
  • SPAN Port or TAP? CSO Beware

    Thursday 23 August 2007

    By Tim O'Neill

    Network engineers and managers need to think about today’s compliance requirements and the limitations of conventional data access methods. This article focuses on TAPs versus port mirroring / SPAN technology.

    SPAN is not all bad, but one must be aware of its limitations, and since managed switches are an integral part of the infrastructure, one must be careful not to establish a failure point. Understanding what can be monitored is important for success: SPAN ports are often overused, leading to dropped frames, because LAN switches are designed to groom data (change timing, add delay), extract bad frames, and ignore all layer 1 & 2 information. Furthermore, typical implementations of SPAN ports cannot handle full-duplex (FDX) monitoring, and analysis of VLANs is also problematic.

    Moreover, when dealing with Data Security Compliance, the combination of the facts that SPAN ports limit views, are not secure, and transport monitored traffic through the production network could prove unacceptable in a court of law.

    When used within its limits and properly focused, SPAN is a valuable resource to managers and monitoring systems. However, for a 100% guaranteed view of network traffic, the passive network TAP is back as a necessity for meeting many of today’s access requirements, and as we approach larger deployments of 10 Gigabit and up, SPAN access limitations will become more of an issue.

    To read the full article, go to http://www.lovemytool.com/blog/2007/08/span-ports-or-t.html