We have been advised that the availability of SPAN ports on our ASA is limited, and that we need to look to the possibility of going to a TAP should we decide to expand our current SIEM assets. At present we have an ADM, DBM, ELM, and of course the ESM itself.
My question revolves around the devices' ability to monitor the traffic across the TAP, that is, with a SPAN port we can switch the VLANs we wish to monitor and not have to worry about other network traffic, but with a TAP the devices will see everything across the TAP. Do the devices (ADM/DBM, ELM) have the capability for configuring the traffic they will "watch" across the connection, such as monitoring a specific VLAN, or will they only be able to "see" the whole traffic flow across the TAP?
I do understand that some of the devices, such as the DBM, are configured for specific servers and/or utilize agents that preclude their need to monitor traffic on the LAN. I guess my question is directed more at the "global" devices such as the ADM, for example. I would add that we are not currently utilizing this system for filtering or blocking traffic, only for monitoring.
Message was edited by: penoffd on 4/2/14 8:53:34 AM CDT