Turning the TAP
Don't rely on span ports, says TAP-maker's CEO.
Using a span port to mirror network traffic for analysis or monitoring is second nature to most network or security admins. Yet how many have connected a device to one, only to find you need to connect something else as well - or worse, that another admin's come along and disconnected your device to plug in theirs?
The problem, according to Alistair Hartrup, the founder and CEO of Network Critical, is that span ports were an afterthought, dropped in by Cisco after it realised that having Layer 3 switches not pass everything through is a bit of a problem if you are troubleshooting.
He argues too that, in hindsight, mirroring a switch port wasn't the best way to solve the problem. The extra load on the switch's processor means most switches only allow one span or mirror port, plus they were only intended for maintenance use, so if the switch is stressed - by a DoS attack, say - it will drop the span port rather than drop traffic.
"How can you tell if you're exceeding the limitations of a span port? Maybe you had a network event and your monitoring box didn't see it," he says.
"Maybe someone borrowed the span port for a different use, or the network traffic over-ran its capacity, or the in-line device was overwhelmed. There's an over-subscription issue too, and the switch will drop error packets but those are the very fragments your analyser wants."
That, he adds, is why Network Critical came up with the idea of the network tap - although he prefers to spell it TAP, for traffic access point. This is a device that replicates an exact copy of traffic on a network cable, and can cost anything from £300 for a Fast Ethernet tap to £15,000 or more for the latest multi-way versions.
"Electrically, a TAP is relatively unsophisticated," he says. "It has zero impact, not interfering with the network at all. It sits between two network devices, and breaks out the send and receive traffic to two ports. But while it is simplistic in concept, it's not simple in engineering."
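The oversubscription point above is easy to check from ordinary interface counters. The script below is an added illustration, not code from the article or from Network Critical: it takes constructed before/after byte counters for the full-duplex ports being mirrored, works out how much a single span port would have to carry (every mirrored port's receive and transmit traffic lands on the span port's one transmit side), and compares that with the per-direction peak a TAP's two breakout ports would each see. The port names, counter values and the 1 Gbit/s rates are assumptions.

```python
"""Span-port oversubscription check (added example, not from the article)."""
from dataclasses import dataclass


@dataclass
class PortSample:
    """Byte counters for one mirrored full-duplex port at the start and end of an interval."""
    name: str
    rx_start: int
    tx_start: int
    rx_end: int
    tx_end: int


def mbps(delta_bytes: int, seconds: float) -> float:
    """Convert a byte delta over an interval into megabits per second."""
    return delta_bytes * 8 / seconds / 1_000_000


def assess_span(samples, interval_s: float, span_rate_mbps: float) -> dict:
    """Compare the aggregate load on one span port with its line rate.

    A span port mirrors both directions of each monitored link onto a single
    transmit side, so rx and tx of every mirrored port add up. A TAP instead
    breaks out send and receive to two ports, so each port only ever carries
    one direction of one link (max_direction_mbps below).
    """
    total = 0.0
    max_direction = 0.0
    for s in samples:
        rx = mbps(s.rx_end - s.rx_start, interval_s)
        tx = mbps(s.tx_end - s.tx_start, interval_s)
        total += rx + tx
        max_direction = max(max_direction, rx, tx)
    ratio = total / span_rate_mbps
    return {
        "span_mbps_needed": round(total, 1),
        "oversubscription": round(ratio, 2),
        "oversubscribed": ratio > 1.0,       # switch will have to drop mirrored frames
        "max_direction_mbps": round(max_direction, 1),  # what each TAP breakout port carries
    }


# Constructed 10-second samples: a busy 1G uplink plus a quieter server port.
SAMPLES = [
    PortSample("Gi1/0/1", 0, 0, 875_000_000, 625_000_000),   # 700 Mbit/s rx, 500 Mbit/s tx
    PortSample("Gi1/0/2", 0, 0, 125_000_000, 62_500_000),    # 100 Mbit/s rx,  50 Mbit/s tx
]

if __name__ == "__main__":
    print(assess_span(SAMPLES, interval_s=10, span_rate_mbps=1000))
```

With these figures the 1G span port would need 1350 Mbit/s and silently loses about a quarter of the traffic, while no single direction of any link exceeds 700 Mbit/s, which a TAP's per-direction breakout ports handle at line rate.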
The hub of attention
Of course, in the early days of Ethernet you could do the job with a hub, but as it evolved to faster, switched versions, that became impossible - hence the span port, and now the network tap.
Initially, network taps were intended for short term use. Many of the portable taps on the market today, from Network Critical and other vendors such as Datacom Systems and Net Optics, are still built with troubleshooting in mind.
But today's admins face a whole stack of extra demands - to monitor and secure the network, ensure regulatory compliance, record traffic, and so on. Taps can therefore be needed 24x7, and in large numbers.
"The big thing at the moment is that the telcos are being forced by governments to do legal interception," Hartrup says. "And the biggest problem engineers face is change control. So BT, for example, has put optical TAPs all through its new NOC to make it easier for the engineers."
He adds that since those early days, taps have also gathered more and more functionality. It started with versions that aggregated the bidirectional traffic for feeding to single-port devices such as an IDS or IPS, and has led to others that can produce multiple replicas of the same network traffic for different purposes.
"Test and measurement was the first to see the need for this, but there's a lot more uses for it now," he says. "Our new TAP boxes will be able to take multiple feeds in and do anything with them, for example copy the same traffic to an IPS and a Sniffer, or to an IPS and a VOIP recorder."
He notes too that some of the latest trends are actually moving away from that initial concept of having zero-impact on the tapped network. "Now, customers say things like 'Can we send kill packets to stop an attack?', so we have injection capabilities," he says.
"We can also deploy devices virtually in-line - the TAP has a heartbeat to check that the in-line application is running, and fail-through if not. There's a lot of corporate trepidation about putting devices in-line."
The newest thing, according to Hartrup, is a kind of hub - Network Critical calls its version ConneX Chassis - that can aggregate, replicate and switch feeds coming back from taps placed in different parts of the network.
"What banks and so on require is the ability to monitor huge areas of the network with the same products, such as VOIP recording, Sniffer, IDS/IPS and email filtering. They want to bring in feeds from all over, for example from server farms and the DMZ, and route them to the tools," he explains, although he adds that probably won't include TAPs on a branch office LAN.
"For remote sites, people are more likely to have an analyser next to the TAP and access that remotely, rather than bring TAPped traffic back to the NOC over the WAN," he says.
Clever as the devices have become, Hartrup sums up by acknowledging that there are still places that network taps can't go. The big challenge is keeping up with data rates, he says, and in particular with 10GBase-T.
"TAPs are all line-rate, there are none for 10Gig copper yet," he adds. It's clear that as with everything else in networking, nothing stands still - so for tap designers, there's always more to do.