Exam SY0-501 topic 2 question 282 discussion

Actual exam question from CompTIA's SY0-501
Question #: 282
Topic #: 2

A security analyst is interested in setting up an IDS to monitor the company network. The analyst has been told there can be no network downtime to implement the solution, but the IDS must capture all of the network traffic. Which of the following should be used for the IDS implementation?

  • A. Network tap
  • B. Honeypot
  • C. Aggregation
  • D. Port mirror

Suggested Answer: A

Comments

Autox
Highly Voted 9 months ago
So, the only way I see Network Tap being installed with no down time is by implementing redundancy in the network, fail-over to the second path, install Tap, fail-back and done.
upvoted 9 times
rameces
7 months, 2 weeks ago
you have a point
upvoted 1 times
...
...
Kudojikuto
Highly Voted 9 months ago
Answer: D. If a network tap is implemented, then there will be downtime.
upvoted 8 times
...
Dion79
Most Recent 1 week ago
I'd go with A - Network Taps are analogous to phone taps. They are completely passive methods of getting network traffic to a central location. Port mirroring would get all the traffic to the IDS but is not completely passive. It requires the use of resources on switches to route a copy of the traffic. Incorrect switch configuration can cause looping. Configuring loop detection can prevent looped ports. CompTIA Security + Practice book.
upvoted 1 times
...
0mega1
2 weeks, 4 days ago
Tapping by Software: This type of tapping focuses on tapping by making use of software, and without making any significant change on an infrastructure's hardware. This type of tapping is often the cheapest one to implement, but it needs several implementations to give a truly complete look of the network.
upvoted 1 times
...
rrcool
3 weeks ago
Port mirror vs network tap https://bboxblog.wordpress.com/2012/09/06/network-taps-vs-mirror-ports-which-are-best/#:~:text=A%20network%20tap%20is%20a,many%20high%2Dend%20networking%20devices.
upvoted 1 times
...
L1singh
3 weeks ago
This is a BS question; neither answer is 100% correct. A network tap requires a maintenance window as you need to bring the network port down. However, once installed it sends ALL traffic. Port mirroring will not cause any downtime; however, it may drop some packets, so not 100% of traffic is sent to the IDS. Really can't decide out of the two, but I would go with TAP as it's the answer selected.
upvoted 1 times
L1singh
3 weeks ago
Okay I will go for network tap, as there is something called a bypass TAP which can be installed without causing downtime
upvoted 2 times
...
...
Cindan
1 month ago
"A security analyst is interested in setting up an IDS to monitor the company network". This means the analyst didn't set up the IDS. How can we do port mirroring if the IDS is not set up?
upvoted 3 times
...
xGAM3Rxx
1 month ago
Going with Port mirroring on this one 100%. https://www.gigamon.com/resources/resource-library/white-paper/understanding-network-taps-first-step-to-visibility.html "installing or replacing a TAP in an existing environment does bring down the link while the cables are reconnected. So TAP installations are typically scheduled during pre-defined maintenance windows, or during the network architecture design phase, prior to running live traffic."
upvoted 1 times
...
MortG7
1 month, 2 weeks ago
D because -----> Taps require unplugging network cables, which has a lot of resistance from just about everyone.
upvoted 1 times
...
mdsabbir
2 months ago
Answer is A - Network tap. Please note that port mirroring may have some drawbacks, such as:
  • It can consume significant CPU resources while active
  • There is a risk of not receiving some packets (such as media errors)
  • In the case of traffic congestion at the switch level, port mirroring is likely to drop some traffic (because the SPAN process does not have priority)
In some cases, a better solution for long-term monitoring may be a passive TAP or an Ethernet repeater ("hub")
upvoted 1 times
...
Helloworld__
3 months ago
Network Tap is the write answer as "Once a network tap is in place, the network can be monitored without interfering with the network itself. Other network monitoring solutions require in-band changes to network devices, which means that monitoring can impact the devices being monitored" Source: https://en.wikipedia.org/wiki/Network_tap#:~:text=Once%20a%20network%20tap%20is,impact%20the%20devices%20being%20monitored.
upvoted 1 times
Helloworld__
2 months, 4 weeks ago
Right*
upvoted 1 times
...
...
engineernet706
3 months, 1 week ago
The key is "IDS must capture all of the network traffic". A TAP captures all.
upvoted 4 times
...
yalight
3 months, 3 weeks ago
Port mirroring needs you to configure the switch and restart the switch, which causes network downtime. With a network tap, just plug it in and all done. lol
upvoted 1 times
...
DaddyP
5 months, 3 weeks ago
https://bboxblog.wordpress.com/2012/09/06/network-taps-vs-mirror-ports-which-are-best/#:~:text=A%20network%20tap%20is%20a,many%20high%2Dend%20networking%20devices. Tap - Best for high-speed networks with heavy traffic or for analysis that requires all network traffic. Captures send and receive data streams simultaneously, eliminating the risk of dropped packets. Provides full visibility into full-duplex networks. Captures everything on the wire—including Physical Layer errors—even when the network is saturated.
upvoted 1 times
...
DookyBoots
6 months, 2 weeks ago
To install an inline tap, the original cable must be unplugged from the switch (or other network management device) and then plugged into the tap. Then the tap is plugged into the vacated original port. A tap should be installed wherever traffic monitoring on a specific cable is required and when a port mirroring function is either not available or undesired. Port mirroring is a common feature found on managed switches: it will duplicate traffic from one or more other ports out a specific port. A switch may have a hardwired Switched Port Analyzer (SPAN) port, which duplicates the traffic for all other ports, or any port can be set as the mirror, audit, IDS, or monitoring port for one or more other ports. Port mirroring takes place on the switch itself.
upvoted 1 times
...
Chowpapa
6 months, 3 weeks ago
I chose port mirror but found this https://insights.profitap.com/tap-vs-span I’d say tap now as it’s truly passive. Port mirror can lead to packet loss in some circumstances.
upvoted 3 times
...
Hanzero
6 months, 3 weeks ago
"all of the network traffic"=Port Mirror. Answer D
upvoted 1 times
Jeff35
1 month, 2 weeks ago
?? by that quote you should be thinking tap, not port mirror... Port mirror: Frames with errors will not be mirrored and frames may be dropped under heavy load. TAPs: Unlike a SPAN, no logic decisions are made so the monitor port receives every frame—corrupt or malformed or not—and the copying is unaffected by load.
upvoted 1 times
...
...
