Richard Bejtlich asks the question “Why Network Taps?” over at the TaoSecurity blog this week. I’m a huge fan of network taps for IDS, general monitoring and troubleshooting. It’s hard to beat the visibility a tap provides at your network entry and exit points. Bejtlich spells out several reasons why taps are a good idea and their advantages over SPAN ports. He states “Taps should really be part of any network deployment, especially at key points in the network.” I couldn’t agree more, and I think this applies equally to control system network architectures.
Network taps, for those not familiar with them, are passive hardware devices inserted in-line on a copper or fiber link that hand a monitoring port an exact copy of every frame crossing that link. Older taps expose each direction of the conversation on its own monitor port, so seeing the full exchange required two network interfaces on the sensor; newer aggregation taps merge both directions onto a single monitoring port. Unlike a SPAN port, where the switch discards frames with physical-layer and CRC errors before mirroring and may drop mirrored traffic under load, a tap passes everything on the wire, errors included. Because the two directions of a full-duplex link can together exceed the capacity of the single monitor port, aggregation taps buffer traffic so that bursts are not lost; sustained utilization above the monitor port’s capacity will still drop frames, which is the one thing to check before tapping a heavily loaded link.
Before coming to the Digital Bond team, I worked on several control system networking projects where we used network taps and the SCADA IDS signatures. The taps provide an easy way to safely get the network communication back to a central IDS server: a passive tap’s monitor port only sends copies outward, so the sensor cannot inject packets into the control network even if the sensor itself is compromised. There you can use and customize the signatures that make sense for your environment. For example, if you have separate security zones for ICCP partners or DNP3 traffic coming from remote field devices, those are great links to tap and monitor. A good set of IDS signatures for insecure protocols like Modbus TCP, which has no authentication and will accept a write from any host that can reach port 502, may even provide some mitigation for an iDay attack.
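To make the signature idea concrete, here is an added example of the kind of detection logic an IDS sitting behind a tap can run over Modbus TCP requests. It is not code from the original post and not the SCADA IDS signature set the post refers to; the host addresses, the allowlist of masters and the five captured frames are constructed for illustration. It parses the MBAP header, rejects malformed frames, flags write function codes from any host that is not a known master, and flags the diagnostics sub-functions that can knock a slave off the network.

```python
import struct
from dataclasses import dataclass
from typing import List, Set

# Modbus TCP function codes that change process state (public Modbus spec).
WRITE_FUNCTIONS = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}
DIAGNOSTICS = 8
# Diagnostics sub-functions that disrupt the slave rather than read counters.
DISRUPTIVE_DIAG_SUB = {1: "Restart Communications Option", 4: "Force Listen Only Mode"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus function code; reject anything malformed."""
    if len(payload) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, pid, length, uid, fc = struct.unpack("!HHHBB", payload[:8])
    if pid != 0:
        raise ValueError(f"protocol id {pid}, expected 0 for Modbus")
    # The length field counts the bytes after itself: unit id plus PDU.
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} but {len(payload) - 6} bytes follow")
    return ModbusRequest(tid, uid, fc, payload[8:])


def inspect_request(src: str, dst: str, payload: bytes, masters: Set[str]) -> List[str]:
    """Return zero or more alert strings for one request seen on the tap."""
    try:
        req = parse_modbus_tcp(payload)
    except ValueError as err:
        return [f"MALFORMED {src}->{dst}: {err}"]
    alerts = []
    if req.function in WRITE_FUNCTIONS and src not in masters:
        alerts.append(f"UNAUTHORIZED_WRITE {src}->{dst} unit {req.unit_id}: "
                      f"{WRITE_FUNCTIONS[req.function]} (fc {req.function})")
    if req.function == DIAGNOSTICS and len(req.data) >= 2:
        sub = struct.unpack("!H", req.data[:2])[0]
        if sub in DISRUPTIVE_DIAG_SUB:
            alerts.append(f"DISRUPTIVE_DIAGNOSTIC {src}->{dst} unit {req.unit_id}: "
                          f"{DISRUPTIVE_DIAG_SUB[sub]} (sub-function {sub})")
    return alerts


# Constructed sample: requests as they would be seen on a tap in front of a PLC.
# The hosts and frames are hypothetical.
AUTHORIZED_MASTERS = {"10.1.1.10"}  # the HMI that is allowed to write
PLC = "10.1.2.20"
SAMPLE_REQUESTS = [
    # HMI writes holding register 1 := 0x0100 (allowed master, no alert)
    ("10.1.1.10", PLC, bytes.fromhex("0001 0000 0006 01 06 0001 0100")),
    # Unknown host forces eight coils on (fc 15): unauthorized write
    ("10.1.1.99", PLC, bytes.fromhex("0002 0000 0008 01 0F 0000 0008 01 FF")),
    # Unknown host sends diagnostics sub-function 4, Force Listen Only Mode
    ("10.1.1.99", PLC, bytes.fromhex("0003 0000 0006 01 08 0004 0000")),
    # HMI reads ten holding registers (benign)
    ("10.1.1.10", PLC, bytes.fromhex("0004 0000 0006 01 03 0000 000A")),
    # Non-zero protocol id: not Modbus, flagged as malformed
    ("10.1.1.10", PLC, bytes.fromhex("0005 0001 0006 01 03 0000 000A")),
]


def run_sample() -> List[str]:
    alerts = []
    for src, dst, payload in SAMPLE_REQUESTS:
        alerts.extend(inspect_request(src, dst, payload, AUTHORIZED_MASTERS))
    return alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Keying on function code and source address is all the protocol gives you, since Modbus TCP carries no credentials; a source-address allowlist is therefore only as strong as the network’s resistance to spoofing on that segment, which is another argument for monitoring the zone boundary from a tap rather than from a host inside it.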
If you use a tap like the NetOptics
Since I haven’t seen taps deployed or even discussed much in the context of control systems, I thought it was time to bring them up. This was a rough introduction, but here’s the point for now: if you are working on control system network design and/or IDS deployment, you should consider using network taps.