Cyber warfare is unfortunately no longer found only in speculative fiction; it is with us today. Distributed denial-of-service (DDoS) attacks have been launched against the United States, South Korea, Kyrgyzstan, Estonia, and Georgia in recent years, and military and government computer systems around the world are assaulted by intruders daily. Some attacks come from nation-states, but others are perpetrated by transnational and unaligned rogue groups. Those bent on inflicting harm on nations and citizens not only use networks as an attack vector, but also for organizing, recruiting, and publicizing their beliefs and activities.

Terrorism informatics analyzes information from data-at-rest sources such as blogs, social media, and databases. For other types of analyses, it is necessary to examine data in motion, in other words, information as it travels on a network. Access to data-in-motion is often obtained by eavesdropping on the network traffic using Span ports in vlan switches. This paper focuses specifically on the implications of using Span ports in counter-terrorism monitoring applications. It shows that Span ports are particularly ill-suited to this use. Note also that the security vulnerabilities of Span ports in counter-terrorism applications apply equally when Span ports are used for other monitoring needs such as performance or compliance monitoring.

The first issue with Span ports in a counter-terrorism application is that the visibility of network traffic is less than perfect. In counter-terrorism monitoring, a fundamental requirement is that the security device must be able to see every single packet on the wire. An IDS cannot detect a virus if it doesn't see the packets carrying it. Span ports cannot meet this requirement because they drop packets. Spanning is the switch's lowest priority task, and Span traffic is the first thing to go when the switch gets busy. In fact, it is allowable for any port on a switch to drop packets because network protocols are specifically designed to be robust in spite of dropped packets, which are inevitable in a network. But it is not acceptable in a counter-terrorism monitoring application.

Different switches may be more or less prone to drop Span packets depending on their internal architecture, which varies from switch to switch. However, it is unlikely that the performance of the Span port was evaluated as an important criterion when the switching gear was selected. As a counter-terrorism professional, you probably don't want your security strategy to be dependent on a procurement policy that you don't control.

Nevertheless, suppose you do have lan switches with the best possible Spanning performance. Dropped packets may still be an issue depending on how much traffic you need to send through the Span port. If you need to see all of the traffic on a full-duplex 1 Gigabit link, a 1 Gigabit Span port won't do the job. Full duplex link traffic exceeds the 1 Gigabit SPAN port capacity when link utilization goes above 50 percent in both directions. To see all the traffic, you need to dedicate a 10 Gigabit port for Spanning, and now the Span port doesn't seem so inexpensive any more.