Friday, March 03, 2006

Net Optics Introduces iTap

This morning I found I was quoted in a press release for the new Net Optics iTap GigaBit Port Aggregator tap. This is a cool device that I expect to test soon. I participated in a Think Tank where the concept of an "intelligent tap" was first introduced. From the installation guide (.pdf):

The iTap Port Aggregator displays the link utilization level, last peak with time right on the front panel so you can see real-time utilization on both directions of the network link. The iTap Port Aggregator is accessible from remote interfaces that provide information and control from anywhere in the network.

If you're scared by the thought of a tap offering network statistics via a front panel display, SNMP, and a Web interface, you can disable all of them and deploy the tap in "dumb" mode. It would be cheaper to buy a dumb tap, though!

It makes a lot of sense to introduce this device on a port aggregator model. Port aggregators are vulnerable to dropping traffic when the total bandwidth load exceeds the capacity of the output interface. With the iTap, you can see immediate and ongoing traffic statistics that ensure you're observing and collecting what you expect.
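To make the oversubscription point concrete, here is an added example (not from the original post or from Net Optics): a simple fluid model of an aggregator that merges both directions of a full-duplex link onto one gigabit monitor port. The buffer size, the sample rates, and the function names are assumptions constructed for illustration.

```python
# Added example: fluid model of a port aggregator merging both directions
# of a full-duplex link onto a single monitor port.
MONITOR_PORT_MBPS = 1000      # one gigabit output interface
BYTES_PER_MBIT = 125_000      # bytes carried in one second at 1 Mbit/s

# Constructed sample: average (A->B, B->A) rates in Mbit/s per 1 s interval.
# Neither direction ever exceeds the link rate, yet the sum does.
SAMPLES = [(300, 200), (600, 550), (700, 600), (100, 100)]


def aggregator_drops(samples, buffer_bytes, port_mbps=MONITOR_PORT_MBPS,
                     interval_s=1):
    """Return the bytes dropped in each interval.

    buffer_bytes is the tap's packet buffer (an assumed value; check the
    vendor specification for a real device).
    """
    scale = BYTES_PER_MBIT * interval_s
    drain = port_mbps * scale          # most the monitor port can emit
    queued, dropped = 0, []
    for a_to_b, b_to_a in samples:
        backlog = queued + (a_to_b + b_to_a) * scale
        backlog -= min(backlog, drain)             # what the port sends
        lost = max(0, backlog - buffer_bytes)      # overflow is never seen
        queued = backlog - lost
        dropped.append(lost)
    return dropped


def loss_fraction(samples, buffer_bytes, port_mbps=MONITOR_PORT_MBPS,
                  interval_s=1):
    """Fraction of offered bytes the sensor never receives."""
    offered = sum(a + b for a, b in samples) * BYTES_PER_MBIT * interval_s
    lost = sum(aggregator_drops(samples, buffer_bytes, port_mbps, interval_s))
    return lost / offered if offered else 0.0


if __name__ == "__main__":
    for (a, b), lost in zip(SAMPLES, aggregator_drops(SAMPLES, 1_000_000)):
        print(f"A->B {a:4d}  B->A {b:4d}  sum {a + b:4d} Mbit/s  "
              f"dropped {lost:>11,d} bytes")
    print(f"unobserved: {loss_fraction(SAMPLES, 1_000_000):.1%}")
```

A buffer absorbs a brief excess, but sustained combined load above the monitor port's rate is lost to the sensor no matter how large the buffer is.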



On an unrelated note: I think Blogger may be using a small set of CAPTCHAs to frustrate posting "spam". I actually recognize the CAPTCHA I had to enter for this post. I've had to manually delete several proxy list spam posts over the last few days, too.

4 comments:

Anonymous said...

Richard,

Speaking of taps, do you have any familiarity with DS3 PCI cards that can be used to plug into a NetOptics DS3 Tap? I see a few manufacturers that make DS3 cards. They all have drivers for BSD and Linux, but I have no idea where to look for non-vendor provided product information such as reviews or recommendations.

Richard Bejtlich said...

Sorry, no clue on DS3 NICs.

Chris Byrd said...

What are your thoughts on a more intelligent 10/100 -> 1000 aggregator tap that would use GRE tunnels or some other method to encapsulate the individual segments (and isolate transmit and receive while it was at it) so that you can choose through software what you want to monitor and isolate traffic by segment?

A company we work with uses 10/100 spans into a switch with a gig 802.1q trunk link out - it works, but it has to modify the packets for 802.1q VLAN tagging. You lose out on bad packets, checksums, etc.

- Chris

Richard Bejtlich said...

Hi Chris,

I have heard of people using tricks like that to collect traffic. It sounds like RSPAN. I would like to hear more though, perhaps in a post on your blog?

Once in a while I hear people talk about collecting traffic in a central location for inspection purposes. I wrote about the Army project Interrogator when I described my DoD Cybercrime 2006 experience.

I mentioned similar issues three years ago but haven't seen much public discussion since then.