Back on October 6, 2016, one of my colleagues at Niagara wrote a post about the five reasons a Network TAP is better than a SPAN port. There is at least one other good reason. To explain it, I’ll start with a quote from a former CTO turned venture capitalist who once told me, “You have to be sane enough to know you are insane”.
As often happens with computing devices, technologists apply human analogies to explain them. In the context of that quote, the CTO meant that when something, such as a computer device, stops working correctly, the mechanism used to detect that it is not working right (so that it can fail over to a backup system or, if there is no backup, shut down) must itself keep functioning correctly. A failure detector that fails together with the thing it watches is no detector at all.
You have to be sane enough to know you are insane
As anyone who writes software knows, the more complex the software, the more ways there are for something to go wrong. Small, simple things that can be in only a few possible states are easy to diagnose (e.g., a lamp that is either “on” or “off”) and, in general, are hard to hack: there is little attack surface and little room for an unexpected state.
In the case of a SPAN port (also known as port mirroring), the switch or router doing the mirroring has to run additional, fairly complex logic to copy frames out of its forwarding path and direct them to the SPAN port, and that logic is configured and controlled from the same management plane as the rest of the device. This added complexity increases, to some degree, the risk of exploitable bugs. More importantly, the hardware and software that support SPAN are not isolated from the switch/router they are meant to help monitor: an attacker who compromises the device can reconfigure, filter, or simply disable the mirror session, and the monitoring tool downstream goes blind at exactly the moment it is needed most. In the terms of the quote, the switch is being asked to diagnose its own insanity. With an external Network TAP, all of the hardware and logic live outside the switch/router, so the TAP keeps delivering a faithful copy of the traffic even if the switch/router is compromised. That does not by itself stop anything malicious from entering the network, but it does ensure that the monitoring tools are never cut off from the traffic they are supposed to inspect, which is the precondition for detecting and responding to it.
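The practical corollary is that the monitoring feed itself needs a sanity check that does not depend on the device being watched. The following is an added example (not code from the original post or from Niagara) of such a check: it compares the cumulative packet counter of the mirrored switch port against the cumulative packet counter of the NIC that receives the SPAN or TAP feed, and flags intervals where the port is busy but the feed is silent (“dark”) or is losing a large fraction of packets (“degraded”). The counter values below are constructed; collecting them (for example the switch port’s ifInUcastPkts via SNMP and the monitoring NIC’s receive counter) is assumed to happen elsewhere, and the 32-bit wrap handling is an assumption about the counter width.

```python
# Added example: a sanity check for the monitoring feed itself.
# Counters here are constructed sample data; collection via SNMP or NIC
# statistics is assumed to happen outside this snippet.
from dataclasses import dataclass
from typing import Iterable, List, Tuple

COUNTER_BITS = 32  # assumption: ifInUcastPkts-style counters that wrap at 2**32


@dataclass(frozen=True)
class Sample:
    ts: int           # epoch seconds when both counters were read
    source_pkts: int  # cumulative packets on the mirrored switch port
    feed_pkts: int    # cumulative packets seen on the monitoring NIC


def _delta(prev: int, cur: int) -> int:
    """Difference between two cumulative counter reads, tolerating one wrap."""
    d = cur - prev
    if d < 0:
        d += 1 << COUNTER_BITS
    return d


def feed_health(samples: Iterable[Sample],
                min_source_delta: int = 100,
                min_ratio: float = 0.5) -> List[Tuple[int, str, float]]:
    """Classify each interval between consecutive samples.

    Returns (ts, status, feed/source ratio) where status is one of:
      ok        feed carries at least min_ratio of the source traffic
      degraded  feed is present but below min_ratio (oversubscribed SPAN etc.)
      dark      source port is busy but the feed delivered nothing
      idle      source port too quiet to judge (fewer than min_source_delta pkts)
    """
    out: List[Tuple[int, str, float]] = []
    samples = list(samples)
    for prev, cur in zip(samples, samples[1:]):
        src = _delta(prev.source_pkts, cur.source_pkts)
        feed = _delta(prev.feed_pkts, cur.feed_pkts)
        if src < min_source_delta:
            out.append((cur.ts, "idle", 0.0))
            continue
        ratio = feed / src
        if feed == 0:
            status = "dark"
        elif ratio < min_ratio:
            status = "degraded"
        else:
            status = "ok"
        out.append((cur.ts, status, round(ratio, 3)))
    return out


def alerts(samples: Iterable[Sample], **kw) -> List[Tuple[int, str]]:
    """Only the intervals an operator should be paged about."""
    return [(ts, st) for ts, st, _ in feed_health(samples, **kw)
            if st in ("dark", "degraded")]


# Constructed one-minute samples. The first interval crosses a 32-bit wrap
# on the source counter; later the feed degrades and then stops entirely
# while the switch port keeps carrying traffic.
SAMPLES = [
    Sample(0,   4_294_960_000, 500_000),
    Sample(60,          2_704, 510_000),  # source wrapped: 10,000 pkts; feed 10,000 -> ok
    Sample(120,        62_704, 535_000),  # 60,000 vs 25,000 -> degraded
    Sample(180,       122_704, 535_000),  # 60,000 vs 0 -> dark
    Sample(240,       122_750, 535_000),  # 46 pkts on source -> idle
]

if __name__ == "__main__":
    for ts, status, ratio in feed_health(SAMPLES):
        print(f"t={ts:>4}s  {status:<9} ratio={ratio}")
    print("alerts:", alerts(SAMPLES))
```

Note the limit of this check, which is the article’s point: if the source counter comes from the switch, a fully compromised switch can lie about that too. The check reliably catches accidental misconfiguration, oversubscribed SPAN sessions, and an attacker who simply kills the mirror, but the source-side count is only trustworthy when it comes from something the switch does not control, such as a TAP’s own counters or a second vantage point.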