Traffic mirroring methods for OT monitoring
This article introduces the supported traffic mirroring methods for OT monitoring with Microsoft Defender for IoT.
To ensure that Defender for IoT only analyzes the traffic that you want to monitor, we recommend that you configure traffic mirroring on a switch or a terminal access point (TAP) that includes only industrial ICS and SCADA traffic.
Note
SPAN and RSPAN are Cisco terminology. Other brands of switches have similar functionality but might use different terminology.
Supported mirroring methods
The decision as to which traffic mirroring method to use depends on your network configuration and the needs of your organization.
Defender for IoT supports the following methods:
| Method | Description |
|---|---|
| A switch SPAN port | Mirrors local traffic from interfaces on the switch to a different interface on the same switch |
| Remote SPAN (RSPAN) port | Mirrors traffic from multiple, distributed source ports into a dedicated remote VLAN |
| An encapsulated remote switched port analyzer (ERSPAN) | Mirrors input interfaces to your OT sensor's monitoring interface |
| Active or passive aggregation (TAP) | Installs an active / passive aggregation TAP inline to your network cable, which duplicates traffic to the OT network sensor. Best method for forensic monitoring. |
| An ESXi vSwitch | Mirrors traffic using Promiscuous mode on an ESXi vSwitch. |
| A Hyper-V vSwitch | Mirrors traffic using Promiscuous mode on a Hyper-V vSwitch. |
Mirroring port scope recommendations
We recommend configuring your traffic mirroring from all of your switch's ports, even if no data is connected to them. If you don't, rogue devices can later be connected to an unmonitored port, and those devices won't be detected by the Defender for IoT network sensors.
For OT networks that use broadcast or multicast messaging, configure traffic mirroring only for RX (Recieve) transmissions. Multicast messages will be repeated for any relevant active ports, and you'll be using more bandwidth unnecessarily.
Next steps
For more information, see:
Feedback
Submit and view feedback for