Each environment comes with its own challenges, but for every challenge there's an equally interesting solution.
New community member @dlavrichev posted an interesting question regarding TAP interfaces.
Veteran community member @Willian pointed out that a tap interface is often deployed during evaluations in a plug-in type of model:
So how can a TAP mode benefit you and what can it be used for?
A TAP interface works like a wiretap: it receives a copy of the traffic, listens to the packets and analyses what is going on, but it never forwards or answers anything.
First, a switch port needs to be configured as a SPAN (mirror) port so the switch copies all packets passing through a source port to the port the firewall is connected to. On a Cisco switch that could look like this:

```
PAN_CORE#sh conf | incl monitor
monitor session 1 source interface Gi6/26
monitor session 1 destination interface Gi6/12
PAN_CORE#
```
Note: different switches use different commands. On Juniper the feature is called 'analyzer', other Cisco switches may use 'snoop', and so on. Check your switch vendor's documentation for the exact commands to set up a SPAN port.
The switch will now also send a copy of every packet passing through Gi6/26 (both directions, the IOS default) out of Gi6/12. A TAP interface connected to Gi6/12 will see all those packets, but will not be able (nor will it try) to participate in the conversation.
On the firewall, the interface needs to be set to tap mode and assigned to a zone of type tap:
Tap interface
Tap zone
The zone can be configured just like any other zone, with User-ID enabled and even a zone protection profile attached to detect and report reconnaissance attacks or SYN floods, for example. Because the tap interface never transmits, such a profile can only alert on what it sees; it cannot stop anything.
Lastly, a security policy needs to be configured with both the source and the destination zone set to the tap zone, plus any security profiles that may be of interest (antivirus, anti-spyware, vulnerability protection, URL filtering).
The policy action needs to be allow, so packets are not immediately discarded and sessions can be built:
Tap policy
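The interface, zone and policy steps above, as an added example in PAN-OS configure-mode CLI (this is not configuration from the original post; the screenshots there make the same settings through the GUI). The interface name ethernet1/8, the zone name tap, the rule name "tap mode" and an already existing zone protection profile called tap-zpp are assumptions.

```text
admin@myNGFW> configure
admin@myNGFW# set network interface ethernet ethernet1/8 tap
admin@myNGFW# set zone tap network tap ethernet1/8
admin@myNGFW# set zone tap enable-user-identification yes
admin@myNGFW# set zone tap network zone-protection-profile tap-zpp
admin@myNGFW# set rulebase security rules "tap mode" from tap to tap source any destination any source-user any application any service any action allow
admin@myNGFW# set rulebase security rules "tap mode" profile-setting profiles virus default spyware default vulnerability default url-filtering default
admin@myNGFW# set rulebase security rules "tap mode" log-start no log-end yes
admin@myNGFW# commit
admin@myNGFW# exit
admin@myNGFW> show session all filter rule "tap mode"
```

The zone-protection-profile line can be left out if no profile exists yet. The last command is the same check used further down in this post; if it stays empty for more than a few minutes, verify on the switch side that the SPAN destination port is the one the firewall is cabled to. When using `show counter global ... packet-filter yes` as below, note that the option limits the counters to packets matching a filter set with `debug dataplane packet-filter set`; leave it out to see the counters for all traffic.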
Once the configuration has been committed, the tap interface will start discarding every packet, since it is not able to forward it anyway, but only after analysing it, building sessions and applying App-ID and Content-ID inspection. The discards show up in the flow_fwd_tap_drop counter:

```
admin@myNGFW(active)> show counter global filter delta yes packet-filter yes

Global counters:
Elapsed time since last sampling: 373.341 seconds

name                            value   rate severity category aspect   description
--------------------------------------------------------------------------------
flow_fwd_tap_drop                  44      0 drop     flow     forward  Packets dropped: Tap interface
--------------------------------------------------------------------------------
Total counters shown: 1
--------------------------------------------------------------------------------
```
It could take a few minutes before the tap interface 'kicks in'. Right after the commit it mostly sees sessions that were already in progress; these have no SYN to match a session on (the flow_tcp_non_syn_drop counter below) and are not usable for Layer 7 inspection. Once new sessions start, more counters indicating App-ID and Content-ID inspection will appear and sessions will become visible:
```
admin@myNGFW(active)> show counter global filter delta yes packet-filter yes

Global counters:
Elapsed time since last sampling: 21.431 seconds

name                            value   rate severity category aspect   description
--------------------------------------------------------------------------------
pkt_outstanding                     1      0 info     packet   pktproc  Outstanding packet to be transmitted
pkt_alloc                          16      0 info     packet   resource Packets allocated
session_allocated                   8      0 info     session  resource Sessions allocated
session_installed                   8      0 info     session  resource Sessions installed
flow_tcp_non_syn                    2      0 info     flow     session  Non-SYN TCP packets without session match
flow_tcp_non_syn_drop               2      0 drop     flow     session  Packets dropped: non-SYN TCP without session match
flow_fwd_tap_drop                  13      0 drop     flow     forward  Packets dropped: Tap interface
flow_dos_syncookie_cookie_sent      1      0 info     flow     dos      TCP SYN cookies: cookies sent, aggregate profile/zone
appid_ident_by_icmp                 3      0 info     appid    pktproc  Application identified by icmp type
appid_proc                          5      0 info     appid    pktproc  The number of packets processed by Application identification
dfa_sw                              6      0 info     dfa      pktproc  The total number of dfa match using software
fpga_request                        8      0 info     fpga     offload  The outstanding requests to FPGA
aho_fpga                            8      0 info     aho      resource The total requests to FPGA for AHO
aho_fpga_data                    1940     90 info     aho      resource The total data size to FPGA for AHO
ctd_process                         8      0 info     ctd      pktproc  session processed by ctd
ctd_pkt_slowpath                   11      0 info     ctd      pktproc  Packets processed by slowpath
--------------------------------------------------------------------------------
Total counters shown: 16
--------------------------------------------------------------------------------

admin@myNGFW(active)> show session all filter rule 'tap mode'
--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
2233         dns            ACTIVE  FLOW       10.192.16.164[11716]/tap/17  (10.192.16.164[11716])
vsys1                                          8.8.8.8[53]/tap  (8.8.8.8[53])
2240         ping           ACTIVE  FLOW       10.192.16.21[768]/tap/1  (10.192.16.21[768])
vsys1                                          10.192.16.164[5179]/tap  (10.192.16.164[5179])
2230         dns            ACTIVE  FLOW       10.192.16.164[64646]/tap/17  (10.192.16.164[64646])
vsys1                                          8.8.8.8[53]/tap  (8.8.8.8[53])
2231         dns            ACTIVE  FLOW       10.192.16.164[61368]/tap/17  (10.192.16.164[61368])
vsys1                                          8.8.8.8[53]/tap  (8.8.8.8[53])
```
The sessions also become visible in the traffic logs, with User-ID applied where possible:
Tap sessions captured in logs
With this information in your pocket, you are now able to install the firewall as a passive listening device in a network, allowing full reporting and analysis of potential threats without putting the device inline just yet. This can be helpful during troubleshooting, or for convincing management that you need a firewall for a specific network segment. ;)
Hope you enjoyed this information, feel free to comment or ask questions below!
Reaper out