Layers 5-7 are where applications reside and where attacks on them take place. Interestingly, many vendors’ cybersecurity tools also reside here. Some vendors put the instructions on how to install their agents or virtual appliances on their web site. You will see that they are installed in the Program Files” folder - Layer 7.
Virtual Appliances in the cloud reside on an instance…. which is Layer 7.
Attacks on applications achieve success due to insecure coding practices. SQL injections are common attacks on applications. If your security vendor’s tools reside on these layers and an attacker carries out a successful Layer 7 breach, this means that the security tools on that layer are also compromised.
If Layer 5-7 can be compromised, then it is imperative to have eyes on Layers 1-4. Interestingly, some cybersecurity companies mirror ports off the switch (SPAN, if you use Cisco) to monitor Layers 1-4. Where do SPAN ports reside…. Layer 7. A normally functioning switch eliminates packets that are below minimal size and delete corrupt packets. This means that hardware and media errors are dropped, so an out-of-band monitoring device does not receive all the packets. Conservative figures state 8-10% packet loss. Others state that it can easily be 20-30%.
Let’s take this one step further. Switches are built to switch traffic. That is the priority for their resources. If overburdened, as in a brute force attack, switches take resources from secondary functions like mirroring. Depending on the size of the switch, this can easily cause 20, 30, 50,70, or even 100% traffic packet loss in extreme cases.
- In addition, overused SPAN ports tend to drop frames because LAN switches are designed to groom data (from adding delays to changing timing), extract bad frames, and ignore all layer one and two information. – Garland
- The way in which SPAN ports are typically implemented makes them incapable of handling FDX monitoring and analysis of VLAN. Understanding what you are able to monitor is essential to designing a successful network. – Garland
- "The switch treats SPAN data with a lower priority than to-port data...the best strategy is to make decisions based on the traffic levels of the configuration and when in doubt to use the SPAN port only for relatively low-throughput situations." - Cisco
- When implemented properly and used in an environment in which it will never oversubscribe, a SPAN port is a resourceful network device. But, as 10-Gigabit environments become more common, the SPAN simply won’t suffice. Ensuring complete network visibility requires the use of a network TAP. - Garland
- The potentially limited network visibility of a SPAN and its lack of security in transporting monitored traffic through your network could be a risk to your business from a Data Security Compliance perspective. In a court of law, these shortcomings may be identified as impermissible flaws, leading to costly fines. – Garland
A good analogy to this sporadic packet loss is asking someone to record a movie for you, but with the caveat that you will be missing a minimum of 10%, or more…spread throughout. Not even one defined chunk. Bummer. It is almost not worth watching.
It is far better to use a high quality, powered, fail-open network tap to capture 100% of network traffic, but this is the topic of another research article.
Happy to discuss this. Just use the link below to schedule some time on my calendar.