Modern business demands have stretched traditional network architectures to their limits, making networking taps a necessity for maximizing visibility. Data volumes coming into and flowing out of your network continue to increase exponentially.
Without the right visibility solutions in place, you risk cybersecurity tools overlooking malicious packets and monitoring tools failing to identify performance issues. This guide explains the basics of networking taps—what they are, what they do, the tap vs. span debate, and how to choose the best taps for your needs.
A networking TAP is an external network device that enables port mirroring and creates copies of traffic for use by various monitoring devices. These devices are introduced at a point in the network path that requires observation, where they copy IP data packets and send them to a network monitoring tool. Choosing the points where networking taps are necessary depends on your reasons for observation—data gathering, analysis, general monitoring for saturation and latency, intrusion detection, etc. Networking taps can collect and mirror data traffic from low Ethernet transfer rates of 1 Gigabit per second (Gbit/s) up to 100Gb and the latest 400Gb.
While these devices tap into traffic, networking taps do not modify the flow of packets in any way, regardless of data traffic rate. That means network traffic is unaffected by monitoring and port mirroring, which is critical for maintaining the integrity of data as it is routed to security and analysis tools.
These out-of-band scenarios ensure monitoring is performed on copies of traffic by devices external to the network, enabling your networking tap to act as an unobtrusive observer. By feeding copies of data to any or all attached devices, you get full visibility at the network point. If a networking tap or monitoring device fails, you know that traffic flow will remain unaffected, ensuring the operating system remains secure and available.
While the overall objective of a networking tap is always to provide access to data packets without interrupting traffic flow across the wire, these visibility solutions can address more advanced scenarios, too. The need to monitor tools ranging from next-gen firewalls to data leakage protection, application performance monitoring, SIEM, digital forensics, IPS, IDS, and more has forced networking taps to evolve.
In addition to providing complete copies of traffic and maintaining availability, modern networking taps can address three key use cases.
Just because a networking tap can create a 100% copy of data packets at a certain point doesn’t mean that every monitoring and security tool needs to see it all. Streaming traffic in real time to all network monitoring and security tools will only result in oversubscription, hurting the performance of the tools and your network in the process.
Putting the right networking taps in place can help filter packets when routing to monitoring tools, distributing the right data to the right out-of-band tools. Examples of such tools include Intrusion Detection Systems (IDS), Data Loss Prevention (DLP), Security Information and Event Management (SIEM), forensics analysis and many more.
As network monitoring and security demands increase, network engineers must find ways to accomplish more with existing IT budgets. But at a certain point, you can’t keep adding new appliances to the stack and increasing the complexity of the network. Maximizing the utilization of your monitoring and security tools is essential.
Networking taps can help by aggregating multiple network traffic flows (both eastbound and westbound), sending the data packets to attached devices through a single port. Deploying visibility tools this way will reduce the number of monitoring tools you need. As East-West data traffic within and between data centers keeps rising, networking taps are critical for maintaining visibility across all directions of high-capacity data flow.
In-line security devices can effectively block malicious activity from affecting network performance or enabling data breaches. But placing any monitoring or security appliances in-line creates points of failure across your network, which is a problem given demands for high availability.
Networking taps with bypass capabilities ensure traffic flows are uninterrupted even if security devices fail. They also enable admins to conduct maintenance without creating downtime on the network.
Each of these use cases is critical for maintaining 100% network visibility under modern business demands. However, there is still some resistance from network engineers to shift from SPAN ports to network taps. The networking tap vs. SPAN port debate continues, but there are clear reasons to make the shift if you want to maximize visibility.
The networking tap vs. SPAN debate is nothing new. For years, network engineers have used switch port analyzer (SPAN) ports for network monitoring purposes. Like networking taps, SPAN ports serve the function of mirroring traffic on your network and sending it to out-of-band security tools like network recorders and analyzers. They are configured via a network enterprise switch with port mirroring capabilities. These dedicated ports take mirrored copies of network traffic off of managed switches to send to security tools.
There may not seem to be much of a difference between SPAN port capabilities and the networking taps that passively split traffic flowing from the network to security and monitoring tools. However, trying to keep pace with modern networking demands with SPAN ports is a mistake.
When considering the networking tap vs. SPAN port debate, there are six main reasons why taps are the superior option.
When you rely on SPAN ports for visibility, you have to deal with the fact that they delete Ethernet packets that are corrupt and ones that are below the minimum size. By modifying the traffic flow and prioritizing certain packets, security and monitoring tools connected to SPAN ports fail to receive all traffic. This is further complicated by the way SPAN ports aggregate RX and TX high-speed data traffic on a single port, increasing the likelihood of dropped packets.
With networking taps, you capture all bi-directional traffic delivered on every single destination port—including port errors and regardless of size.
When you rely on SPAN ports for visibility, you have to deal with the fact that they delete packets that are corrupt and ones that are below the minimum size. By modifying the traffic flow and prioritizing certain packets, security and monitoring tools connected to SPAN ports fail to receive all traffic. This is further complicated by the way SPAN ports aggregate RX and TX traffic on a single port, increasing the likelihood of dropped packets.
With networking taps, you capture all bi-directional traffic delivered on every single destination port—including port errors and regardless of size.
SPAN ports cannot monitor both sides of a link individually. Because the two sides are aggregated, you have to be careful not to oversubscribe a SPAN port. Even minor spikes in data traffic can eat up bandwidth and cause packet loss.
Networking taps eliminate packet loss by monitoring both sides of a link individually, providing visibility into 100% of packets regardless of bandwidth rates - 1/10/25/40/50/100Gb.
When you’re operating a moderate to high network utilization environment, you can’t trust SPAN ports to handle all of the traffic without dropping packets. If traffic going out of the SPAN is larger than the traffic being received, the SPAN port will be oversubscribed and forced to drop packets.
In that case, you need to add a networking tap to the SPAN port setup anyway. Without a network tap, a SPAN port requires 20Gb of capacity to capture 10Gb of bi-directional traffic. A 10Gb networking tap captures all 10Gb of traffic.
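The oversubscription argument above can be checked with a small queue model. This is an added example, not vendor code: the traffic samples and the 2 Mbit egress buffer are constructed assumptions, and real switch buffering is more complex.

```python
# Added example: constructed traffic samples, not measurements from a real switch.
# Units: 1 Gb/s sustained for 1 ms is 1 Mbit, so a Gb/s figure is also Mbit per interval.

def mirror_drops(offered_gbps, port_gbps, buffer_mbit):
    """Return Mbit dropped when the offered load is queued onto one egress port."""
    queue = dropped = 0.0
    for offered in offered_gbps:
        queue += offered                  # copies arriving in this 1 ms interval
        queue -= min(queue, port_gbps)    # what the monitor port can transmit
        if queue > buffer_mbit:           # egress buffer overflows: excess is lost
            dropped += queue - buffer_mbit
            queue = buffer_mbit
    return dropped

# (rx, tx) load in Gb/s on a 10 Gb/s full-duplex link, one sample per millisecond.
SAMPLES = [(3, 2), (4, 3), (7, 6), (8, 7), (6, 5), (2, 1)]
BUFFER_MBIT = 2  # assumed egress buffer share; real values vary by switch

def compare(samples=SAMPLES, buffer_mbit=BUFFER_MBIT):
    """Drops for a SPAN port (RX+TX on one port) versus a tap (one port per direction)."""
    rx = [r for r, _ in samples]
    tx = [t for _, t in samples]
    both = [r + t for r, t in samples]
    return {
        "span_10g": mirror_drops(both, 10, buffer_mbit),  # aggregated onto 10 Gb/s
        "span_20g": mirror_drops(both, 20, buffer_mbit),  # aggregated onto 20 Gb/s
        "tap_rx": mirror_drops(rx, 10, buffer_mbit),      # tap monitor port A
        "tap_tx": mirror_drops(tx, 10, buffer_mbit),      # tap monitor port B
    }

if __name__ == "__main__":
    for name, mbit in compare().items():
        print(f"{name:9s} dropped {mbit:.0f} Mbit")
```

Neither direction ever exceeds line rate in the sample, yet the aggregated 10 Gb/s mirror port loses traffic during the burst; only the 20 Gb/s port or the per-direction tap ports see everything.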
Switch Port Analyzer (SPAN) grew in popularity before networking capabilities evolved with virtualization. As a result, SPAN ports often don’t allow VLAN tags to pass through. This limited visibility hurts the effectiveness of connected monitoring and security tools, makes it difficult to detect VLAN issues, and creates false issues for your networking team to review. Although the newer Remote SPAN and Encapsulated Remote SPAN (ERSPAN) can overcome traditional SPAN limitations, they still have various limitations in data processing and remain prone to oversubscription.
Networking taps allow all traffic to pass through - regardless of protocols and encapsulations - preventing these kinds of issues and maximizing visibility for your team, monitoring tools, and security appliances.
Switches and routers with port mirroring capabilities run very complex code to make copies of the in-memory data that is directed to SPAN ports. This added complexity can increase the risk of security exploits. Also, because the hardware and software required to support SPAN functionality isn’t isolated, it is more vulnerable to attacks than if the system were completely separate.
Networking taps completely isolate hardware and logic from your network. These external devices continue to operate correctly and monitor ports even when a switch/router is compromised by attackers.
Solving the networking tap vs. SPAN port debate is only half the battle. Once you decide to make networking taps the building blocks of your visibility strategy, you have to determine the kinds of taps that will work best for your use cases and deployment options.
Before considering specific use cases and advanced types of networking taps, it’s important to understand the differences between the two main versions of this technology—active networking taps and passive networking taps.
An active networking tap relies on a chip or electronic element that enables data to flow through the device. These devices then duplicate the traffic and pass it along to a variety of inspection and analysis devices. While these taps are most common in copper environments, they also work in fiber cabling situations.
Active taps need to be powered at all times. However, in the event of a power outage, these devices typically have battery backup to keep them up and running while you respond to alert notifications. Bypass taps are one specific type of active devices, containing a relay switch that closes when power is lost. This preserves the network connection and reduces traffic interruption.
The switch-like mechanisms that enable active networking taps to manage traffic offer additional useful functionality like aggregation and traffic injection. Aggregation requires both sides of a full duplex communication to be sent to a single monitoring port while traffic injection examples include “TCP Reset” and “ICMP not available” notifications.
Passive networking taps split light (data traffic) passing through fiber cables. Data flows through these taps while the tap duplicates the flow and passes it along to out-of-band security and monitoring tools.
Depending on your loss budget, you can select the split ratio for a network tap (i.e. how much light is going to the monitoring appliance and how much goes to the network). These networking taps don’t require a power source, making them a more popular option for engineers looking to avoid creating points of failure.
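One way to check a split ratio against a loss budget, as an added example rather than a vendor sizing tool. The transmit power, receiver sensitivity, path losses, excess loss and required margin are constructed assumptions, and the monitoring tool is assumed to have the same receiver sensitivity as the network device.

```python
import math

def split_loss_db(fraction, excess_db=0.0):
    """Loss on a leg that receives `fraction` of the light, plus the tap's excess loss."""
    return -10 * math.log10(fraction) + excess_db

def leg_margins(network_pct, budget_db, net_path_db, mon_path_db, excess_db):
    """Remaining margin in dB on the network leg and on the monitor leg."""
    net = budget_db - net_path_db - split_loss_db(network_pct / 100, excess_db)
    mon = budget_db - mon_path_db - split_loss_db(1 - network_pct / 100, excess_db)
    return net, mon

def viable_ratios(ratios, required_margin_db, **link):
    """Split ratios (percent of light kept on the network leg) where both legs hold margin."""
    return [pct for pct in ratios
            if min(leg_margins(pct, **link)) >= required_margin_db]

# Constructed link values (assumptions, not taken from any datasheet).
TX_DBM = -6.0        # transmitter launch power
RX_SENS_DBM = -14.0  # receiver sensitivity, same for network device and tool
LINK = dict(
    budget_db=TX_DBM - RX_SENS_DBM,  # 8 dB total optical budget
    net_path_db=3.0,   # fiber and connector loss, transmitter to far-end receiver
    mon_path_db=1.5,   # fiber and connector loss, transmitter to monitoring tool
    excess_db=0.5,     # assumed tap loss beyond the ideal split
)
RATIOS = [50, 60, 70, 80, 90]

if __name__ == "__main__":
    for pct in RATIOS:
        net, mon = leg_margins(pct, **LINK)
        print(f"{pct}/{100 - pct}: network {net:+.2f} dB, monitor {mon:+.2f} dB")
    print("viable with 1 dB margin:", viable_ratios(RATIOS, 1.0, **LINK))
```

With these values the 70/30 and steeper splits starve the monitor leg, so only the 50/50 and 60/40 taps keep both the live link and the monitoring tool within budget.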
Ultimately, both categories of taps are truly non-intrusive and seamless. They provide clear, 100% network traffic visibility into each packet of data regardless of bandwidth—without overloading network resources or consuming the processing capabilities of your switches.
That’s why choosing between active and passive networking taps will largely come down to the networking environment itself. But once you start considering the specific network monitoring use cases, you can look at the specific types of taps that will fit your visibility needs.
The standard networking tap connects inspection, monitoring, and analysis tools and devices to the network at key tap access points. However, network taps come in a variety of types within the active and passive categories. Each type has its own strengths and features that will fit your unique networking needs.
If you’re familiar with network packet brokers (NPBs), you’ll notice that many of these advanced types of networking taps are integrated with NPB features to increase efficiency and widen the scope of deployment scenarios. When considering which networking tap you need for specific use cases, there are 7 main options:
Analyzing network traffic at speeds of 10Gb and higher is highly resource intensive. The purpose of filterable networking taps is to downsize the traffic and make it more manageable. Leveraging port capacity and using advanced filtering prevents packets from dropping and ensures pervasive visibility for all connected devices.
These taps are best used for analyzing business-critical traffic. By filtering access, you can monitor specific traffic and data network metrics. For example, filterable networking taps help you check for frame issues such as errors and corruption in IPv6.
A link aggregation tap aggregates copies of network traffic data captured at several links and sends the copies to a single inspection port.
Port aggregation taps offer the advantage of a full duplex traffic view, using a single network port instead of two. These taps are very similar in their functioning to standard network taps, where each direction is monitored on a separate port (breakout or split mode). Like the standard taps, they allow access to a single network segment, but these taps enable you to attach up to two inspection or monitoring tools (this is dependent on the configuration of the port aggregator).
The portable network tap is a type of tap that is designed to be simple to install in any network topology and to configure with any network device. It is a tabletop device that does not need a full rack mount, so its smaller form also makes it more space efficient. This also makes it more cost effective for small deployments. Probably its main strength is its portability, which makes it the perfect tap for remote locations.
The portable network tap may also support some of the tap features that we highlighted, such as port aggregation and filtering.
Portable network taps may additionally support both fiber and copper network links.
A regeneration tap copies network traffic from a single link and then regenerates it onto multiple inspection ports. The mechanism enables each inspection or analysis tool to simultaneously view the exact same traffic at the same instant. You thereby achieve comprehensive and pervasive network visibility, by enabling access to permanent but passive inspection into your network’s health at key access points.
These taps also enhance network security monitoring by feeding multiple tools and devices concurrently, such as protocol analyzers, remote network monitoring (RMON) tools, intrusion detection and prevention systems (IDPS), and other similar tools and devices.
Virtual taps are a newer breed of taps, specifically designed to enable visibility into traffic between virtual machines (VMs). Traffic between virtual machines cannot cross a physical port, so virtual taps provide east-west traffic access and transmit the ‘virtual’ monitored traffic via encapsulated tunnels to the physical inspection devices. Virtual taps that support the maximum number of hypervisor deployments are best.
Bidirectional (BiDi) taps are in a category by themselves. They are multi-mode fiber network taps that provide visibility into bidirectional 40Gb traffic. Because BiDi transceiver technology uses multiple wavelengths within a single fiber cable, standard fiber tap technology will not work.
Your network is a business-critical infrastructure that requires maximum availability despite being in constant flux. Issues are bound to occur, which means you need to be prepared to spot them and resolve them as quickly as possible. Without pervasive visibility across the network, response times suffer and you risk experiencing the consequences of widespread outages or costly data breaches.
Network visibility isn’t just important for managing worst case scenarios, though. Maximizing visibility ensures you can monitor daily network activity and proactively prevent resources from becoming strained or overloaded.
None of this is possible without a foundation of networking tap connectivity. Selecting the right combination of taps is critical not just to the effectiveness of your pervasive visibility layer, but to the network monitoring and inspection superstructure as a whole. Once you’ve determined which types of networking taps fit your monitoring and analysis needs, you can consider adding network packet brokers and bypass switches to complete the visibility layer.
Niagara Networks offers a full portfolio of networking taps that covers all use cases, both active and passive and for both copper and fiber environments at all data traffic rates. When you’re ready to get 100% visibility with a foundation of networking taps, we’re here to help. Contact us for a consultation or check out our library of related resources to learn more.