Budget network taps

NTap Network TapSometimes you fall over a product and it blows you away. Network taps have until now been exotic hardware affordable only by large IT departments with the budget to match.

Not any more! nmon have brought out a range of low cost network taps and network traffic analysers with NetFlow support. Looks like network taps just got affordable to the masses.

Why should you be interested? They’re just enterprise doodads aren’t they?

Traditionally they have been enterprise tools…but that’s mainly because of price, not because large enterprises are the only ones with a requirement for them.

Even small networks use switches. The only way you can gain visibility on a switch, without affecting the system as a whole, is via network taps. Network taps provide a great way to troubleshoot your network without affecting the network itself in any way.

But, the biggest use for network taps is for running intrusion detection systems. Network taps afford a way for the intrusion detection system itself to be completely invisible to anything running on the network.

Hopefully, enterprise grade security tools will start to trickle down to smaller and smaller networks. There are a number of open source tools eminently suited to the task.

Why do I need a network tap?

One of the big problems in a switched network is to access reliably network traffic for analysis or monitoring purposes. Many solutions require changes either to the hosts being monitored or require modifications to your network infrastructure.

Many managed switches have the ability to mirror the traffic on one or more ports. Mirroring simply involves the switch copying network traffic from one or more ports to another designated port. The switch still sends the network traffic to its original destination.

With a simple command you can start analysing the traffic on another switch port without having to touch any of the devices being analysed.

For instance, on a Cisco switch, the following command will mirror the source port to the destination port:

set span <source port> <destination port>

Port mirroring can be an ideal solution in some circumstances, it does have some problems though:

  • Port mirroring can indirectly affect the system being analysed. The switch, especially under high load, can cause the switch to drop packets and indeed to pause operation altogether;
  • Port mirroring can potentially pose a security risk. You can start mirroring a port via the switch’s command line interface, something or someone can stop mirroring it too;
  • Things become tricky on full duplex ports — in other words, where devices can send and receive at the same time, turning a 100 Mbp/s link into an effective 200 Mbp/s link — you may lose traffic if the port is running close to capacity.

The solution to the above problems comes in the shape of a network tap. Network taps remove the need to perform port mirroring on the switch so avoiding the chance that the switch’s performance will be affected.

Network taps are also completely out of band, nothing on the network can switch them off. If you wish to perform intrusion detection, you can be sure that your monitoring efforts are completely invisible to the potential intruders.

In the unlikely event of the network tap failing, the monitored system is completely unaffected.

Of course, the downside is that network taps cost money. 🙂