Introducing Hybrid TAPs and Packet Brokers
Many network managers responsible for monitoring and security visibility are welcoming the introduction of the Hybrid TAP/Packet Broker. While this relatively new entry into the visibility market is being hailed as a productive and budget-friendly tool, it has also caused some confusion in the market. Where are the lines drawn between TAPs and Packet Brokers? How do SPAN ports fit into the mix? When and how should each be deployed?
Before we talk about Hybrid TAP/Packet Brokers, we need to discuss the form and function of both TAPs and Packet Brokers individually. We will look at what differentiates TAPs from Packet Brokers and discuss the shrinking role of SPAN ports. Once clear on these visibility building blocks we can then discuss the advantages of Hybrids and best practices for deployment.
History
TAPs were originally designed as a tool to connect diagnostic equipment such as a sniffer when a problem was reported on a link, hence the acronym: Test Access Point. A TAP was connected to the link between a switch and a router and made a mirror copy of all the traffic that flowed between the two end points, while the actual live traffic continued to pass through the network. When the problem was resolved, the TAP went back in the closet until the next one.
As digital networks expanded in size and became more complex, there was a need for TAPs to be permanently connected to links providing constant visibility to traffic on all links. The permanency of these new TAPs required fail-safe technology to keep the network traffic flowing if power was lost, and a design to provide visibility to all link connections.
Many network managers were simply connecting multiple single-link TAPs to meet expanded TAP requirements. Network Critical, a global innovator in network access and visibility, came up with a unique 1U design that provided fail-safe protection, modular flexibility to connect copper or optical links, centralized AC or DC power, and a Graphical User Interface (GUI) for easy deployment and management. That was about a decade ago.
TAPs
The primary function of a TAP is to connect tools to network links without sacrificing the availability or reliability of the network. This is accomplished with fail-safe technology. As the live network traffic passes through the TAP, a mirror copy of the traffic is created and sent to the connected tool. The tool processes the copy out of the live path, so it adds no delay to the network.
If the TAP loses power, relays close to create a hard-wired connection (in copper networks) so that traffic continues to pass. In optical fiber networks, the TAP is a passive splitter: a predetermined percentage of the light continues into the live network and the balance is sent down a secondary physical path to the tool. No power is required for a passive optical TAP, so there is no risk of downtime due to power issues. The price is that the split comes out of the link's optical power budget, so the ratio has to be chosen so that both the far-end receiver and the tool still receive enough light. These methods create a fail-safe connection for tools on live links without jeopardizing the network.
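The light-budget check for a passive optical TAP, as an added example (not code from the page or from Network Critical). Transmit power, receiver sensitivity, fiber and connector losses and the 3 dB minimum margin are constructed figures for the example; substitute the datasheet values of the actual transceivers and the splitter's measured insertion loss before choosing a split ratio:

```python
import math

# Constructed optic figures for this example (not from the page). They are in the
# range of common 10G single-mode optics; check the real transceiver datasheet.
TX_POWER_DBM = -5.0
RX_SENSITIVITY_DBM = -14.4


def split_loss_db(fraction: float) -> float:
    """Insertion loss of a passive splitter leg that carries `fraction` of the light.

    A 50/50 split costs about 3.01 dB on each leg; a 70/30 split costs 1.55 dB on
    the 70% (network) leg and 5.23 dB on the 30% (monitor) leg.
    """
    if not 0.0 < fraction <= 1.0:
        raise ValueError("fraction must be in (0, 1]")
    return -10.0 * math.log10(fraction)


def leg_margin_db(fraction: float, fiber_km: float, connectors: int,
                  tx_dbm: float = TX_POWER_DBM, rx_sens_dbm: float = RX_SENSITIVITY_DBM,
                  fiber_db_per_km: float = 0.35, connector_db: float = 0.5,
                  splitter_excess_db: float = 0.5) -> float:
    """Power margin (dB) left at the receiver on one leg after all assumed losses.

    Negative margin means the receiver will not lock; a small positive margin
    leaves nothing for aging and dirty connectors.
    """
    loss = (split_loss_db(fraction) + splitter_excess_db
            + fiber_km * fiber_db_per_km + connectors * connector_db)
    return tx_dbm - loss - rx_sens_dbm


def tap_budget(network_fraction: float, link_km: float, tap_at_km: float,
               min_margin_db: float = 3.0) -> dict:
    """Check both legs of a passive optical TAP inserted `tap_at_km` into a `link_km` link.

    The network leg still has to reach the far-end receiver; the monitor leg only
    has to reach the tool over a short patch lead, but it gets the smaller share
    of the light. Both legs must clear `min_margin_db` or the design is rejected.
    """
    if not 0.0 <= tap_at_km <= link_km:
        raise ValueError("tap must sit somewhere on the link")
    # Network leg: the full fibre run, patch-panel connectors plus the TAP's own.
    net = leg_margin_db(network_fraction, link_km, connectors=4)
    # Monitor leg: fibre up to the TAP, then a short patch lead to the tool.
    mon = leg_margin_db(1.0 - network_fraction, tap_at_km, connectors=3)
    return {
        "network_margin_db": round(net, 2),
        "monitor_margin_db": round(mon, 2),
        "ok": net >= min_margin_db and mon >= min_margin_db,
    }


if __name__ == "__main__":
    # 300 m data-centre link with the TAP 100 m from the transmitter (assumed).
    for split in (0.5, 0.6, 0.7, 0.8):
        label = f"{int(split * 100)}/{int(round((1 - split) * 100))}"
        print(label, tap_budget(split, link_km=0.3, tap_at_km=0.1))
```

With these figures a 70/30 or 80/20 split leaves the network leg comfortable but starves the monitor leg, while 50/50 and 60/40 clear the margin on both; the common mistake is to size the split for the live link only and discover the tool's optic cannot lock.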
Connecting tools to network links with TAPs is generally preferred over other methods such as SPAN or mirror ports. A SPAN port duplicates live traffic inside the switch and sends it to the connected tool. However, under load the switch may drop lower priority packets, and the SPAN copy is exactly that kind of low priority traffic, so the tool silently receives an incomplete picture during the busiest hours. Certain packets are also never passed by a SPAN port at all (frames with errors that the switch discards before mirroring, for example), which can throw off certain types of traffic analysis. Network Critical has published a white paper on TAP vs SPAN that can be reviewed for more detail on this subject. Go to www.networkcritical.com to access that paper.
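One way to tell whether a capture is missing packets because the SPAN port dropped them rather than because the network lost them, as an added example that is not code from the page or from Network Critical. The idea: a hole in a TCP stream that the peer nevertheless acknowledges, with no retransmission ever seen, was delivered on the wire and lost only on the way to the tool. The packets are a constructed, simplified capture (dicts instead of a pcap); SACK, sequence wraparound and reordering are ignored:

```python
from collections import defaultdict

# Constructed monitor-port capture (not from the page): one TCP connection,
# client 10.0.0.5:40000 -> server 10.0.0.9:80, reduced to the fields that matter.
# Two 500-byte segments are absent from the capture; only one of them was lost
# on the wire, the other was lost only on the way to the tool.
PACKETS = [
    dict(src="10.0.0.5", sport=40000, dst="10.0.0.9", dport=80, seq=1000, ack=5000, len=500),
    dict(src="10.0.0.5", sport=40000, dst="10.0.0.9", dport=80, seq=1500, ack=5000, len=500),
    # seq 2000-2499 never appears on the monitor port ...
    dict(src="10.0.0.5", sport=40000, dst="10.0.0.9", dport=80, seq=2500, ack=5000, len=500),
    # ... yet the server ACKs straight past it: it arrived on the wire.
    dict(src="10.0.0.9", sport=80, dst="10.0.0.5", dport=40000, seq=5000, ack=3000, len=0),
    dict(src="10.0.0.5", sport=40000, dst="10.0.0.9", dport=80, seq=3000, ack=5000, len=500),
    # seq 3500-3999 is also absent ...
    dict(src="10.0.0.5", sport=40000, dst="10.0.0.9", dport=80, seq=4000, ack=5000, len=500),
    # ... but this time the server only ACKs up to the hole and the client retransmits.
    dict(src="10.0.0.9", sport=80, dst="10.0.0.5", dport=40000, seq=5000, ack=3500, len=0),
    dict(src="10.0.0.5", sport=40000, dst="10.0.0.9", dport=80, seq=3500, ack=5000, len=500),
]


def classify_gaps(packets):
    """Find holes in each direction's TCP byte stream and decide where they were lost.

    A hole the peer ACKs without any retransmission appearing was delivered on the
    wire, so the copy was dropped between the switch and the tool (SPAN
    oversubscription, a full buffer, an undersized tool NIC). A hole that is later
    retransmitted was a genuine wire loss. Anything else is left inconclusive.
    """
    expected = {}   # direction -> next sequence number we expect to see
    gaps = []       # one record per hole, in the order they were noticed
    for p in packets:
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        # This packet's ACK field vouches for bytes in the *reverse* direction.
        for g in gaps:
            if g["dir"] == rev and g["status"] == "open" and p["ack"] >= g["end"]:
                g["status"] = "acked"
        if p["len"] == 0:
            continue
        start, end = p["seq"], p["seq"] + p["len"]
        nxt = expected.get(fwd)
        if nxt is None or start == nxt:
            expected[fwd] = end
        elif start > nxt:
            gaps.append(dict(dir=fwd, start=nxt, end=start, status="open"))
            expected[fwd] = end
        else:
            # Sequence went backwards: a retransmission. Any hole it overlaps was lost on the wire.
            for g in gaps:
                if g["dir"] == fwd and start < g["end"] and end > g["start"]:
                    g["status"] = "retransmitted"
            expected[fwd] = max(nxt, end)
    verdicts = {"acked": "monitor_drop", "retransmitted": "wire_loss", "open": "inconclusive"}
    return [dict(g, verdict=verdicts[g["status"]]) for g in gaps]


def monitor_drop_summary(packets):
    """Bytes missing from the capture that the network itself delivered, per direction."""
    missing = defaultdict(int)
    for g in classify_gaps(packets):
        if g["verdict"] == "monitor_drop":
            missing[g["dir"]] += g["end"] - g["start"]
    return dict(missing)


if __name__ == "__main__":
    for g in classify_gaps(PACKETS):
        print(f"{g['dir'][0]}:{g['dir'][1]} -> {g['dir'][2]}:{g['dir'][3]} "
              f"bytes {g['start']}-{g['end'] - 1}: {g['verdict']}")
    print(monitor_drop_summary(PACKETS))
```

A non-zero monitor-drop count from a SPAN-fed sensor is the practical symptom the paragraph above describes; it is also the evidence to bring to the argument for moving that sensor onto a TAP.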
Fast forward to 2020. TAPs have continued to add features for convenience, security and efficiency. These newer TAPs are being called intelligent TAPs as a result of their ever expanding functionality. Following are some of the features provided by intelligent TAPs:
• Aggregation - Multiple network data streams (input ports) are combined into a single data stream (output port) connected to the diagnostic tool. This saves cost by letting a single tool provide information about many links.
• Regeneration - The reverse of aggregation. The input from a single network connection is regenerated multiple times and sent to multiple diagnostic tools, so many specialized tools can have visibility into the same data stream.
• Filtering - The network manager delivers only relevant data to the diagnostic tool. If the tool is working on an HTTP traffic problem, filtering removes everything else from the stream and provides only HTTP traffic to the tool.
• By-pass - Initially, TAPs sent a mirror copy of the data stream to a tool for analysis and reporting. With the increased use of TAPs with security appliances, it is necessary to connect TAPs in-line so the security appliance sits in the traffic path and can drop packets to block attacks or isolate malicious traffic in real time. When connected in-line, the TAP must be able to bypass the appliance if it goes off line for any reason, so that network data keeps flowing during maintenance or a failure. To do this the TAP injects an out-of-band “heartbeat” packet through the appliance; a healthy appliance passes it back, and the TAP removes it before it can reach the network. If the heartbeat stops coming back, the TAP bypasses the appliance and passes the data directly through. This increases reliability and availability while providing security, visibility and control of information flow. Note that bypass is a fail-open behaviour: while the appliance is bypassed, traffic crosses the link uninspected, so the bypass event should be alarmed and investigated, not just logged.
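A model of the heartbeat logic behind by-pass, as an added example (not vendor code; the thresholds, the frame representation and the appliance behaviour are assumptions for the example). It shows the three things a practitioner cares about: the detection window during which traffic is black-holed before bypass engages, the heartbeat being stripped before it can reach the network, and the fail-open consequence that inspection stops while the appliance is bypassed:

```python
# Constructed model of a bypass TAP's heartbeat logic (not vendor code; thresholds,
# frame representation and appliance behaviour are assumptions for this example).
# Frames are tuples: ("data", <label>) for network traffic, ("hb", <seq>) for the
# TAP's own heartbeat, which must never be forwarded onto the live link.

GOOD = ("data", "good")
BAD = ("data", "malicious")


class BypassTap:
    def __init__(self, miss_threshold=3, recover_threshold=5):
        self.miss_threshold = miss_threshold        # lost heartbeats before going to bypass
        self.recover_threshold = recover_threshold  # returned heartbeats before going back in-line
        self.mode = "inline"
        self.seq = 0
        self.missed = 0
        self.returned = 0
        self.events = []                            # (heartbeat seq, new mode)

    def interval(self, ingress, appliance):
        """Run one heartbeat interval.

        `ingress` is the list of frames arriving on network port A; `appliance` is a
        callable modelling the in-line device (frames in -> frames out). Returns the
        frames the TAP puts onto network port B.
        """
        mode = self.mode                 # forwarding uses the mode decided last interval
        self.seq += 1
        hb = ("hb", self.seq)
        # In-line: traffic and heartbeat both traverse the appliance.
        # Bypass: only the heartbeat does, so the TAP can notice the appliance recovering.
        to_appliance = (list(ingress) + [hb]) if mode == "inline" else [hb]
        from_appliance = appliance(to_appliance)
        self._update_health(hb in from_appliance)
        if mode == "inline":
            # Strip the heartbeat so it never reaches the network.
            return [f for f in from_appliance if f[0] != "hb"]
        return list(ingress)             # bypass: straight through, uninspected

    def _update_health(self, heartbeat_returned):
        if heartbeat_returned:
            self.missed, self.returned = 0, self.returned + 1
            if self.mode == "bypass" and self.returned >= self.recover_threshold:
                self.mode = "inline"
                self.events.append((self.seq, "inline"))
        else:
            self.returned, self.missed = 0, self.missed + 1
            if self.mode == "inline" and self.missed >= self.miss_threshold:
                self.mode = "bypass"
                self.events.append((self.seq, "bypass"))


def ips_up(frames):
    """Healthy IPS: drops the frame it classifies as malicious, passes everything else."""
    return [f for f in frames if f != BAD]


def ips_down(frames):
    """Crashed or rebooting IPS: nothing comes out, not even the heartbeat."""
    return []


def simulate(schedule=None):
    """Drive the TAP through an outage and recovery; returns what reached the network."""
    # Intervals 1-3 healthy, 4-7 appliance dead, 8-13 healthy again (assumed schedule).
    schedule = schedule or [ips_up] * 3 + [ips_down] * 4 + [ips_up] * 6
    tap = BypassTap()
    good = bad = blackholed = 0
    for appliance in schedule:
        out = tap.interval([GOOD, BAD], appliance)
        good += out.count(GOOD)
        bad += out.count(BAD)
        if not out:
            blackholed += 1
    return {"events": tap.events, "good": good, "malicious": bad,
            "blackholed_intervals": blackholed}


if __name__ == "__main__":
    print(simulate())
```

With the assumed thresholds the appliance is declared dead at heartbeat 6 and restored at heartbeat 12; three intervals of traffic are lost before bypass engages, and six intervals of "malicious" frames reach the network while the appliance is bypassed. Shorter miss thresholds shrink the outage but make a momentarily busy appliance flap into fail-open; that trade-off is why the bypass event itself must be monitored.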
Even with all the new features and technology, the primary function of TAPs remains the same…to safely provide traffic visibility connecting tools and appliances to network links. Network Critical, a global leader in TAPs and Packet Brokers, offers a full range of TAPs ranging from passive optical fiber break out TAPs to full featured, scalable chassis with modules to fit every media and speed from 1Gbps to 100Gbps.
Types of Network Tools That Connect Via TAPs
There are a wide variety of network tools that help diagnose problems, monitor networks, enhance network efficiency, speed up application response time and protect against malware. There are many locations within a network where a TAP can be connected. One example is on the link between a router or firewall and a switch: all the traffic from the router to the switch and from the switch to the router passes through the TAP, which makes a mirror copy of the traffic and passes it to the connected tool.
Probes and sniffers provide visibility into the packets that are traversing network links. Once a copy of the network traffic is passed to the probe, processing and analysis of packets can occur. Because the probe works on a copy of the actual network traffic, no delay is introduced into the network while the probe does its work.
WAN acceleration tools reduce duplication of packets traveling across the network and help prioritize application traffic. Other helpful
features of these devices include protocol optimization that reduces “chattiness” and web caching to improve browser response times.
These tools can help remote offices receive LAN like performance over the WAN.
IT monitoring devices can improve performance for the end user in cloud environments. These devices monitor the user experience of
enterprise applications on a variety of devices in the network helping resolve issues and increase productivity.
There are many specialized security appliances that connect to networks via TAPs. Some of them analyze data copied by the TAP and report on unusual network activity. Many security appliances, however, require real-time access to network traffic and the ability to block or isolate malware when it is detected. TAPs provide this in-line access to network traffic while isolating the security device from the network in the event the appliance goes off line for any reason. These security appliances come in many specialties. Some focus on intrusion prevention; some prevent unauthorized information from being copied to portable devices.
Still other tools provide specialized protection from specific threats and predictive analysis to stop attacks before they happen. Rapid growth in the number and variety of network security appliances is one of the critical drivers behind the need for Packet Brokers, which expand port access and provide traffic management features beyond basic TAP functionality.
Packet Brokers
As networks become increasingly complex, the visibility requirements grow with them. New network architectures such as cloud, private cloud and hybrid cloud require the connection of more specialized diagnostic and management tools. Malicious attacks and persistent cyber threats are causing rapid growth in specialized network protection appliances. Thus, the market for diagnostic tools and security appliances has expanded dramatically over the last few years and continues to expand.
The problem is how to efficiently and economically connect and provide relevant visibility to all of these appliances at ever increasing speeds and varying physical media without compromising network availability and reliability. The relatively new Network Packet Broker (NPB) is the proper tool to solve this problem.
Note that a Network Packet Broker is not just a big TAP. While some NPBs include some ports with TAP protections at lower speeds of 1G or below, Network Packet Brokers generally should not be thought of as TAPs. Following are some of the primary functions of NPBs that differentiate them from TAPs:
• NPBs are designed for more complex deployments usually combining copper and optical media, 1Gbps/ 10Gbps/ 25Gbps/ 40Gbps/ and 100Gbps speeds and a variety of diagnostic, performance and security appliance connections.
• Load Balancing - This feature allows the input of a high speed connection to be distributed among multiple lower speed appliances. This allows legacy appliances to be used with newer high speed links.
• Packet Slicing and Masking - Slicing truncates each packet so that only the relevant portion (typically the headers and the first few bytes of payload) is sent to the appliance, allowing faster, more efficient processing. Masking overwrites confidential payload content so that it is excluded from analysis and archiving. These features are critical for meeting government and industry privacy compliance requirements, since a monitoring archive that contains full payloads is itself a store of sensitive data.
• Traffic Processing from Multiple Sources - NPBs can take input traffic from SPAN ports, TAPs, by-pass TAP pass-through ports and other NPBs. The “Broker” in Network Packet Broker refers to its ability to combine, integrate, separate, manipulate and process inputs from many sources and deliver the data to a wide variety of appliance and tool destinations.
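The three packet-broker functions listed above (load balancing across tools, slicing, masking) plus the TAP-style filtering described earlier, as an added example in working code; it is not code from the page or from Network Critical, and the frames, the hashing scheme and the header parser are constructed for the example. The detail worth seeing is the symmetric flow hash: both directions of a connection must land on the same appliance, or a tool that reassembles sessions sees only half of each conversation:

```python
import hashlib
import ipaddress
import struct

# Constructed frames for this example (not from the page). Checksums are left zero;
# the assumption is that the broker classifies on headers and never validates them.


def build_tcp_frame(src, dst, sport, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame with a 20-byte IP header and 20-byte TCP header."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_headers(frame):
    """Return ((src, sport, dst, dport, proto), header_length) for IPv4 TCP/UDP, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = str(ipaddress.ip_address(frame[26:30]))
    dst = str(ipaddress.ip_address(frame[30:34]))
    l4 = 14 + ihl
    if proto == 6:                       # TCP: data offset is the high nibble of byte 12
        if len(frame) < l4 + 13:
            return None
        l4_len = (frame[l4 + 12] >> 4) * 4
    elif proto == 17:                    # UDP header is fixed at 8 bytes
        l4_len = 8
    else:
        return None
    if len(frame) < l4 + l4_len:
        return None
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return (src, sport, dst, dport, proto), l4 + l4_len


def pick_tool(five_tuple, n_tools):
    """Symmetric flow hash: both directions of a connection land on the same tool.

    Ordering the two endpoints before hashing is what makes it symmetric; hashing
    src then dst as-is would split request and reply across two appliances.
    """
    src, sport, dst, dport, proto = five_tuple
    a, b = sorted([(src, sport), (dst, dport)])
    key = f"{a[0]}:{a[1]}|{b[0]}:{b[1]}|{proto}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n_tools


def slice_frame(frame, header_len, keep):
    """Packet slicing: headers plus the first `keep` payload bytes; the tool sees a truncated frame."""
    return frame[:header_len + keep]


def mask_payload(frame, header_len):
    """Payload masking: keep the length, overwrite the application data so it is never archived."""
    return frame[:header_len] + bytes(len(frame) - header_len)


def broker(frames, n_tools, flow_filter=None, slice_bytes=None, mask=False):
    """Distribute frames over `n_tools` output ports with optional filter, mask and slice.

    Returns {tool_index: [frames], "unclassified": [frames the parser could not handle]}.
    """
    out = {i: [] for i in range(n_tools)}
    out["unclassified"] = []
    for frame in frames:
        parsed = parse_headers(frame)
        if parsed is None:
            out["unclassified"].append(frame)
            continue
        five_tuple, hdr = parsed
        if flow_filter and not flow_filter(five_tuple):
            continue                     # filtering: only relevant flows reach the tool
        if mask:
            frame = mask_payload(frame, hdr)
        if slice_bytes is not None:
            frame = slice_frame(frame, hdr, slice_bytes)
        out[pick_tool(five_tuple, n_tools)].append(frame)
    return out


if __name__ == "__main__":
    req = build_tcp_frame("10.0.0.5", "10.0.0.9", 40000, 80,
                          b"GET / HTTP/1.1\r\nCookie: session=secret\r\n\r\n")
    rsp = build_tcp_frame("10.0.0.9", "10.0.0.5", 80, 40000, b"HTTP/1.1 200 OK\r\n\r\n")
    ports = broker([req, rsp], n_tools=4, flow_filter=lambda t: 80 in (t[1], t[3]),
                   slice_bytes=16, mask=True)
    for tool, frames in ports.items():
        print(tool, [len(f) for f in frames])
```

Sliced frames keep the IP total-length field of the original, exactly as a truncated capture would; tools that consume sliced traffic must treat it as a snapshot, the same way they treat a pcap recorded with a short snaplen. Masking before slicing is deliberate: the bytes that survive slicing are already scrubbed.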
The transition from TAP to Packet Broker can become expensive in high-growth network environments. Adding more links and upgrading media from copper to optical fiber to accommodate increasing bandwidth requirements can challenge the most disciplined budgets. Changing out tools and visibility devices adds expense and complexity to the process. New products like the SmartNA PortPlus Packet Broker from Network Critical can help managers maintain visibility while growing a complex network. The SmartNA PortPlus can manage links from 1Gbps to 100Gbps using a flexible modular architecture. The small 1RU chassis allows many combinations of speeds and feeds for small networks and accommodates growth without changing systems. When one chassis is full, extension chassis may be added to grow port count as well as bandwidth. This scale-out technology is unique to Network Critical and helps to simplify the problem of rapid network growth against the generally slower pace of budget growth.
Combination TAP/Packet Broker
Now that we have discussed the differences between TAPs and Packet Brokers, we can look at how a combination TAP/NPB unit can provide the protection of a TAP and the advanced features of an NPB in a single modular unit. Integrating the two functions into a single modular 1RU chassis can save on rack space, power and capital cost.
A chassis/module architecture allows a variety of modules to be integrated into a single chassis. An integrated chassis can accept TAP modules providing the necessary network fail-safe functionality. It can also accept modules that provide packet broker features such as load balancing, packet manipulation and higher speed inputs up to 100Gbps. Copper and fiber inputs can be aggregated, processed and distributed via a high speed common backplane.
With rack space at a premium, many organizations are looking for any opportunity to consolidate network functionality. A combination TAP/Network Packet Broker allows network managers to reduce a two box solution down to a one box solution.
In a typical two box solution a TAP is inserted in the network link. Cables connect to the network ports of the TAP, ensuring that the pathway for live traffic is not compromised. To visualize this connection, think of TAP ports A and B as the network in and out ports; these provide the uninterrupted live network traffic flow. TAP ports C and D provide the connection to the network tools such as a probe or IDS. If many tools are going to be connected to analyze and protect the link, as is often the case, the tools are not connected directly to ports C and D. The Packet Broker connects to those ports, and the network tools then connect to the Packet Broker. This allows the advanced features of the Packet Broker to be combined with the fail-safe capability provided by the TAP.
The disadvantages of this configuration, however, are rack space, power and complexity. Deploying two boxes to achieve TAP and Packet Broker functionality takes up more rack space. The network designer must allow not only for the space of the boxes but also for airflow between them: a 1U TAP and a 2U packet broker, for example, would actually require 4U of rack space, allowing 1U between the units. Then there are the power requirements and wiring for two units. Finally, configuration, mapping, feature programming and traffic flow planning are more complicated across two units. There are two operating systems and two backplanes, as well as inter-unit traffic, that need to be accommodated.
Despite the disadvantages noted above, a two unit configuration is not necessarily a bad thing. The point to understand is that visibility requirements need advance planning, just as the probes, security appliances and other connected devices need thoughtful planning.
While TAPs can provide some NPB functions and some NPBs have integrated TAP modules, the two are generally designed for different but complementary applications. A good rule of thumb, particularly in larger, complex networks, is to use TAPs to bring network data into NPBs. Smaller networks may be better served by a combination TAP/Packet Broker to save rack space and deployment complexity. The SmartNA-XL by Network Critical is a good example of a Hybrid TAP/Packet Broker. The SmartNA-XL provides the fail-safe TAP connectivity that keeps network traffic flowing even when power is lost to the unit. In addition, it includes the Packet Broker features for advanced packet processing. Capable of managing links from 1Gbps to 40Gbps, the SmartNA-XL lets network managers start small and scale out as their needs change. The integrated Drag’n Vu Graphical User Interface simplifies deployment and management.
A good understanding of TAP and Packet Broker functionality provides the foundation for a sound network visibility plan. Plan tool connectivity and visibility together with the monitoring and security plan to avoid last minute problems that can cause outages and vulnerabilities.