The NSA's worst nightmare (extrahop.com)
36 points by cws on Feb 17, 2016 | hide | past | favorite | 12 comments


I am not an expert on network security and I have no idea what "out of band network tap" means... If I read it right, the article is saying that in order to have a secure network, you should monitor what is going on in it and detect anomalies, ok?

That's a good point, I guess.

(however, the blog is on a page of a company, that seems to me to be selling network monitoring devices.)


Out of band tap would be a device used to sniff a port mirror of all the traffic coming through the network under scrutiny. The "out of band" part means that this device itself should live on a completely separate network from the one it is sniffing/analyzing.


Yes. In addition, this type of monitoring cannot be turned off. Hackers can turn off logging on servers, but they cannot keep from sending communications over the wire.


Valid point. An out-of-band network tap is definitely a pretty insider-y term to the networking community. What it means is that there's a device sitting in a company's datacenter that can receive a copy of all the traffic flowing through that network without impacting the performance of said network.

Some performance management tools will use up some of the bandwidth of a network to be able to perform their duties. An out-of-band tap offers a way to get visibility into what's happening in your network so you can monitor performance without sapping bandwidth.


Instead of the NSA going to your company's network and illegally tapping into it, your company signs up to an NSA promoted company to tap into their network.

Because network tapping is fast becoming expensive, they provide the out-of-band tapping as a service. An out-of-band tap is like having a splitter on the wire that copies the signals that pass through the wire but does not interact with the data in any other way other than to copy it.

Attackers cannot see the out-of-band tap, but they can try to attack or detect its presence.

The infamous NSA tapping of AT&T's entire communication network in California was an out-of-band tap. It copied all of the communication passing through the AT&T central comms node in California to an NSA-controlled data site through an out-of-band tap installed into AT&T's network in the form of a fiber-optic splitter.


> The out-of-band network tap that Joyce describes is exactly what a product like ExtraHop delivers.

...

> Well? Can you see those intrusions, and see where they try to go next? Do you have the visibility into the East-West traffic that Joyce describes as being so crucial to stopping advanced, persistent threat actors from exploiting you?

> ExtraHop can give it to you. Our platform auto-discovers and classifies every device, every interface, and every application that touches your network, and can observe and analyze every transaction in real time. We give you all the information you need to stay one step ahead of anyone who might be trying to break into your network.

> Read our security operations use cases or try our free demo to see how.

This reads like an advertisement.


Fair enough. It is a blog on a company website, and the topic of the blog is relevant to the product. Pretty standard in my eyes.

I would argue the "Message to Our Customers" from Apple that sat on top all day also had a fair bit of marketing spin in it. That didn't bother me, but opinions differ & I respect that.


I disabled taps in the past because they were directly connected to the line and predictably ran Linux or BSD. The high assurance field long ago solved this problem with one technique: one-way links (data diodes). They don't physically allow the monitor to write to the network.

So, definitely use taps. Just use them with one-way cables on air-gapped machines. Don't trust OS- or router-level isolation against High Strength Attackers.

Note: Does anyone know if this one uses a one-way cable? I didn't delve into the details too much.


Is this what the top brass at the NSA fear the most, or what the developers working behind the scenes fear?


Good question. The statement was made by the Chief of Tailored Access Operations at the NSA, so that's some pretty high level brass.

I don't know the answer, but I'd guess it is something the brass is aware of and maybe frustrated by, and the devs have a nuanced view of the implications of it.


I think what the "worst nightmare" comment really meant was observation/monitoring that they (the NSA) could not disable. Hackers can turn off logging or even exploit monitoring agents as an attack vector (the Target breach a couple of years ago used BMC agents as an attack vector). However, if a copy of all the network traffic is being passively analyzed by a monitoring appliance, then there's no way that they can hide from that or turn it off.
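To make the "passively analyzed copy of the traffic" idea concrete, here is an added example that is not code from the page, from ExtraHop, or from any commenter. It assumes the mirror feed has already been reduced to one flow record per line (timestamp, source, destination, destination port, protocol; a constructed format), and it does the kind of east-west analysis a monitoring appliance would do on that copy: learn which internal hosts normally talk to which internal services, then flag internal-to-internal connections that were never seen in the baseline and a single source fanning out to many internal hosts. Nothing here ever writes to the monitored network, which is the property the tap is meant to give you.

```python
"""Passive east-west flow analysis over a port-mirror / out-of-band tap copy.

Constructed example: flow records in the form
    "<ts> <src> <dst> <dport> <proto>"
are what we assume the tap feed has been reduced to.  The analyzer only
reads; it never emits packets toward the monitored network.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# RFC 1918 ranges: anything inside these is "internal" for east-west purposes.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-record line into a Flow."""
    ts, src, dst, dport, proto = line.split()
    return Flow(int(ts), src, dst, int(dport), proto)


def is_internal(addr: str) -> bool:
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def is_east_west(flow: Flow) -> bool:
    """East-west = both endpoints are internal (lateral traffic)."""
    return is_internal(flow.src) and is_internal(flow.dst)


def build_baseline(flows):
    """Learning window: the set of (src, dst, dport) east-west triples seen."""
    return {(f.src, f.dst, f.dport) for f in flows if is_east_west(f)}


def detect(flows, baseline, fanout_threshold: int = 5):
    """Detection window: alert on east-west triples absent from the baseline,
    and once when one source has reached `fanout_threshold` distinct internal
    destinations (scan-like lateral movement)."""
    alerts = []
    seen = set(baseline)
    fanout = defaultdict(set)
    for f in flows:
        if not is_east_west(f):
            continue                      # north-south traffic is out of scope here
        key = (f.src, f.dst, f.dport)
        if key not in seen:
            seen.add(key)
            alerts.append(("new-east-west", f.ts, f.src, f.dst, f.dport))
        fanout[f.src].add(f.dst)
        if len(fanout[f.src]) == fanout_threshold:
            alerts.append(("lateral-fanout", f.ts, f.src, len(fanout[f.src])))
    return alerts


# Constructed sample data: a learning window of normal traffic, then a
# detection window in which workstation 10.1.1.5 starts probing its peers.
BASELINE_LOG = """\
1 10.1.1.5 10.1.2.10 445 tcp
2 10.1.1.5 10.1.2.20 443 tcp
3 10.1.1.7 10.1.2.10 445 tcp
4 10.1.1.5 8.8.8.8 53 udp
"""

DETECT_LOG = """\
10 10.1.1.5 10.1.2.10 445 tcp
11 10.1.1.5 93.184.216.34 443 tcp
12 10.1.1.5 10.1.1.7 445 tcp
13 10.1.1.5 10.1.1.8 445 tcp
14 10.1.1.5 10.1.1.9 445 tcp
15 10.1.1.5 10.1.1.10 445 tcp
16 10.1.1.5 10.1.1.11 445 tcp
"""


def run_example():
    """Baseline on BASELINE_LOG, then detect over DETECT_LOG; returns the alerts."""
    baseline = build_baseline(parse_flow(l) for l in BASELINE_LOG.splitlines())
    return detect([parse_flow(l) for l in DETECT_LOG.splitlines()], baseline)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The baseline is deliberately naive (a set of exact triples); a real appliance would age entries, group hosts by role and weight ports, but the shape is the same: everything it knows comes from the mirrored copy, so an intruder who disables agent logging on a compromised host has not changed what the analyzer sees.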


Yes, that's the whole point. The advertisement below describes how they do this in high assurance environments with nice graphics and details. Not endorsing the product so much as dropping the first good example from Google.

https://www.ixiacom.com/sites/default/files/resources/whitep...



