The Role Intelligent Hybrid TAPs Play in Connecting Security Solutions

Today’s massive, high-speed networks rely on advanced monitoring and security solutions to manage performance and keep users secure. But to ensure those platforms receive the right information, network engineers rely on TAPs, SPAN ports and Network Packet Brokers (NPBs) to capture the critical data they need. Without them, these systems have nothing to analyze and little intelligence to report on.

Traditionally, IT has deployed some combination of these access technologies to power their security/network monitoring tools, for example a TAP in conjunction with a Packet Broker. However, new hybrid TAP solutions have recently come to market that allow organizations to streamline this connection. As a result, organizations can reduce costs and simplify deployment. But, to understand how exactly hybrid TAPs accomplish this, let’s first quickly explain the traditional technology approaches.

The TAP – At a fundamental level, a TAP is a network device used to safely and reliably connect network monitoring, security and performance tools to network links. TAPs are used in data centers, enterprise networks, carrier networks and cloud networks to make a mirror copy of network traffic and send it to a monitoring tool while, at the same time, passing the live traffic through to the live network. Using a TAP for traffic visibility allows security tools to accurately analyze and protect networks without impacting live network performance. Fail-safe technology is also built in to maintain network integrity even in the event of a power failure to the TAP device.

The SPAN Port – Another option for connecting security (and networking) tools is a Switched Port Analyzer (SPAN) port, which is used in conjunction with a switch. This method can be expedient for a sporadic, temporary, non-critical monitoring connection. However, SPAN ports double the internal traffic in a switch, which can cause dropped packets during busy periods. SPAN ports also do not pass 100% of the traffic, so the accuracy of reporting and analysis can become an issue (and for this reason, they are becoming less and less commonly used). TAPs are the only way to ensure 100% traffic capture 100% of the time, and to protect live traffic while the mirror copy is being passed to tools.

The Packet Broker – Packet Brokers usually include all the functionality of a TAP, but with more ports and advanced features such as packet manipulation, filtering, load balancing and port mapping (which means the device is generally quite a bit larger as well). These intelligent features are used to increase the efficiency of connected monitoring tools and to simplify the deployment of traffic and tools in larger networks.

Both TAPs and Packet Brokers reliably take in network traffic and send a mirror copy of traffic to a connected monitoring or security solution. While the fail-safe feature, which keeps live network traffic flowing even if a TAP loses power, is a standard TAP feature, it’s not standard in Packet Brokers. The primary function of a Packet Broker is to connect multiple tools and to simplify the management of those tools.

In a proper high-availability visibility scenario, a TAP connects network links to a Packet Broker, and the tools are then connected to the Packet Broker for consolidation, manipulation, and management. This allows the TAP to provide fail-safe, high availability connections and the Packet Broker to efficiently manage the complexity of a multi-solution (or tool) deployment. Connecting live links directly to a Packet Broker risks link loss if the Packet Broker loses power.

Because of the number of ports and diversity of feature/module options, Packet Brokers are usually two to five rack units (RU) high, while TAPs are simpler and only one to two RU high. TAPs must be deployed with Packet Brokers in order to protect traffic on live links. When both are deployed together, it’s recommended that at least 1RU of space be placed between the TAP and Packet Broker for heat dissipation.

Therefore, a typical deployment in a large data center will require 7-8 RU of space plus power for the two units. When multiple units are deployed in larger networks, there can be rows of racks dedicated to monitoring and security tools connected with TAPs and Packet Brokers.

Adding it all up, network architects are required to dedicate a significant amount of rack space and expensive real estate to monitoring and security. This is particularly difficult in dense urban areas and cell sites where space is at a premium.

This all raises the question: Why aren’t we combining TAP and Packet Broker functionality? What if intelligent Packet Broker features could be tightly integrated into a smaller footprint like that of a TAP?

Actually, both are possible and available. New Intelligent Hybrid TAPs have hit the market that integrate the high port count and intelligent feature content of a Packet Broker with the fail-safe technology and network protection found in a TAP.

Organizations get features such as link aggregation, traffic filtering, port mapping and packet manipulation, all in a single 1RU chassis with up to 20 ports of flexible 1Gbps and 10Gbps options. As a result, live network links and monitoring/security solutions can be directly connected to a hybrid unit, providing both the network protection features of a TAP and the tool management features of a Packet Broker.

By packing all these features into a 1RU chassis, organizations can save up to 6RU of rack space per grouping without sacrificing network availability. Larger networks can also link hybrid chassis together for greater port availability. Some of these Intelligent Hybrid TAPs also have sophisticated Graphical User Interface (GUI) management systems integrated into the units that allow fast, simple and accurate deployment of security/monitoring solutions (for example, drag-and-click layouts for quick and easy changes when tools need to be moved, links added or other changes made to the network).

What do you need to know if you’re deploying an Intelligent Hybrid TAP and connecting to security platforms? Here are some tips to consider:

  • Use a bypass module to ensure failover. When connecting security tools to live links, it’s often required that live traffic flow through the tool and back into the network. With an in-line connection, the live network link will go down if the security tool fails or is taken off-line. Bypass modules are designed to automatically detect that the tool has gone down, bypass that tool, and keep live network traffic flowing. This allows greater network security without sacrificing network reliability and availability.
  • Consider the primary purpose of the attached tool and the type of traffic it’s designed to monitor. Then use the filtering feature on the TAP to eliminate traffic that the tool does not need to see. This helps the tool work more efficiently and helps eliminate port oversubscription without moving to higher-speed links.
  • Aggregation features allow users to combine the traffic from multiple links into a single stream and map the aggregated traffic to a single tool. This allows fewer tools to manage more links, saving CAPEX on tool costs.
  • For high-availability/high-security networks, redundant tools and bypass TAPs can be deployed. If one tool goes down and is bypassed, the other TAP and tool are automatically activated rather than simply bypassing the first tool and leaving the link unprotected. This provides maximum availability without sacrificing maximum security.
  • Look for simplicity of configuration, deployment and management. Some TAPs have sophisticated computational engines that do much of the hard planning math in the background and give configuration warnings if filter or mapping rules are being broken. These GUIs are also much faster and simpler to use than standard command-line interface (CLI) tools. The GUI cuts deployment time and increases accuracy, eliminating potentially network-affecting configuration errors.
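The tips above describe three things a hybrid unit has to get right: filtering, aggregation onto a tool port without oversubscribing it, and bypass behaviour with a redundant tool pair. The following Python model is an added example written for this article; it is not code from the article or from any TAP vendor's product. Every link name, tool name and traffic figure is constructed, and the "planning math" it performs (summing per-class load after the filter and warning when the mapped volume exceeds the tool port speed) is a simplified stand-in for the configuration checks the last tip refers to. The `InlineSegment` class also makes the security point of the fourth tip explicit: a bypass module only fails open, leaving traffic uninspected, after every tool in its preference list has stopped answering heartbeats.

```python
"""Constructed model of an intelligent hybrid TAP configuration (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    """A live network link tapped by the hybrid unit (names and figures constructed)."""
    name: str
    speed_gbps: float
    traffic_gbps: dict  # expected load per traffic class, e.g. {"tcp/443": 4.0}


@dataclass(frozen=True)
class ToolPort:
    """A monitoring/security tool attached to one tool port of the unit."""
    name: str
    speed_gbps: float
    wanted_classes: frozenset  # traffic classes the tool is built to inspect


def plan_mapping(tool: ToolPort, links: list) -> dict:
    """Aggregate several links onto one tool port, applying the tool's filter.

    Returns the forwarded and filtered-out volume plus the warnings a
    configuration engine would raise (the 'planning math' in the last tip).
    """
    forwarded = 0.0   # Gbps that pass the filter and reach the tool port
    filtered = 0.0    # Gbps dropped because the tool never needs them
    unfiltered = 0.0  # raw aggregated volume, as if no filter were applied
    for link in links:
        for cls, gbps in link.traffic_gbps.items():
            unfiltered += gbps
            if cls in tool.wanted_classes:
                forwarded += gbps
            else:
                filtered += gbps
    warnings = []
    if forwarded > tool.speed_gbps:
        warnings.append(
            f"{tool.name}: {forwarded:.1f} Gbps after filtering exceeds the "
            f"{tool.speed_gbps:.0f} Gbps port; narrow the filter or split the aggregate"
        )
    elif unfiltered > tool.speed_gbps:
        warnings.append(
            f"{tool.name}: the filter is load-bearing ({unfiltered:.1f} Gbps raw); "
            "removing it would oversubscribe the port"
        )
    return {
        "forwarded_gbps": round(forwarded, 3),
        "filtered_gbps": round(filtered, 3),
        "oversubscribed": forwarded > tool.speed_gbps,
        "warnings": warnings,
    }


class InlineSegment:
    """One inline link behind a bypass module with an ordered list of tools.

    Tools are tried in preference order; only when every tool is down does the
    module fail open, which keeps the link up but leaves traffic uninspected.
    """

    def __init__(self, tools):
        self.tools = list(tools)
        self.healthy = {t: True for t in self.tools}

    def heartbeat(self, tool: str, ok: bool) -> None:
        """Record the latest heartbeat result for a tool."""
        self.healthy[tool] = ok

    def path(self) -> tuple:
        """Return ('inspected', tool) or ('bypass', None) for the current state."""
        for tool in self.tools:
            if self.healthy[tool]:
                return ("inspected", tool)
        return ("bypass", None)  # fail open: link stays up, nothing is inspected


if __name__ == "__main__":
    # Constructed inputs: two 10G links aggregated onto one 10G IDS port.
    wan = Link("wan-1", 10, {"tcp/443": 4.0, "udp/53": 0.3, "other": 2.0})
    dmz = Link("dmz-1", 10, {"tcp/443": 3.5, "udp/53": 0.2, "other": 1.5})
    ids = ToolPort("ids-1", 10, frozenset({"tcp/443", "other"}))
    print(plan_mapping(ids, [wan, dmz]))   # oversubscribed: 11.0 Gbps onto a 10G port
    segment = InlineSegment(["ips-a", "ips-b"])
    segment.heartbeat("ips-a", False)
    print(segment.path())                   # ('inspected', 'ips-b'), not bypass
```

With the constructed figures, mapping both links to a tool that wants HTTPS plus "other" traffic forwards 11.0 Gbps onto a 10 Gbps port and raises the oversubscription warning; narrowing the filter to HTTPS alone brings that down to 7.5 Gbps, which is the "eliminate oversubscription without moving to higher-speed links" case from the second tip. In the inline model, a failed primary tool moves traffic to the standby rather than straight to bypass, and the `("bypass", None)` state is the one a defender should alarm on, because the link is up but uninspected.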
