WHAT DO I NEED NETWORK TAPS FOR?
What are Network TAPs and
what advantage do they have over SPAN ports?
The term TAP is an abbreviation and stands for Test Access Port. A Network TAP, also called an Ethernet TAP, creates a passive access point to a network connection through which the data signals transmitted via the cable can be read and evaluated for analysis purposes.
Once installed, a TAP makes all data traffic available to various monitoring applications transparently, quickly and easily, without impairing the active network line.
A Network TAP works on OSI Layer 1 and has no MAC address. It is therefore invisible in the network and cannot be detected by an attacker. This is indispensable in network forensics and security, as an attacker who could detect the TAP could otherwise adapt their behaviour to it.
The use of TAPs has another advantage: you decide where you want to access the data. This flexibility is of great benefit, as it lets you greatly influence and improve the quality of your measurement results. Network TAPs are passive components and do not affect the original data traffic in any way.
Thanks to the additional “fail-open” technology in the Ethernet copper TAPs, the data line is also switched through in the event of a power failure: the Network TAP then works like a cable bridge and protects your productive network from failure. This means that you receive accurate data for error-free analysis directly from the line.
With SPAN ports, by contrast, the result can be falsified, as this technology works in store-and-forward mode and discards frames with FCS/CRC errors at OSI Layer 2 instead of outputting them to the mirror port. Ethernet TAPs, in contrast, pass these critical CRC errors on to the monitoring port without affecting the original data.
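To see what this difference means for a capture, here is an added example in Go (not from the original page or from NEOX Networks) that recomputes the Ethernet FCS over constructed sample frames and counts the ones a store-and-forward switch would have discarded before they reached a mirror port. The addresses, payload and corrupted bytes are all constructed for the example; the CRC-32 used is the IEEE 802.3 polynomial that Go's hash/crc32 package implements.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"hash/crc32"
)

// minFrameLen is the minimum Ethernet frame length on the wire, FCS included.
const minFrameLen = 64

// buildFrame assembles a minimal Ethernet II frame from constructed sample
// fields (not captured traffic): header, payload padded to 60 bytes, then the
// FCS. The FCS is CRC-32 (IEEE 802.3) over everything before it, transmitted
// least-significant byte first, which is the byte order used here.
func buildFrame(dst, src [6]byte, etherType uint16, payload []byte) []byte {
	f := make([]byte, 0, minFrameLen)
	f = append(f, dst[:]...)
	f = append(f, src[:]...)
	var et [2]byte
	binary.BigEndian.PutUint16(et[:], etherType)
	f = append(f, et[:]...)
	f = append(f, payload...)
	for len(f) < minFrameLen-4 {
		f = append(f, 0) // pad so the frame reaches the 64-byte minimum with FCS
	}
	var fcs [4]byte
	binary.LittleEndian.PutUint32(fcs[:], crc32.ChecksumIEEE(f))
	return append(f, fcs[:]...)
}

// FCSValid recomputes the CRC-32 over the frame body and compares it with the
// trailing FCS. Frames shorter than the 64-byte minimum are reported invalid
// as well, since they cannot carry a complete header and FCS.
func FCSValid(frame []byte) bool {
	if len(frame) < minFrameLen {
		return false
	}
	body, trailer := frame[:len(frame)-4], frame[len(frame)-4:]
	return crc32.ChecksumIEEE(body) == binary.LittleEndian.Uint32(trailer)
}

// CountFCSErrors tallies valid and FCS-errored frames in a capture. A capture
// taken from a SPAN port would show zero errors, because the switch drops such
// frames; a TAP capture shows the real count.
func CountFCSErrors(frames [][]byte) (ok, bad int) {
	for _, f := range frames {
		if FCSValid(f) {
			ok++
		} else {
			bad++
		}
	}
	return ok, bad
}

// SampleFrames returns three constructed frames: one intact, one with a single
// flipped payload bit (as a damaged cable or failing PHY might produce), and
// one with a corrupted FCS byte.
func SampleFrames() [][]byte {
	dst := [6]byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55} // constructed addresses
	src := [6]byte{0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb}
	good := buildFrame(dst, src, 0x0800, []byte("constructed IPv4 payload"))

	bitFlip := append([]byte(nil), good...)
	bitFlip[20] ^= 0x01 // one bit inside the payload

	badFCS := append([]byte(nil), good...)
	badFCS[len(badFCS)-1] ^= 0xff // last FCS byte

	return [][]byte{good, bitFlip, badFCS}
}

func main() {
	frames := SampleFrames()
	for i, f := range frames {
		fmt.Printf("frame %d: %d bytes, FCS valid = %v\n", i, len(f), FCSValid(f))
	}
	ok, bad := CountFCSErrors(frames)
	fmt.Printf("%d valid, %d with FCS errors\n", ok, bad)
}
```

The same check, run over a real capture, tells you whether your capture path actually delivers errored frames: a SPAN capture shows no FCS errors even on a link that has them, while a TAP capture reports the real count, provided the capture NIC is configured to keep the FCS rather than strip it.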
Furthermore, a Network TAP with copper or SFP monitoring port works like a diode and does not allow access to the network via the monitoring ports for security reasons. Professional network analysis is therefore only guaranteed by using TAPs.
In addition, when using multiple TAPs, you get a much more accurate measurement result and can identify network and application errors even faster and more precisely. This saves you valuable time troubleshooting network errors.
Instead of the complex configuration of SPAN ports, Network TAPs can be installed plug-and-play and put into operation without any prior technical knowledge. Cisco, the world’s leading network equipment supplier, therefore advises against using SPAN ports for network analysis, with good reason.
Due to the way they work, Network TAPs have another decisive advantage: they pass on the bi-directional data traffic in full. This means that you receive the send and receive directions of a full-duplex line separately and can therefore, for example, analyze a 1G line loss-free even at a maximum load of 2 Gbps (1 Gbps in each direction).
As a result, you need two network interfaces on the analyzer to record the network data. Using this method, the sending and receiving directions can easily be told apart, which eliminates another source of error.
SPAN ports, on the other hand, require the switch to aggregate both directions in memory before passing the data on to the SPAN port. This is not one of a switch's primary tasks and thus has a significant negative impact on the quality of the analysis result. Furthermore, using mirror ports places a heavier load on the switch processor, which can result in data loss on the SPAN port.
Experts therefore only recommend the use of Network (Ethernet) TAPs for loss-free and reliable recording of network data!
You can find more detailed information on the topic of Network TAP vs SPAN/Mirror Port in our Whitepaper.
Aggregation TAPs
for fiber optics and copper network cables
Aggregation TAPs have the ability to bundle several data streams or, as the name suggests, to aggregate them. This results in a significant advantage: you can use this technology to evaluate the data from several lines simultaneously using a single network interface on your analyzer.
When a single network connection is aggregated, it is referred to as a Port Aggregation TAP.
If aggregation is exercised on multiple lines, this technique is called Link Aggregation.
The diagram below shows the schematic of a Port Aggregator. As the diagram shows, the TX and RX lines of a network connection are aggregated onto each of Monitoring ports A and B, so you are able to capture the data of a full-duplex link bundled on a single network port.
Thus, Monitoring port A and B each receive the entire traffic of a route and, using this Aggregation TAP, one could send the network data to an analyzer such as OmniPeek or Wireshark for analysis purposes and simultaneously have the network traffic monitored by a security device such as an IDS.
Furthermore, our Aggregation TAPs can also be operated in TAP mode, also called Break-out mode, and can be conveniently switched between these functions by means of a DIP switch. This is a significant advantage and allows you to use the Aggregation TAP like a conventional TAP for analysis purposes if needed.
In addition, a Port Aggregation TAP can also be used as a Regeneration TAP. In this case the signal applied to Network port A is copied to Network port B, Monitoring port A and Monitoring port B. This is a convenient way to replicate a single signal to up to 3 ports without complex configuration, which allows you to analyze the applied data with 3 different monitoring tools simultaneously.
Available Operation Modes:
Active TAPs with an RJ45/M12/SFP monitoring port support Breakout mode, Aggregation mode and Regeneration mode. Passive Fiber TAPs with an LC/MTP monitoring port support Breakout mode only, by design.
The Failsafe/Passive/Power-off mode only applies to active TAPs with RJ45/M12/SFP monitoring port and a possible power loss.
Breakout
Each Ethernet packet transmitted via the network line is mirrored separately in this mode while maintaining the data integrity in the TAP.
The send and receive directions are output separately on the two monitoring ports so that the network traffic can be analysed per data direction in this case.
Another great advantage of the Breakout mode is the visibility of the network traffic even with a fully loaded network connection.
In this mode, the configured network speed is also applied to the monitoring ports.
Aggregation
In this mode, the data streams are bundled and output aggregated on both of the monitoring ports.
This allows you to evaluate the network data of a full duplex line simultaneously with a single network interface on your analysis device.
Because the aggregation is done in hardware (FPGA), incorrectly ordered packet sequences during recording are a thing of the past in this mode.
For example, you can analyse the entire data traffic aggregated in 100Base-Tx lines without loss.
Regeneration
Regeneration is used to capture 100% full duplex traffic that can be sent to multiple monitoring devices (up to 3 in this case) for analysis of your network.
In this mode, the network speed settings are synchronised as in Breakout mode and the setting on the DIP switch is applied to all ports.
Fail-Safe Mode
Since Network TAPs are usually installed in critical network lines, it must be ensured that TAPs do not affect the line in any way.
With fail-safe, the TAP behaves like a cable bridge in the event of a failure or deliberate deactivation. This ensures that the active network connection is not interrupted, or at least continues to function without the TAP function, so the active line is not negatively affected.
Passive/Power-Off Mode
In the event of a power failure, the active network connection is not interrupted! Only the devices connected to the monitoring port are no longer supplied with data.
Split Ratios / Light Splitting for Fiber TAPs:
In order to tap data from an optical network connection, it is necessary to decouple or split a part of the available light signal.
The split ratio is the ratio between the amount of light that remains available for the fibre-optic network connection and the amount of light that is diverted, or split off, to the monitoring ports of the (passive) fibre-optic Network TAPs.
A split ratio of e.g. 70/30 means that 70% of the light is still available for the network connection and 30% is split off for the monitoring ports.
Active fibre TAPs, which have a copper or SFP-based monitoring output, on the other hand provide 100% signal strength at the monitoring port by means of OEO conversion, i.e. conversion of the optical signal into an electrical signal, in contrast to fibre-based monitoring ports.
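As an added example (not part of the page and not a NEOX Networks tool), the following Go program turns a split ratio in the page's NN/MM notation into the insertion loss of each splitter leg and checks whether both legs still close against a receiver's sensitivity. The transmit power, path loss and sensitivity figures are assumed sample values for the example, not specifications of any product; real values come from the optics' data sheets and a power-meter reading of the installed fibre.

```go
package main

import (
	"fmt"
	"math"
	"strconv"
	"strings"
)

// SplitRatio is a passive optical splitter setting as written on the page,
// e.g. "70/30": the first figure is the share of light kept on the network
// leg, the second the share diverted to the monitoring port.
type SplitRatio struct {
	Network, Monitor float64 // fractions, summing to 1
}

// ParseRatio reads the "70/30" notation and checks that both legs add up to 100%.
func ParseRatio(s string) (SplitRatio, error) {
	parts := strings.Split(strings.TrimSpace(s), "/")
	if len(parts) != 2 {
		return SplitRatio{}, fmt.Errorf("split ratio %q: want form NN/MM", s)
	}
	net, err1 := strconv.ParseFloat(parts[0], 64)
	mon, err2 := strconv.ParseFloat(parts[1], 64)
	if err1 != nil || err2 != nil || net <= 0 || mon <= 0 || math.Abs(net+mon-100) > 1e-9 {
		return SplitRatio{}, fmt.Errorf("split ratio %q: legs must be positive and sum to 100", s)
	}
	return SplitRatio{Network: net / 100, Monitor: mon / 100}, nil
}

// SplitLossDB is the theoretical insertion loss of a splitter leg that keeps
// the given fraction of the light: 0.7 gives about 1.55 dB, 0.3 about 5.23 dB.
// Real splitters add a small excess loss on top, which is ignored here.
func SplitLossDB(fraction float64) float64 {
	return -10 * math.Log10(fraction)
}

// ReceivedPowerDBm is the optical power arriving at a receiver after the
// splitter leg loss and the remaining path loss (fibre, connectors) are
// subtracted from the transmit power.
func ReceivedPowerDBm(txDBm, legLossDB, pathLossDB float64) float64 {
	return txDBm - legLossDB - pathLossDB
}

// LinkCloses reports whether the received power meets the receiver's
// sensitivity, i.e. whether that leg of the link will still work.
func LinkCloses(rxDBm, sensitivityDBm float64) bool {
	return rxDBm >= sensitivityDBm
}

func main() {
	// Assumed, constructed link parameters (not from any data sheet).
	const txDBm, pathLossDB, sensitivityDBm = -3.0, 1.0, -12.0
	for _, s := range []string{"50/50", "70/30", "90/10"} {
		r, err := ParseRatio(s)
		if err != nil {
			fmt.Println(err)
			continue
		}
		netRx := ReceivedPowerDBm(txDBm, SplitLossDB(r.Network), pathLossDB)
		monRx := ReceivedPowerDBm(txDBm, SplitLossDB(r.Monitor), pathLossDB)
		fmt.Printf("%s: network leg %.2f dB -> %.2f dBm (ok=%v); monitor leg %.2f dB -> %.2f dBm (ok=%v)\n",
			s, SplitLossDB(r.Network), netRx, LinkCloses(netRx, sensitivityDBm),
			SplitLossDB(r.Monitor), monRx, LinkCloses(monRx, sensitivityDBm))
	}
}
```

With the assumed figures, the 90/10 monitor leg arrives at -14 dBm and does not close against a -12 dBm receiver, which is the situation the OEO-based monitoring output described above avoids: the monitoring tool behind an active TAP sees a regenerated electrical signal rather than the split-off fraction of the light.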
Data Diode Function:
Data diodes guarantee unidirectional communication and ensure that data traffic can only flow in one direction.
Unidirectional network devices are typically used to provide information security or protection of critical digital systems, such as industrial control systems or production networks from cyber-attacks.
Our TAPs work like a diode and, for security reasons, do not allow access to the network via the monitoring ports.
By adding this further security layer, it is thus not possible to compromise the network connection and the productive network.
Hardened TAPs
Specially hardened Network TAPs
Even in the standard version, PacketRaven Network TAPs are among the network components that rule out an attack vector.
For high-security areas according to IEC 62443 and critical infrastructures (CRITIS), however, even this is sometimes not sufficient, which is why NEOX Networks now also offers a specially hardened version of its TAPs.
If desired, these TAPs can be delivered pre-configured and then do not allow any subsequent configuration changes. In addition, they are secured against unwanted or unnoticed opening by special screws and security seals.
To round it all off, these TAPs also have particularly secure, encrypted firmware. Secure Boot checks each time the TAP starts whether the firmware to be executed carries a valid signature that verifies against an authorised public key.
If this is not the case, the TAP cannot be put into operation.
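The following Go program is an added illustration of the check described above, not NEOX Networks' firmware or its image format: it keeps an allow-list of authorised public keys as the device's root of trust, verifies the image's Ed25519 signature with the stored copy of the key rather than the key carried in the image, and refuses to boot a tampered image or an image signed by a key that was never provisioned. The image layout, the sentinel errors and the firmware bytes are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FirmwareImage is a constructed image layout, not the vendor's real format:
// the code, a signature over it, and the public key the signer claims to have used.
type FirmwareImage struct {
	Payload   []byte
	Signature []byte
	SignerKey ed25519.PublicKey
}

var (
	ErrMalformed    = errors.New("secure boot: malformed image")
	ErrUntrustedKey = errors.New("secure boot: signer key is not authorised")
	ErrBadSignature = errors.New("secure boot: signature does not verify")
)

// BootPolicy is the device's root of trust: the authorised vendor public keys,
// indexed by SHA-256 fingerprint, as they would be provisioned into the TAP.
type BootPolicy struct {
	authorised map[[sha256.Size]byte]ed25519.PublicKey
}

func NewBootPolicy(keys ...ed25519.PublicKey) BootPolicy {
	p := BootPolicy{authorised: make(map[[sha256.Size]byte]ed25519.PublicKey)}
	for _, k := range keys {
		p.authorised[sha256.Sum256(k)] = append(ed25519.PublicKey(nil), k...)
	}
	return p
}

// Verify is the check performed before the firmware is allowed to run. The
// signature is verified with the copy of the key held by the policy, never
// with the key carried inside the image, so an image cannot vouch for itself.
func (p BootPolicy) Verify(img FirmwareImage) error {
	if len(img.SignerKey) != ed25519.PublicKeySize || len(img.Signature) != ed25519.SignatureSize {
		return ErrMalformed
	}
	trusted, ok := p.authorised[sha256.Sum256(img.SignerKey)]
	if !ok || !bytes.Equal(trusted, img.SignerKey) {
		return ErrUntrustedKey
	}
	if !ed25519.Verify(trusted, img.Payload, img.Signature) {
		return ErrBadSignature
	}
	return nil
}

// SignFirmware is the build-side step: sign the payload and embed the matching
// public key so the device can look it up in its allow-list.
func SignFirmware(priv ed25519.PrivateKey, payload []byte) FirmwareImage {
	return FirmwareImage{
		Payload:   payload,
		Signature: ed25519.Sign(priv, payload),
		SignerKey: priv.Public().(ed25519.PublicKey),
	}
}

// ScenarioResult holds the Verify outcome for three images: a genuine one, the
// same image with one payload bit altered, and one signed by a key the device
// was never provisioned with.
type ScenarioResult struct {
	Genuine, Tampered, UnprovisionedKey error
}

// RunScenario generates fresh keys and exercises the policy on all three images.
func RunScenario() (ScenarioResult, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ScenarioResult{}, err
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ScenarioResult{}, err
	}
	policy := NewBootPolicy(vendorPub)
	firmware := []byte("constructed firmware image v1.0")

	genuine := SignFirmware(vendorPriv, firmware)

	tampered := SignFirmware(vendorPriv, firmware)
	tampered.Payload = append([]byte(nil), firmware...)
	tampered.Payload[0] ^= 0x01 // one flipped bit in the code

	unprovisioned := SignFirmware(otherPriv, firmware)

	return ScenarioResult{
		Genuine:          policy.Verify(genuine),
		Tampered:         policy.Verify(tampered),
		UnprovisionedKey: policy.Verify(unprovisioned),
	}, nil
}

func main() {
	res, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine image:       ", res.Genuine)
	fmt.Println("tampered image:      ", res.Tampered)
	fmt.Println("unprovisioned signer:", res.UnprovisionedKey)
}
```

The point of keying the allow-list by fingerprint and still comparing the full key bytes is that the image's embedded key only serves as a lookup hint; whatever it says, the signature is checked against the key the device was provisioned with, which is what the page's "authorised public key" requirement amounts to in practice.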
ADDITIONAL SECURITY FEATURES
Secure TAPs
Extra Secure Fiber TAPs
Secure Fiber TAPs have both an additional optical isolator (Data Diode functionality) and an optical filter to ensure that unwanted incoming light signals are blocked at the monitoring port to protect the network from compromise.
A very high insertion loss of up to 35dB on the return channel of the monitoring port into the productive network to be protected prevents accidental or deliberate injections of unwanted data or light signals into the active network.
They thus provide another security layer that offers increased protection against attackers and faulty configurations.
This makes our Secure TAPs especially suitable for business-critical applications and high-security areas and CRITIS infrastructures with high requirements for securing sensitive data.
Our Secure TAPs are 100% compatible with our standard portable TAPs without Data Diode functionality.
Up to 400 Gbps
Full Network Transparency
No impairment of Data Traffic
100% Network Data
Invisible for Attackers
No Network Access via Monitoring Port
Flexible to Use
Plug-n-Play
Failure Protection on Power Loss
PoE+ Power over Ethernet
Redundant Power Supply
Various Split Ratios
Fast and Precise
Support Jumbo Frames
Various Mounting Options
Hardened & Secure models available
Made in Germany