The NSA's worst nightmare

I am not an expert on network security and I have no idea what &quot;out of band network tap&quot; means... If I read it right, the article is saying that in order to have a secure network, you should monitor what is going on in it and detect anomalies, ok?<p>That&#x27;s a good point, I guess.<p>(however, the blog is on a page of a company, that seems to me to be selling network monitoring devices.)

<i>&gt; The out-of-band network tap that Joyce describes is exactly what a product like ExtraHop delivers.<p>...<p>&gt; Well? Can you see those intrusions, and see where they try to go next? Do you have the visibility into the East-West traffic that Joyce describes as being so crucial to stopping advanced, persistent threat actors from exploiting you?</i><p><i>&gt; ExtraHop can give it to you. Our platform auto-discovers and classifies every device, every interface, and every application that touches your network, and can observe and analyze ever transaction in real time. We give you all the information you need to stay one step ahead of anyone who might be trying to break into your network.</i><p><i>&gt; Read our security operations use cases or try our free demo to see how.</i><p>This reads like an advertisement.

I disabled taps in the past because they were directly connected to the line and predictably ran Linux or BSD. High assurance field long solved this problem with one technique: one-way links (data diodes). They dont physically allow the monitor to write the network.<p>So, definitely use taps. Just use them with one way cables on air gapped machines. Dont trust OS or router-level isolation against High Strength Attackers.<p>Note: Does anyone know if this one uses a one-way cable? I didnt delve into details too much.

Is this what the top brass at the NSA fear the most, or what the developers working behind the scenes fear?

I think what the &quot;worst nightmare&quot; comment really meant was observation&#x2F;monitoring that they (the NSA) could not disable. Hackers can turn off logging or even exploit monitoring agents as an attack vector (the Target breach a couple years used BMC agents as an attack vector). However, if a copy of all the network traffic is being passively analyzed by a monitoring appliance, then there&#x27;s no way that they can hide from that or turn it off.