If you're getting started in NetSec you've probably heard that taps are the preferred method for monitoring traffic over other methods like spanning ports. Taps have some decided advantages. They pass all packets that hit them, including malformed packets and over and under sized packets. A monitor port on a switch may drop these packets as undesirable, which from a network standpoint makes sense, but from a NSM (network security monitoring) standpoint, that isn't ideal. Maliciously crafted packets are often non-standard or malformed and the intrusion analyst needs to see those packets.
Another dis-advantage to SPAN ports is that when the switch approaches becoming oversubscribed it will stop copying packets to the monitoring port. That may be the very time you're IDS is alerting of you an attack, or would be if it saw the packets. The tap has no such restrictions nor does it need to. It's not responsible for routing or inspecting packets; it's acting as a bump in the wire and passes everything it sees.
What about all those types of taps? What are the differences?
A passive tap sends a copy of the traffic passing through it to it's monitoring ports, but does not and cannot interact with it.
An active response tap has the ability to receive packets from the monitoring devices and put that traffic back on the wire. An example of this would be an IPS that terminates connections by sending spoofed reset packets to both ends of a connection, making each end think the other is shutting the conversation down. You can do this manually with tcpkill, which is found in the dsniff suite of network tools.
An aggregation tap takes both network ports and aggregates them onto one monitoring port, reassembling the duplex network stream so that you only need one port on your monitoring device. This also removes the requirement of using channel bonding on your device to see both directions of the network stream.
And finally, a regeneration tap has the ability to send copies of the traffic to multiple monitoring ports, to allow the same traffic to be monitored and analyzed by multiple devices. You might send the traffic to one or more IDS/IPS devices, a packet capture box and a network analyzer used by your infrastructure team.
Information, tools and how-to's for the new intrusion analyst. Mentoring by blogging.