Tapping Control System Networks
Richard Bejtlich asks the question “Why Network Taps?” over at the TaoSecurity blog this week. I’m a huge fan of network taps for IDS, general monitoring and troubleshooting. It’s hard to beat the visibility a tap provides at your network entry and exit points. Bejtlich spells out several reasons why taps are a good idea and their advantages over SPAN ports. He states, “Taps should really be part of any network deployment, especially at key points in the network.” I couldn’t agree more, and I think this applies equally to control system network architectures.
Network taps, for those not familiar with them, are hardware devices that allow you to see an exact copy of the network traffic going over the wire or fiber. Older taps required two network interfaces to see the full conversation, but newer taps aggregate the two sides of the conversation into a single monitoring port. They provide a full view of the traffic, even down to physical layer errors. Modern taps also have buffering features so data is not lost during bursts of traffic.
Before coming to the Digital Bond team, I worked on several control system networking projects where we used network taps and the SCADA IDS signatures. The taps provide an easy way to safely get the network communication back to a central IDS server. There you can use and customize the signatures that make sense for your environment. For example, if you have separate security zones for ICCP partners or DNP3 traffic coming from remote field devices, those are great links to tap and monitor. A good set of IDS signatures for insecure protocols like Modbus TCP may even provide some mitigation for an iDay attack.
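To make the Modbus TCP point concrete, here is an added example (my own illustration, not code from the original post or from Digital Bond) of the kind of check an IDS fed by a tap can run: it parses the MBAP header of each Modbus/TCP message and raises an alert when a write function code arrives from a host that is not on the allowlist of known masters, or when the frame is malformed. The IP addresses, the allowlist and the sample frames are constructed for the demonstration; a real deployment would take the frames from the tap feed rather than an inline list.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change PLC state; reads are left alone here.
MODBUS_WRITE_FUNCS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


@dataclass
class ModbusMsg:
    transaction_id: int
    protocol_id: int   # always 0 for Modbus; anything else is suspicious
    length: int        # bytes following the length field (unit id + PDU)
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusMsg:
    """Parse the 7-byte MBAP header plus the PDU function code."""
    if len(payload) < 8:
        raise ValueError("payload too short for MBAP header and function code")
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    if len(payload) - 6 != length:
        raise ValueError(
            f"MBAP length {length} does not match payload ({len(payload) - 6})")
    return ModbusMsg(tid, pid, length, uid, payload[7], payload[8:])


def inspect(packets, authorized_masters):
    """Return a list of (src, dst, alert_type, detail) for suspicious frames.

    packets: iterable of (src_ip, dst_ip, tcp_payload) as a tap feed would give.
    """
    alerts = []
    for src, dst, payload in packets:
        try:
            msg = parse_modbus_tcp(payload)
        except ValueError as exc:
            alerts.append((src, dst, "malformed", str(exc)))
            continue
        if msg.protocol_id != 0:
            alerts.append((src, dst, "bad_protocol_id", str(msg.protocol_id)))
        if msg.function_code in MODBUS_WRITE_FUNCS and src not in authorized_masters:
            alerts.append((src, dst, "unauthorized_write",
                           MODBUS_WRITE_FUNCS[msg.function_code]))
    return alerts


# Constructed sample traffic: an HMI that is allowed to write, an engineering
# laptop that is not, and one truncated frame. Addresses are made up.
AUTHORIZED_MASTERS = {"10.1.1.10"}  # hypothetical HMI
SAMPLE_PACKETS = [
    # HMI -> PLC: Write Single Register (func 6), register 0x10 = 42
    ("10.1.1.10", "10.1.2.20",
     b"\x00\x01\x00\x00\x00\x06\x01\x06\x00\x10\x00\x2a"),
    # laptop -> PLC: Read Holding Registers (func 3), harmless
    ("10.1.3.77", "10.1.2.20",
     b"\x00\x02\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    # laptop -> PLC: Write Multiple Registers (func 16), one register
    ("10.1.3.77", "10.1.2.20",
     b"\x00\x03\x00\x00\x00\x09\x01\x10\x00\x10\x00\x01\x02\x00\x01"),
    # truncated frame: only four header bytes arrived
    ("10.1.3.77", "10.1.2.20", b"\x00\x04\x00\x00"),
]


def run_example():
    return inspect(SAMPLE_PACKETS, AUTHORIZED_MASTERS)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Because the tap gives the IDS a passive copy of the traffic, this inspection can never delay or block the PLC conversation; the trade-off is that it only detects, which is why the allowlist of masters is the important part to keep accurate.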
If you use a tap like the NetOptics
Since I haven’t seen it deployed or even discussed much in the context of control systems, I thought it was time to bring it up. This was a rough introduction but here’s the point for now: if you are working on control system network design and/or IDS deployment, you should consider using network taps.
Author: Jason Holcomb
Posted: January 28th, 2009 under Field Communication, Firewall / Perimeter, IDS / IPS.
Comments: 1
Comments
Comment from Philip Powell
Time: January 28, 2009, 8:40 pm
You’re absolutely right. Network taps should be used throughout the network, but performing tapping in the method suggested perhaps is not the most efficient use of the technology. There are several ways to improve upon the suggested methodology and eliminate any concerns about the tap being a problem (this is sometimes an argument people have).
1) Use simple optical or copper taps inline prior to using any device that aggregates traffic. Now, not all aggregation devices are created equal. I am partial to the VSS Monitoring technology, as I tested several vendors prior to joining VSS and found that its failover times for copper were much faster than the other vendors’. So, if budget is a concern, make sure you understand all of the details on failover times before making a decision on a vendor.
2) Increase the size of the tap chosen for aggregation. The device suggested is one of the smallest and cheapest devices available. That’s great for budget, but perhaps a bit short-sighted when considering you’ll likely need more than one device. Using suggestion #1, you’ll find the ability to aggregate traffic at a higher level much more effective. Take a look at the 12×4, 8×8, or 16×8 tap from VSS Monitoring and you’ll see what I’m talking about. You can choose to either aggregate or provide individual full-duplex links on a per-port basis. This gives you much more bang for the buck.
Now, realizing I’m partial, I suggest you look into it and make the decision yourself, but I think you’ll be glad you looked at both types of technology as, in the end, it’s a much more cost-effective solution.