Network Computing Misses the Mark

Network Computing profiled the Net Optics 10/100BaseT Port Aggregator Tap. This device is unique in that it combines the two transmit lines from ports A and B into a single output, adding memory to buffer bursts exceeding 100 Mbps. I was glad to see this product receive attention in Network Computing, but I think the reviewer missed the mark. I was especially disappointed to read this comment:

"...the unit is cost-effective only if you » need to multiplex a full-duplex network onto a half-duplex connection, » expect short traffic bursts above 100 percent utilization or » can't risk a down link from a loss of power on the tap. If none of these conditions apply, you're better off buying a switch with a mirror port off eBay for about $300."

Does this author seriously recommend enterprise customers buy equipment from eBay? I'm a big eBay fan, having bought many servers from eBay for my home network. I wouldn't recommend doing the same at work. Furthermore, is Network Computing advocating buying Cisco gear from eBay? Do they know a purchase of auctioned Cisco gear doesn't include a license for IOS? Cisco allows customers to buy licenses for used equipment, but their pricing is so outrageous it makes sense to buy new equipment.

You can buy a new 12-port Cisco 2950 for a little over $600 at CDW.com. A cheap SMARTNet contract costs less than $100. So, for $700, you have a device with a SPAN port to watch network traffic in place of the tap. Unfortunately, the SPAN port hides link errors from the monitor. The SPAN port also isn't built to handle traffic over 100 Mbps like the memory-enhanced Net Optics Port Aggregator.

At this point the switch advocate might want to invest in a switch with a gigabit SPAN port, like the 2950T. Now the cost of the switch alone is over $900 and the price advantage compared to the tap disappears. (The tap is listed at $950 in the NWC story.)

There's a reason why Net Optics priced their product as they did. They are selling professional-grade devices built for serious monitoring that preserves full duplex links.
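
The aggregation described above, as an added example that is not from the original post or from Net Optics: a small Python model of two 100 Mbps transmit directions merged onto one 100 Mbps monitor output, with and without memory to absorb a burst. The buffer sizes and the traffic profile are constructed assumptions, not product specifications.

```python
# Added illustration. Buffer sizes and the traffic profile are constructed
# assumptions, not Net Optics specifications.
# With 1 ms ticks, a stream of N Mbps carries N kbit per tick, so all
# quantities below are whole kilobits.

LINK_MBPS = 100  # each tapped direction, and the single monitor output


def simulate(profile, buffer_kbit):
    """Merge directions A and B onto one 100 Mbps output.

    profile: list of (a_mbps, b_mbps), one entry per 1 ms tick.
    buffer_kbit: memory available to hold traffic the output cannot send yet.
    """
    queued = offered = delivered = dropped = peak = 0
    for a_mbps, b_mbps in profile:
        arriving = min(a_mbps, LINK_MBPS) + min(b_mbps, LINK_MBPS)
        offered += arriving
        queued += arriving
        sent = min(queued, LINK_MBPS)      # output drains 100 kbit per tick
        queued -= sent
        delivered += sent
        if queued > buffer_kbit:           # no room left: the monitor never sees it
            dropped += queued - buffer_kbit
            queued = buffer_kbit
        peak = max(peak, queued)
    return {
        "offered_kbit": offered,
        "delivered_kbit": delivered,
        "dropped_kbit": dropped,
        "peak_queue_kbit": peak,
        "max_delay_ms": peak / LINK_MBPS,  # worst-case added latency on the monitor side
        "left_in_buffer_kbit": queued,
    }


# Constructed profile: steady 70 Mbps combined, a 20 ms burst at 170 Mbps
# combined, then 40 Mbps combined while the buffer drains.
PROFILE = [(30, 40)] * 50 + [(90, 80)] * 20 + [(20, 20)] * 50

if __name__ == "__main__":
    for label, size in [("no burst memory", 0),
                        ("1000 kbit buffer", 1000),
                        ("8000 kbit buffer", 8000)]:
        print(label, simulate(PROFILE, size))
```

In this model a large enough buffer delivers the whole burst to the monitor, at the cost of queueing delay on the buffered packets, which matters when correlating timestamps from the monitor with other sources.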

Comments

Anonymous said…
I'd say that NC missed the point on more than just pricing:

"the unit is cost-effective only if you need to multiplex a full-duplex network onto a half-duplex connection"

It's not about half/full duplex. In fact, link duplex (which is what most readers will assume is at issue) is irrelevant for most sniffer/IDS products because they don't transmit.

The issue here is: can you use two NICs on your analysis box to multiplex the conversation together?

Richard, you said:

"the SPAN port doesn't show layer 2 traffic"

Care to elaborate?
