Exam SY0-501 topic 1 question 791 discussion

Answer: D If a network tap is implemented, then it will be a downtime

So, the only way I see Network Tap being installed with no down time is by implementing redundancy in the network, fail-over to the second path, install Tap, fail-back and done.

So key here is company's network is a local network and Network Tap is a device that must capture all of the network traffic.

I'd go with A - Network Taps are analogous to phone taps. They are completely passive methods of getting network traffic to a central location. Port mirroring would get all the traffic to the IDS but is not completely passive. It requires the use of resources on switches to route a copy of the traffic. Incorrect switch configuration can cause looping. Configuring loop detection can prevent looped ports. CompTIA Security + Practice book.

Tapping by Software Edit This type of tapping focuses on tapping by making use of software, and without making any significant change on an infrastructures hardware. This type of tapping is often the cheapest one to implement, but it needs several implementations to give a truly complete look of the network.

Port mirrror vs network tap https://bboxblog.wordpress.com/2012/09/06/network-taps-vs-mirror-ports-which-are-best/#:~:text=A%20network%20tap%20is%20a,many%20high%2Dend%20networking%20devices.

This is BS question neither answers are 100% correct. network tap requires a maintainence window as you need to bring the network port down. However once installed it sends ALL traffic. port mirroring will not cause any downtime however it may drop some packets so not 100% traffic is sent to IDS. Really can't decide out the two but I would go with TAP as its the answer selected.

"A security analyst is interested in setting up an IDS to monitor the company network" this means analyst didn't setup IDS. How can we do port mirroring if the IDS is not set up

Going with Port mirroring on this one 100% https://www.gigamon.com/resources/resource-library/white-paper/understanding-network-taps-first-step-to-visibility.html "installing or replacing a TAP in an existing environment does bring down the link while the cables are reconnected. So TAP installations are typically scheduled during pre-defined maintenance windows, or during the network architecture design phase, prior to running live traffic."

D because -----> Taps require unplugging network cables, which has a lot of resistance from just about everyone.

Answer is A - Network tap. Please note that port mirroring may have some drawbacks, such as: It can consume significant CPU resources while active There is a risk of not receiving some packets (such as media errors) In the case of traffic congestion at the switch level, port mirroring is likely to drop some traffic (because the SPAN process does not have priority) In some cases, a better solution for long-term monitoring may be a passive TAP or an Ethernet repeater (”hub”)

Network Tap is the write answer as "Once a network tap is in place, the network can be monitored without interfering with the network itself. Other network monitoring solutions require in-band changes to network devices, which means that monitoring can impact the devices being monitored" Soruce: https://en.wikipedia.org/wiki/Network_tap#:~:text=Once%20a%20network%20tap%20is,impact%20the%20devices%20being%20monitored.

key is "IDS must capture all of the network traffic" TAP capture all

Port mirror need to configure switch and restart switch that cause network downtime. Network tap just plug in and all done. lol

https://bboxblog.wordpress.com/2012/09/06/network-taps-vs-mirror-ports-which-are-best/#:~:text=A%20network%20tap%20is%20a,many%20high%2Dend%20networking%20devices. Tap - Best for high-speed networks with heavy traffic or for analysis that requires all network traffic. Captures send and receive data streams simultaneously, eliminating the risk of dropped packets. Provides full visibility into full-duplex networks. Captures everything on the wire—including Physical Layer errors—even when the network is saturated.

To install an inline tap, the original cable must be unplugged from the switch(or other network management device) and then plugged into the tap. Then the tap is plugged into the vacated original port. A tap should be installed wherever traffic monitoring on a specific cable is required and when a port mirroring function is either not available or undesired. Port mirroring is a common feature found on managed switches: it will duplicate traffic from one or more other ports out a specific port. A switch may have a hardwired Switched Port Analyzer (SPAN) port, which duplicates the traffic for all other ports, or any port can be set as the mirror, audit, IDS, or monitoring port for one or more other ports. Port mirroring takes place on the switch itself.

I chose port mirror but found this https://insights.profitap.com/tap-vs-span I’d say tap now as it’s truly passive. Port mirror can lead to packet loss in some circumstances.