Wednesday, October 04, 2006

Notes on Net Optics Think Tank

Last week I attended and spoke at the latest Net Optics Think Tank. I've presented for Net Optics twice before, but this was the first event held in northern Virginia.

The first half of the event consisted of two briefings. The first discussed tap technology. This was supposed to be a basic introduction but I learned quite a bit, especially with regard to fiber optics. Specifically, I learned of some cases where customers reverse cables when plugging in their taps, thereby causing lots of tough-to-troubleshoot problems. Furthermore, as customers move from Gigabit over fiber to 10 Gigabit over fiber, they are encountering cabling issues. Gigabit is much more forgiving than 10 Gig. At 10 Gig, you apparently have to pay close attention to the specifications, such as core size.

I learned that Net Optics is considering ways to "tag" or "label" packets collected by their link aggregator taps. When discussing matrix switches, it occurred to me that those devices are a great way to implement on-demand monitoring while keeping true to the tenets of Visible Ops. Rather than monkeying around with a switch SPAN port, risking making a problematic change, you tell the matrix switch which port you want to monitor. The switch is never touched.

The same idea applies to bypass switches. Net Optics (and their customers) basically convinced me that it's a bad idea to ship an appliance with a bypass switch embedded as a NIC in a security appliance. It's far better (if you have the rack space) to have a separate bypass switch. This allows you to completely power down and remove the "inline" security appliance with no effect on the network. This isn't possible with an integrated bypass NIC.

The second briefing covered the Net Optics iTap product line, which I covered several months ago. Dennis Carpio (pictured at left) gave that briefing. Basically Net Optics is moving this "intelligent Tap" functionality into all of their products. I told them I would like to see the tap inspect and classify the traffic it sees, namely by doing port-independent protocol identification. I would also like to see the iTaps support 802.1X, IPv6, SNMPv3, and an HTTPS Web interface.

The iTap might also support filtering at the monitoring ports. This would reduce the load of a sensor on the tap. For example, you could tell the iTap not to pass ARP or non-IP traffic to the sensor. Besides continuing to add features to taps without adding cost, Net Optics is also reducing their size. They will be able to fit six taps into 1U. They're also moving to replacing fixed ports with SFPs.
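As an added illustration, not code from the original post or from Net Optics, here is a small Python model of the two tap features mentioned above: a monitoring-port filter that keeps ARP and other non-IP frames off the sensor, and port-independent protocol identification that classifies a stream by its first payload bytes rather than by destination port. The frames are constructed inline (no capture is used), the signatures are deliberately minimal, and the helper names are my own.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_ARP = 0x0806
IPPROTO_TCP = 6

# What a port-based classifier would assume; used only for contrast.
WELL_KNOWN_PORTS = {22: "ssh", 80: "http", 443: "https"}


def ethertype(frame: bytes) -> int:
    """EtherType of an untagged Ethernet II frame (dst 6, src 6, type 2)."""
    return struct.unpack("!H", frame[12:14])[0]


def passes_monitor_filter(frame: bytes) -> bool:
    """Model of a tap monitoring-port filter: only IPv4/IPv6 is forwarded to
    the sensor, so ARP and other non-IP frames are dropped at the tap."""
    return ethertype(frame) in (ETHERTYPE_IPV4, ETHERTYPE_IPV6)


def tcp_fields(frame: bytes):
    """Return (dst_port, payload) for an IPv4/TCP frame, or None otherwise."""
    if ethertype(frame) != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ip[9] != IPPROTO_TCP:
        return None
    tcp = ip[ihl:]
    dport = struct.unpack("!H", tcp[2:4])[0]
    doff = (tcp[12] >> 4) * 4         # TCP data offset in bytes
    return dport, tcp[doff:]


def identify_protocol(payload: bytes) -> str:
    """Port-independent identification from the first bytes of the stream
    (hypothetical minimal signatures, enough to show the idea)."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x03
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x03:
        return "tls"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"):
        return "http"
    return "unknown"


def classify_frames(frames):
    """Apply the tap filter, then classify what the sensor would actually see.
    Returns (dst_port, port_based_guess, content_based_guess) per forwarded TCP frame."""
    out = []
    for frame in frames:
        if not passes_monitor_filter(frame):
            continue                   # never reaches the sensor
        fields = tcp_fields(frame)
        if fields is None:
            continue
        dport, payload = fields
        out.append((dport, WELL_KNOWN_PORTS.get(dport, "unknown"), identify_protocol(payload)))
    return out


def build_tcp_frame(dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame. Checksums are left at zero because
    nothing in this model verifies them."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp_hdr) + len(payload),
                         0, 0, 64, IPPROTO_TCP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip_hdr + tcp_hdr + payload


def sample_frames():
    """Constructed sample traffic, not a real capture."""
    arp = bytes.fromhex("ffffffffffff") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_ARP) + bytes(28)
    return [
        arp,                                                         # dropped by the tap filter
        build_tcp_frame(443, b"SSH-2.0-OpenSSH_7.9\r\n"),            # SSH on the HTTPS port
        build_tcp_frame(80, bytes.fromhex("160301002f0100002b0303")),  # TLS ClientHello on port 80
        build_tcp_frame(8080, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    ]


if __name__ == "__main__":
    for dport, by_port, by_content in classify_frames(sample_frames()):
        print(f"dport={dport:<5} port-based={by_port:<8} content-based={by_content}")
```

The ARP frame never reaches the classifier, which is the load reduction the filtering feature is after; the three TCP frames show why a port lookup alone misleads a sensor, since SSH on 443, TLS on 80, and HTTP on 8080 are all identified correctly only when the payload is inspected.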

During the second half of the day Net Optics shared ideas for future products. I'll keep this to myself, since this was not exactly meant for broadcast on the Internet. Basically, if you have a network traffic access requirement you're trying to meet, get in contact with me. I can put you in touch with the right people at Net Optics and they will be able to meet your demands. I am not getting any kind of referral fee -- I just trust the people at this company to do the right thing.

Expect to see more reporting on their gear as I get demo products to test.

4 comments:

Anonymous said...

Gigamon does some of what the itap does already.

dre said...

radware secureflow has been doing ids load-balancing similar to itap since 2002 as well

Richard Bejtlich said...

dre, iTap does not do "ids load-balancing."

Mark Manion said...

Good Day Richard,

I hope as a consultant that you are keeping an open mind when evaluating TAP solutions within the industry. We are gaining rapid market share in the TAP arena at Network Critical (www.criticaltap.com) with our unique industry exclusive Enterprise TAP solutions. I know your friends from NetOptics are feeling the pressure of our solutions based on the feedback we are getting from their former clients. So call me if you are a true consultant / expert so we can share the Network Critical story with you: mark@networkcritical.com

Best Regards,
Mark