Modern business demands have stretched traditional network architectures to their limits, making network TAP devices a necessity for maximizing visibility. Data volumes coming into and flowing out of your network continue to increase exponentially.
Without the right visibility solutions in place, you risk cybersecurity tools overlooking malicious packets and monitoring tools failing to identify performance issues. This guide explains the basics of network TAP devices: what they are, what they do, the TAP vs. SPAN debate, and how to choose the best network TAP device for your needs.
A networking TAP is an external network device that enables port mirroring and creates copies of traffic for use by various monitoring devices. These devices are introduced at a point in the network path that requires observation, where they copy IP data packets and send them to a network monitoring tool. Choosing the points where network TAP devices are necessary depends on your reasons for observation: data gathering, analysis, general monitoring for saturation and latency, intrusion detection, etc. Network TAP devices can collect and mirror data traffic from low Ethernet transfer rates of 1 Gigabit per second (Gbit/s) up to 100Gbps and the latest 400Gbps.
While these devices tap into traffic, network TAP devices do not modify the flow of packets in any way, regardless of data traffic rate. That means network traffic is unaffected by monitoring and port mirroring, which is critical for maintaining the integrity of data as it is routed to security and analysis tools.
These out-of-band scenarios ensure monitoring is performed on copies of traffic by devices external to the network, enabling your network TAP device to act as an unobtrusive observer. By feeding copies of data to any/all attached devices, you get full visibility at the network point. In the case that a network TAP device or monitoring device fails, you know that traffic flow will remain unaffected, ensuring the operating system remains secure and available.
While the overall objective of a network TAP device is always to provide access to data packets without interrupting traffic flow across the wire, these visibility solutions can address more advanced scenarios, too. The need to monitor tools ranging from next-gen firewalls to data leakage protection, application performance monitoring, SIEM, digital forensics, IPS, IDS, and more has forced network TAP devices to evolve.
In addition to providing complete copies of traffic and maintaining availability, modern network TAP devices can address three key use cases.
Just because a network TAP device can create a 100% copy of data packets at a certain point doesn’t mean that every monitoring and security tool needs to see it all. Streaming traffic in real time to all network monitoring and security tools will only result in oversubscription, hurting the performance of the tools and your network in the process.
Putting the right network TAP devices in place can help filter packets when routing to monitoring tools, distributing the right data to the right out-of-band tools. Examples of such tools include Intrusion Detection systems (IDS), Data Loss Prevention (DLP), Security Information and Event Management (SIEM), forensics analysis and many more.
As network monitoring and security demands increase, network engineers must find ways to accomplish more with existing IT budgets. But at a certain point, you can’t keep adding new appliances to the stack and increasing the complexity of the network. Maximizing the utilization of your monitoring and security tools is essential.
Network TAP devices can help by aggregating multiple network traffic flows (both eastbound and westbound), sending the data packets to attached devices through a single port. Deploying visibility tools this way will reduce the number of monitoring tools you need. As East-West data traffic within and between data centers keeps rising, network TAP devices are critical for maintaining visibility across every direction of high-capacity data flow.
In-line security devices can effectively block malicious activity from affecting network performance or enabling data breaches. But placing any monitoring or security appliances in-line creates points of failure across your network, which is a problem given demands for high availability.
Network TAP devices with bypass capabilities ensure traffic flows are uninterrupted even if security devices fail. They also enable admins to conduct maintenance without creating downtime on the network.
Each of these use cases is critical for maintaining 100% network visibility under modern business demands. However, there is still some resistance from network engineers to shift from SPAN ports to network TAP devices. The network TAP device vs. SPAN port debate continues, but there are clear reasons to make the shift if you want to maximize visibility.
The networking TAP vs. SPAN debate is nothing new. For years, network engineers have used switch port analyzer (SPAN) ports for network monitoring purposes. Like network TAP devices, SPAN ports serve the function of mirroring traffic on your network and sending it to out-of-band security tools like network recorders and analyzers. They are configured via an enterprise network switch with port mirroring capabilities. These dedicated ports take mirrored copies of network traffic off of managed switches to send to security tools.
There may not seem to be much of a difference between SPAN port capabilities and the networking TAPs that passively split traffic flowing from the network to security and monitoring tools. However, trying to keep pace with modern networking demands with SPAN ports is a mistake.
When considering the network TAP device vs. SPAN port debate, there are five main reasons why taps are the superior option.
When you rely on SPAN ports for visibility, you have to deal with the fact that they delete packets that are corrupt and ones that are below the minimum size. Because SPAN ports modify the traffic flow and prioritize certain packets, the security and monitoring tools connected to them fail to receive all traffic. This is further complicated by the way SPAN ports aggregate RX and TX traffic on a single port, increasing the likelihood of dropped packets.
With network TAP devices, you capture all bi-directional traffic delivered on every single destination port—including port errors and regardless of size.
SPAN ports cannot monitor both sides of a link individually. Because the two sides are aggregated, you have to be careful not to oversubscribe a SPAN port. Even minor spikes in data traffic can eat up bandwidth and cause packet loss.
Network TAP devices eliminate packet loss by monitoring both sides of a link individually, providing visibility into 100% of packets regardless of bandwidth rates - 1/10/25/40/50/100Gb.
When you’re operating a moderate to high network utilization environment, you can’t trust SPAN ports to handle all of the traffic without dropping packets. If traffic going out of the SPAN is larger than the traffic being received, the SPAN port will be oversubscribed and forced to drop packets.
If this is the case, you need to add a network TAP device to the SPAN port setup anyway. Without a network TAP device, a SPAN port requires 20Gb of capacity to capture 10Gb of bi-directional traffic. A 10Gb networking TAP captures all 10Gb of traffic.
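The oversubscription argument above can be checked with a small model. This is an added example, not code from the original page or from any vendor; the traffic samples, the per-second granularity and the buffer size are constructed assumptions.

```python
"""Added example: one full-duplex link mirrored to a single SPAN destination
port versus a TAP with one monitor port per direction. Numbers are constructed."""

LINK_GBPS = 10.0  # rate of each link direction and of each monitor port

# Constructed per-second load samples (Gbit) for each direction of a 10Gb link.
RX = [3.0, 4.0, 6.5, 7.0, 4.0, 2.0]
TX = [2.0, 5.0, 5.5, 6.0, 3.0, 1.0]


def mirror_drops(offered, port_gbps, buffer_gbit=0.0):
    """Push per-second offered load (Gbit) through one egress port that has a
    small egress buffer; return the total Gbit that never reach the tool."""
    queued = dropped = 0.0
    for load in offered:
        backlog = queued + load
        backlog -= min(backlog, port_gbps)           # port drains at line rate
        dropped += max(0.0, backlog - buffer_gbit)   # overflow past the buffer is lost
        queued = min(backlog, buffer_gbit)           # the rest waits for the next second
    return dropped


def span_drops(rx, tx, port_gbps=LINK_GBPS, buffer_gbit=0.0):
    """SPAN: RX and TX are aggregated onto a single destination port."""
    return mirror_drops([r + t for r, t in zip(rx, tx)], port_gbps, buffer_gbit)


def tap_drops(rx, tx, port_gbps=LINK_GBPS):
    """Breakout TAP: each direction is delivered on its own monitor port."""
    return mirror_drops(rx, port_gbps) + mirror_drops(tx, port_gbps)


if __name__ == "__main__":
    print("SPAN, 10Gb port, no buffer :", span_drops(RX, TX))
    print("SPAN, 10Gb port, 0.5 Gbit  :", span_drops(RX, TX, buffer_gbit=0.5))
    print("SPAN, 20Gb port            :", span_drops(RX, TX, port_gbps=20.0))
    print("TAP, two 10Gb monitor ports:", tap_drops(RX, TX))
```

Neither direction ever exceeds 7 Gbit/s in the sample, yet the aggregated mirror port loses traffic during the two busy seconds, which is exactly the window an intrusion detection sensor would be blind to.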
Switch Port Analyzer (SPAN) grew in popularity before networking capabilities evolved with virtualization. As a result, SPAN ports often don’t allow VLAN tags to pass through. This limited visibility hurts the effectiveness of connected monitoring and security tools, makes it difficult to detect VLAN issues, and creates false issues for your networking team to review. Although new Remote SPAN and Encapsulated Remote SPAN (ERSPAN) can overcome traditional SPAN limitations, they still have various limitations in data processing and oversubscription phenomena.
Network TAP devices allow all traffic to pass through - regardless of protocols and encapsulations - preventing these kinds of issues and maximizing visibility for your team, monitoring tools, and security appliances.
The switches and routers with port mirroring capabilities have very complex code to make copies of the memory data that is directed to SPAN ports. This added complexity can increase the risk of security exploits. Also, because the hardware and software required to support SPAN functionality aren’t isolated, it is more vulnerable to attacks than if the system was completely separate.
Network TAP devices completely isolate hardware and logic from your network. These external devices continue to operate correctly and monitor ports even when a switch/router is compromised by attackers.
Solving the networking TAP vs. SPAN port debate is only half the battle. Once you decide to make network TAP devices the building blocks of your visibility strategy, you have to determine the kinds of network TAP devices that will work best for your use cases and deployment options.
Before considering specific use cases and advanced types of network TAP devices, it’s important to understand the differences between the two main versions of this technology—active networking TAPs and passive networking TAPs.
An active networking TAP contains a chip or electronic element that enables data to flow through the device. These devices then duplicate the traffic and pass it along to a variety of inspection and analysis devices. While these network TAP devices are most common in copper environments, they also work in fiber cabling situations.
Active TAPs need to be powered at all times. However, in the event of a power outage, these devices typically have battery backup to keep them up and running while you respond to alert notifications. Bypass TAPs are one specific type of active devices, containing a relay switch that closes when power is lost. This preserves the network connection and reduces traffic interruption.
The switch-like mechanisms that enable active network TAP devices to manage traffic offer additional useful functionality like aggregation and traffic injection. Aggregation sends both sides of a full-duplex communication to a single monitoring port, while traffic injection examples include “TCP Reset” and “ICMP not available” notifications.
Passive networking TAPs split light (data traffic) passing through fiber cables. Data flows through these networking TAP devices while the TAP duplicates the flow and passes it along to out-of-band security and monitoring tools.
Depending on your loss budget, you can select the split ratio for a network TAP device (i.e. how much light is going to the monitoring appliance and how much goes to the network). These networking TAP devices don’t require a power source, making them a more popular option for engineers looking to avoid creating points of failure.
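To make the split-ratio decision concrete, the following added example (not from the original page or any vendor) checks which ratios keep both the network leg and the monitor leg within a loss budget. It assumes an ideal splitter, where a leg receiving a fraction f of the light loses -10·log10(f) dB, plus an optional excess-loss parameter; the ratios, power levels and losses are constructed.

```python
import math

# Constructed candidate split ratios as (network %, monitor %).
RATIOS = [(50, 50), (60, 40), (70, 30), (80, 20), (90, 10)]


def split_loss_db(fraction):
    """Ideal loss in dB on a leg that receives `fraction` of the light."""
    return -10.0 * math.log10(fraction)


def leg_ok(tx_dbm, rx_sens_dbm, path_loss_db, fraction, excess_db, margin_db):
    """True if the receiver on this leg still sees enough light."""
    received = tx_dbm - path_loss_db - split_loss_db(fraction) - excess_db
    return received >= rx_sens_dbm + margin_db


def viable_ratios(tx_dbm, net_rx_sens_dbm, mon_rx_sens_dbm,
                  net_path_loss_db, mon_path_loss_db,
                  excess_db=0.0, margin_db=1.0, ratios=RATIOS):
    """Return the ratios for which both the network and monitor legs close."""
    good = []
    for net_pct, mon_pct in ratios:
        net = leg_ok(tx_dbm, net_rx_sens_dbm, net_path_loss_db,
                     net_pct / 100, excess_db, margin_db)
        mon = leg_ok(tx_dbm, mon_rx_sens_dbm, mon_path_loss_db,
                     mon_pct / 100, excess_db, margin_db)
        if net and mon:
            good.append((net_pct, mon_pct))
    return good


# Constructed link: -4 dBm launch power, -12 dBm receiver sensitivity on both
# legs, 3.0 dB of fiber/connector loss to the far end, 1.5 dB to the tool.
EXAMPLE = viable_ratios(-4.0, -12.0, -12.0, 3.0, 1.5)

if __name__ == "__main__":
    for net_pct, mon_pct in RATIOS:
        print(f"{net_pct}/{mon_pct}: network {split_loss_db(net_pct / 100):.2f} dB, "
              f"monitor {split_loss_db(mon_pct / 100):.2f} dB")
    print("ratios that close both legs:", EXAMPLE)
```

A ratio that starves the monitor leg leaves the security tool with errors or no link at all, so the budget has to be checked on both legs, not only on the production path.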
Ultimately, both categories of networking TAP devices are truly non-intrusive and seamless. They provide clear, 100% network traffic visibility into each packet of data regardless of bandwidth—without overloading network resources or consuming the processing capabilities of your switches.
That’s why choosing between active and passive network TAP devices will largely come down to the networking environment itself. But once you start considering the specific network monitoring use cases, you can look at the specific types of network TAP devices that suit your visibility needs.
The standard network TAP device connects inspection, monitoring, and analysis tools and devices to the network at key TAP access points. However, network TAP devices come in a variety of types within the active and passive categories. Each type has its own strengths and features that will suit your unique networking needs.
If you’re familiar with network packet brokers (NPBs), you’ll notice that many of these advanced types of network TAP devices are integrated with NPB features to increase efficiency and widen the scope of deployment scenarios. When considering which network TAP device you need for specific use cases, there are 7 main options:
Analyzing network traffic at speeds of 10Gb and higher is highly resource-intensive. The purpose of filterable networking TAPs is to downsize the traffic and make it more manageable. Leveraging port capacity and using advanced filtering prevents packets from dropping and ensures pervasive visibility for all connected devices.
These TAPs are best used for analyzing business-critical traffic. By filtering access, you can monitor specific traffic and data network metrics. For example, filterable networking TAPs help you check for frame issues such as errors and corruption in IPv6.
A link aggregation TAP aggregates copies of network traffic data captured at several links and sends the copies to a single inspection port.
Port aggregation TAPs offer the advantage of a full-duplex traffic view, using a single network port instead of two. These TAPs are very similar in their functioning to standard network TAPs, where each direction is monitored on a separate port (breakout or split mode). Like the standard TAPs, they allow access to a single network segment, but these networking TAPs enable you to attach up to two inspection or monitoring tools (this is dependent on the configuration of the port aggregator).
The portable network TAP is a type of networking TAP that is designed to be simple to install in any network topology and to configure with any network device. It is a tabletop device that does not need a full rack mount and is thus also more efficient in its space requirements because of its smaller form. This also makes it more cost-effective for small deployments. One of its main strengths is its portability, making it the perfect networking TAP for remote locations.
The portable network TAP may also support some of the TAP features that we highlighted, such as port aggregation and filtering.
As an additional advantage, portable network TAPs may support both fiber and copper network links.
A regeneration TAP copies network traffic from a single link and then regenerates it onto multiple inspection ports. The mechanism enables each inspection or analysis tool to simultaneously view the exact same traffic at the same instant. You thereby achieve comprehensive and pervasive network visibility, by enabling access to permanent but passive inspection into your network’s health at key access points.
These networking TAPs also enhance network security monitoring by empowering concurrent multiple tools and devices such as protocol analyzers, remote network monitoring (RMON) tools, intrusion detection and prevention systems (IDPS), and other similar tools and devices.
Virtual TAPs are a newer breed of networking TAPs, specifically designed to enable visibility into traffic between virtual machines (VMs). Traffic in virtual machines cannot cross a physical port; therefore, virtual TAPs provide east-west traffic access and transmit the ‘virtual’ monitored traffic via encapsulated tunnels to the physical inspection devices. Virtual TAPs that support the maximum number of hypervisor deployments are best.
Bidirectional (BiDi) TAPs are in a category by themselves. They are multi-mode fiber network TAPs that provide visibility to bidirectional 40Gb traffic. BiDi utilizes multiple wavelengths within a single fiber cable in its transceiver technology. The standard fiber TAP technology will not work.
Your network is a business-critical infrastructure that requires maximum availability despite being in constant flux. Issues are bound to occur, which means you need to be prepared to spot them and resolve them as quickly as possible. Without pervasive visibility across the network, response times suffer and you risk experiencing the consequences of widespread outages or costly data breaches.
Network visibility isn’t just important for managing worst-case scenarios, though. Maximizing visibility ensures you can monitor daily network activity and proactively prevent resources from becoming strained or overloaded.
None of this is possible without a foundation of networking TAP connectivity. Selecting the right combination of network TAP devices is critical not just to the effectiveness of your pervasive visibility layer, but to the network monitoring and inspection superstructure as a whole. Once you’ve determined which types of network TAP devices fit your monitoring and analysis needs, you can consider adding network packet brokers and bypass switches to complete the visibility layer.
Niagara Networks offers a full portfolio of network TAP devices that cover all use cases, both active and passive, and for both copper and fiber environments at all data traffic rates. When you’re ready to get 100% visibility with a foundation of network TAP devices, we’re here to help. Contact us for a consultation or check out our library of related resources to learn more.