Word Notes 9.29.20
Ep 17 | 9.29.20

port mirroring (noun)


Rick Howard: The word is port mirroring.

Rick Howard: Also known as: SPAN or Switched Port Analyzer, and RAP or Roving Analysis Port, and TAP or Test Access Point.

Rick Howard: Definition: A network switch configuration setting that forwards a copy of each incoming and outgoing packet to a third switch port.

Rick Howard: Example sentence: While port mirroring usually does not result in any performance impact on the switch itself, one needs to be careful not to overload the destination port.

Rick Howard: Context: When network managers and security investigators want to capture packets for analysis, they need some sort of generic TAP or test access point. You can buy specialized equipment for this operation, but most modern day switches have this capability built in. Port mirroring is implemented in local area networks or LANs, and that includes wireless LANs and virtual local area networks or VLANs to identify, monitor and troubleshoot network abnormalities and security issues. Cloud providers offer TAP services also: vTAP in Microsoft Azure, Virtual Private Cloud or VPC traffic mirroring in AWS, and Packet Mirroring in Google cloud. For security analysis, one benefit of port mirroring is that generally hackers will not know they are being monitored.

Rick Howard: In 2016, Rob Joyce, then the head of the NSA's tailored access operations unit, or TAO, the cyber offensive arm to the NSA, the Mr. Robot for the US government, gave an unprecedented talk at the USENIX Enigma conference where he described the thought process that his team used to break into their targets for the US government.

Rob Joyce: "I'll tell you, one of our worst nightmares is that out-of-band network tap that really is capturing all the data, understanding anomalous behavior going on and somebody paying attention to it."

Rick Howard: An out of network tap is accomplished through port mirroring.