Use of Taps and Span Ports in Cyber Intelligence Applications

Cyber warfare is unfortunately no longer found only in speculative fiction; it is with us today. Distributed denial-of-service (DDoS) attacks have been launched against the United States, South Korea, Kyrgyzstan, Estonia, and Georgia in recent years, and military and government computer systems around the world are assaulted by intruders daily. Some attacks come from nation-states, but others are perpetrated by transnational and unaligned rogue groups. Those bent on inflicting harm on nations and citizens not only use networks as an attack vector, but also for organizing, recruiting, and publicizing their beliefs and activities.

On the other side of the fence are the good guys, the members of the cyber intelligence community who aim to understand and track the terrorists, and ultimately stymie their plans. Due to the pervasive use of networks by radical and criminal organizations in the modern world, a great deal can be learned about terrorists by examining their use of the World Wide Web, and how the Internet is used as a vector to attack both public and private systems. This field of study is called “terrorism informatics,” which is defined as “the application of advanced methodologies and information fusion and analysis techniques to acquire, integrate, process, analyze, and manage the diversity of terrorism-related information for national/international and homeland security-related applications” (Hsinchun Chen et al, eds., Terrorism Informatics. New York: Springer, 2008, p. xv).

Terrorism informatics analyzes information from data-at-rest sources such as blogs, social media, and databases. For other types of analyses, it is necessary to examine data in motion, in other words, information as it travels on a network. Access to data-in-motion is often obtained by eavesdropping on the network traffic using Span ports in switches. This paper focuses specifically on the implications of using Span ports in counter-terrorism monitoring applications. It shows that Span ports are particularly ill-suited to this use. Note also that the security vulnerabilities of Span ports in counter-terrorism applications apply equally when Span ports are used for other monitoring needs such as performance or compliance monitoring.

Span or mirror ports are a convenient and inexpensive way to access traffic lowing through a network switch. Switches that support Span ports – typically high-end switches – can be configured to mirror traffic from selected ports or VLANs to the Span port, where monitoring tools can be attached. At first glance, it seems that a Span port could be a good way to connect an intrusion detection system (IDS), forensic recorder, or other security monitoring device.
Unfortunately, Span ports have several characteristics that can be troublesome and risky in a counter-terrorism application. These characteristics include:

  • The possibility of dropping packets
  • The need for reconfiguring switches
  • The vulnerability of Span ports to attack
  • The fact that Span ports are not passive mechanisms

These issues are elaborated in the following sections.

Problem #1: Dropped Packets
The first issue with Span ports in a counter-terrorism application is that the visibility of network traffic is less than perfect. In counter-terrorism monitoring, a fundamental requirement is that the security device must be able to see every single packet on the wire. An IDS cannot detect a virus if it doesn’t see the packets carrying it. Span ports cannot meet this requirement because they drop packets. Spanning is the switch’s lowest priority task, and Span traffic is the first thing to go when the switch gets busy. In fact, it is allowable for any port on a switch to drop packets because network protocols are specifically designed to be robust in spite of dropped packets, which are inevitable in a network. But it is not acceptable in a counter-terrorism monitoring application.

Different switches may be more or less prone to drop Span packets depending on their internal architecture, which varies from switch to switch. However, it is unlikely that the performance of the Span port was evaluated as an important criterion when the switching gear was selected. As a counter-terrorism professional, you probably don’t want your security strategy to be dependent on a procurement policy that you don’t control.

Nevertheless, suppose you do have switches with the best possible Spanning performance. Dropped packets may still be an issue depending on how much traffic you need to send through the Span port. If you need to see all of the traffic on a full-duplex 1 Gigabit link, a 1 Gigabit Span port won’t do the job. Full duplex link traffic exceeds the 1 Gigabit SPAN port capacity when link utilization goes above 50 percent in both directions. To see all the traffic, you need to dedicate a 10 Gigabit port for Spanning, and now the Span port doesn’t seem so inexpensive any more.

However, Span port visibility issues go beyond simply dropping packets. Being switch technology, Span ports by their very nature are not transparent for layer 1 and layer 2 information: for example, they drop undersized and oversized packets, and packets with CRC errors. They usually remove VLAN tags, too.

Leave a comment

Your email address will not be published. Required fields are marked *