A security analyst is interested in setting up an IDS to monitor the company network. The analyst has been told there can be no network downtime to implement the solution, but the IDS must capture all of the network traffic. Which of the following should be used for the IDS implementation?
A. Network tap
B. Honeypot
C. Aggregation
D. Port mirror
Solution: A. Network tap
Explanation: Once a network tap is in place, the network can be monitored without interfering with the network itself. Other network monitoring solutions require in-band changes to network devices, which means that monitoring can impact the devices being monitored.
Network taps are analogous to phone taps: they are a completely passive method of getting network traffic to a central location. Port mirroring would also get all the traffic to the IDS, but it is not completely passive, because it uses resources on the switches to route a copy of the traffic. An incorrect switch configuration can cause looping; configuring loop detection can prevent looped ports.