Monday, January 26, 2009

Why Network Taps

My colleagues and I are spending some time justifying the installation of network taps, instead of using SPAN ports, to gain access to network traffic. This is an old discussion. See my Dec 07 post Expert Commentary on SPAN and RSPAN Weaknesses and Net Optics' page Tap vs SPAN. For a different perspective see Scott Haugdahl's Is Spanning Bad? and Is RSPAN Bad?.

I'm using the following points when discussing the situation.

  1. Taps free SPAN ports for tactical, on-demand monitoring, especially intra-switch monitoring. Many switches have only two ports capable of SPAN, and some offer only one. If you commit a SPAN port for permanent monitoring duties, and you need to reassign it for some sort of troubleshooting on a VLAN or other aspect of the traffic, you have to deny traffic to your sensor while the SPAN port is doing other work. Keep your SPAN ports free so you can do intra-switch monitoring when you need it.

  2. Taps provide strategic, persistent monitoring. Installing a tap means you commit to a permanent method of access to network traffic. Once the tap is installed you don't need to worry about how you are going to access network traffic again. Taps should really be part of any network deployment, especially at key points in the network.

  3. Selected taps do not permit injected traffic onto the monitored link. Depending on the tap you deploy, you will find that it will not be physically capable of transmitting traffic from the sensor to the monitored link. This is not true of SPAN ports. Yes, you can configure SPAN ports to not transmit traffic, and that is the norm. However, from my consulting days I can remember one location where I was told to deploy a sensor on a box with one NIC. Yes, one NIC. That meant the same NIC used for remote SSH access also connected to a switch SPAN port. Yes, I felt dirty.

  4. What taps see is not influenced by configuration (as is the case with SPAN ports); i.e., what you see is really what is passing on the link. This is key, yet underestimated. If you own the sensor connected to a SPAN port, but not the switch, you are at the mercy of the switch owner. If the switch owner mistakenly or intentionally configures the SPAN port to not show all the traffic it should, you may or may not discover the misconfiguration. I have seen this happen countless times. With a network tap, there's no hiding the traffic passing on the monitored link. Many shops have been surprised by what is traversing a link when they finally take a direct look at the traffic.

  5. Taps do not place traffic on a switch data plane, like a SPAN port does. This point is debatable. Depending on switch architecture, SPAN ports may or may not affect the switch's ability to pass traffic. By that I mean a SPAN port may not receive all traffic when the switch is loaded, because forwarding may take precedence over SPANning.
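Points 4 and 5 describe failures that a sensor owner on a SPAN feed may never notice: a session configured for only one direction or missing a VLAN, and packets silently dropped under load. The following sanity check is an added example written for this post (not the author's code); the packet summaries, expected VLAN list and switch counters are constructed, and a real deployment would fill them from the sensor and the switch's interface counters.

```python
from collections import defaultdict

# Constructed packet summaries as a sensor would see them on a SPAN feed.
# Fields: vlan, src, dst, tcp_flags ("S" = SYN, "SA" = SYN/ACK, "A" = ACK or data)
SPAN_FEED = [
    (10, "10.0.10.5", "10.0.20.8", "S"),
    (10, "10.0.10.5", "10.0.20.8", "A"),
    (10, "10.0.10.5", "10.0.20.8", "A"),
    (30, "10.0.30.2", "10.0.20.8", "S"),
    (30, "10.0.20.8", "10.0.30.2", "SA"),
    (30, "10.0.30.2", "10.0.20.8", "A"),
]
# Constructed: the VLANs the monitoring policy says should traverse this link.
EXPECTED_VLANS = {10, 20, 30}


def missing_vlans(feed, expected):
    """VLANs that should be on the link but never appear in the feed (point 4)."""
    return sorted(expected - {vlan for vlan, *_ in feed})


def one_way_conversations(feed):
    """Client/server pairs where a SYN was seen but no SYN/ACK ever came back.

    On a tap this means the server really did not answer; on a SPAN feed it is
    more often a session configured for only one direction (e.g. rx only)."""
    syn_seen, synack_seen = set(), set()
    for _vlan, src, dst, flags in feed:
        if flags == "S":
            syn_seen.add((src, dst))
        elif flags == "SA":
            synack_seen.add((dst, src))  # normalise to (client, server)
    return sorted(syn_seen - synack_seen)


def visibility_ratio(switch_counters, sensor_packets):
    """Fraction of packets the switch forwarded on the link that reached the
    sensor over the same interval (point 5). Well below 1.0 means the SPAN
    session is being starved; a tap would deliver every frame."""
    total = switch_counters["rx"] + switch_counters["tx"]
    return sensor_packets / total if total else 0.0


if __name__ == "__main__":
    print("missing VLANs:", missing_vlans(SPAN_FEED, EXPECTED_VLANS))
    print("one-way conversations:", one_way_conversations(SPAN_FEED))
    # Constructed counters: switch saw 1500 frames, sensor captured 1200.
    print("visibility:", visibility_ratio({"rx": 800, "tx": 700}, 1200))
```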


There are other reasons to prefer network taps, but I'll direct you to the links I provided. Those are good resources.


Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

18 comments:

Marcus J. Carey said...

Taps should really be part of any network deployment, especially at key points in the network.

I have to agree with you on this, taps are a must. Taps are all about "location, location, location", just like real estate.

Anonymous said...

I agree with you, Richard. With only one caveat: some tap models break the link down signal. In other words, these taps do not pass the port down status to adjacent switches.

Joe said...

I have zero failures or problems with NetOptics taps. I have had 4 instances when DataCom taps have brought down the network. I plugged into the monitor interface and noticed the network engineer did not mount the taps securely. This caused the poor quality power connector to briefly lose connection. This shouldn't have been a problem, but with the DataCom taps, it caused all the lights on the tap to go out.

Lesson learned: Some vendors lie about their products. Some don't. Go with what works and test it before deploying. NetOptics has never failed me.

Caveat: Maybe I received two bad Datacom taps and two bad Datacom tap power supplies that will lose power if you so much as sneeze at the tap.

Joe said...

Also, if you get dual monitor port taps, you can let the network team use one and encourage them to monitor the network if they aren't. Convince them and they'll buy taps every time they buy new network gear.

Patrick said...

I was already a true believer in the tap, but had overlooked point 4. Excellent post, thanks!

Vivek Rajan said...

What is the best way to secure a network tap so that only authorized applications are allowed to look at traffic ?

Some switch owners fear a loss of control with taps vs span.

Enrique Martin said...

Good blog entry.

Another article about TAPS vs SPAN by Tim O'Neill: SPAN Port or TAP? CSO Beware (by Tim O'Neill)

Richard Bejtlich said...

Vivek,

Most network taps are "dumb," meaning they don't even have an interface. There is nothing to configure. So-called "smart" taps might run a Web server or allow serial access so authorized users can see network traffic statistics. There is no device on the market that will only expose traffic to "authorized applications," unless you want to put a full-fledged inline device on the wire in place of the network tap.

nr said...

Vivek, how do you physically secure the rest of your networking equipment and cabling? It's all presumably in the same place, and if the TAP is vulnerable to someone walking into the LAN closet and connecting to an interface then everything else is likely vulnerable, too. I'm not sure a TAP should be any more worrisome than a physical attack against all your other equipment.

Anonymous said...

If you're really worried about network reliability, perhaps you should use a simple optical or copper tap. Some are better than others, but you can use an aggregating tap at a higher level than the "dumb" device. This would eliminate the problem that "Joe" talked about with power failures as these devices are not powered. This also eliminates any type of software or firmware bug from possibly bringing down your network. See http://www.vssmonitoring.com for more details.

Davi Ottenheimer said...

Gigamon deserves a mention here too:

http://www.gigamon.com/span_port_or_tap.php

Tommy Landry said...

Hi Richard - we did a review of TaoSecurity on our own blog (because it's a great blog and resource). Just thought you might want to take a look here: http://www.anuesystems.com/blog/?p=39

Anonymous said...

Vivek,

I know that Network Critical (www.networkcritical.com) provides SMART TAPs with port lock, so you can (remotely) open and lock the monitoring ports. This prevents people from plugging in a cable and sniffing the traffic.

There are so many different kinds of TAPs available. You also have to consider what you need and from there you choose the best solution. Do you want to have breakout or aggregation, or work with span feeds, or regeneration of the traffic? There are even SMART TAPs that you can program for every function so you always have the right choice.

You only have to keep in mind that there is a difference between Copper 10/100 and Copper Gigabit when it comes to TAPs.

Scott Burch said...

Totally agree. The main function of a switch is to deliver traffic; if it is under heavy load then not all packets will get to the SPAN port. Taps versus SPANs hasn't been the issue for me; it's the number of redundant links, tools which need to see those links, and strategy about system placement (both physical and virtual). On top of this we have a bunch of 10Gb links. Currently we use taps and feed them into Gigamons so we can better meet our needs. Things get very messy fast when you need to monitor communication between tiers of application environments. :-)

Dan Glass said...

Well said. I have had to go against our network architect over this subject. The only point that counters taps is the magical word "inline" and "outage." I think I have the tide turned after bringing in a few consultant engineers to show that hardware bypass and failing open work. Now I can use a single tap to monitor traffic for a variety of security purposes.

Anonymous said...

APCON seems to have a very complementary offering to network taps with the most scalable platform I have seen in the industry. They have a very nice management offering too. www.APCON.com

Anonymous said...

We have been looking at two solutions: a data aggregation switch and aggregation taps. Both are similar in features. We most likely will go with the aggregation switch for the filtering capabilities and some more basic taps as well. Here is some info I found helpful on why network taps are needed. http://www.nextgigsystems.com/network_taps/what_are_network_taps.html

trafficshare said...

Just stumbled across this article and wanted to just lend my voice to the pro-network tap side of the argument.

So many more advantages that it amazes me that more people don't utilise the hardware.

Keep up the good work.

TS