How To Properly Tap Your Data Network
2020-05-01 | 8 min read
Enterprises require 100% visibility into network traffic to ensure peak performance and security. As the network grows larger, visibility becomes harder as blind spots creep into the network. These blind spots, or the inability to completely see what is happening on the network, can compromise network quality. A visibility architecture is the only way to effectively remove blind spots.
Network taps (test access points) are a key part of the access layer of a visibility architecture because they are an unobtrusive way to capture monitoring data. The Access layer framework of a visibility architecture is focused on creating access to the business data information within the network. This is the base framework that then feeds data to network packet brokers (NPBs), in either an out-of-band visibility or inline security framework. That data can then be filtered before being be sent on to the appropriate monitoring tools. Let’s look at four common monitoring data access scenarios:
- Traditional, physical networks (commonly referred to as out-of-band)
- Inline physical networks
- Virtual Data centers
- Cloud networks
Network taps are most commonly used in physical networks to copy network data and forward a copy of that data to monitoring and security tools. While the tap is installed directly into the network, it’s a one-time disruption to the network. After that, the tap is designed to be passive functionality. This prevents the monitoring infrastructure from impacting network availability.
This type of tap provides permanent access to network traffic and allows total traffic visibility for network monitoring and security devices—without introducing costly bottlenecks or points of failure. In addition, taps are plug-and-play and do not require any costly hands-on management. They can be installed anywhere in the network, regardless of interface or network location. You simply match an appropriate tap up to the: cabling type (e.g. copper, multimode fiber, or single-mode fiber), maximum network speed required (e.g. 1/10/40/100 GE), and the desired split ratio (e.g. 50/50, 60/40, 70/30, 80/20, or 90/10) needed for your transmission distances.
Another common access consideration is whether security and monitoring tools need to be deployed in the direct path of network traffic. This is referred to as being inline. In this scenario, if the tool goes out of service for any reason (regular rebooting, maintenance, software or hardware upgrades, etc.), it will stop the flow of data in both directions for that network segment. If that inline tool, like a firewall or intrusion prevention system (IPS), is located at the main entrance to/from the data network, then this will effectively take the entire network out of service. If you have this type of architecture, a special type of type of fail-safe tap, called a bypass switch, is needed to preserve network reliability and uptime. Rather than making a copy of the traffic and funneling that traffic to a monitoring port, the bypass switch forwards the main stream of data to the monitoring port for transmission to the tools. The bypass switch then receives the analyzed data back from the tool(s) and lets it pass downstream at that point.
The bypass switch can also increase network availability. In the event that the inline tool(s) do go out of service, the bypass switch has integrated failover capability so that the network traffic can continue on downstream. This allows for minimal, if any, disruption to network performance during normal operation but also supports multi-tool or multi-network deployments maximizing security and network up time. Adding a network packet broker after the bypass switch adds even more flexibility and capabilities.
Virtual Data Center Monitoring
We’ve discussed how to tap physical networks but what about the virtual data center? According to Gartner Research, up to 80% of virtualized data center traffic is east-west (i.e. inter- and intra-virtual machine traffic) so it never reaches the top of the rack where it can be monitored by traditional tap and SPAN technology. You could, and probably are, missing key performance and security information because of this.
In this situation, a virtual tap is used to solve the virtual data center visibility problem. A virtual tap is simply a software version of an out-of-band physical tap. The software is installed on a VM (virtual machine) so that it can collect a copy of the virtual traffic. The traffic is then exported from the virtual server and sent to your existing physical or virtual monitoring tools.
One of the best benefits of a virtual tap is that you can continue to use your existing physical monitoring and security tools. Why buy new versions of your tools for your virtual environment —simply extend the usefulness of your physical tools and save money. Once virtual data is collected, it can simply be exported to those existing physical tools. Consolidation of all of your monitoring data lets you maximize the utilization of your existing tools, capture pertinent network security related data for threat analysis, gather performance data across your whole data center, and apply consistent regulatory compliance policies.
While some virtual environments support data mirroring natively, they just make a complete copy of all east-west data. Unfortunately, double the amount of virtual data can blow out your LAN fast. This is where a well-made virtual tap, coupled with an NPB, offers a superior solution to allow you to selectively filter that virtual monitoring data so you export just the right set of data to your monitoring tools.
Cloud Network Monitoring
Do you have a cloud network? If so, you probably have a similar problem to the virtual data center in accessing inter- and intra-cloud network data. Most enterprises use an average of 6 different cloud networks to conduct their operations. Getting access to data from the different networks can be a challenge. A virtual tap can be used in this instance as well. Following the same tactics as for the virtual data center, you simply install the software on a VM in your cloud network and then export the requisite monitoring data to your NPB so that it can be delivered to the appropriate monitoring tool for analysis.
More details on tap planning and best practices can be found in this whitepaper Best Practices for Visibility Architecture Tap Planning and at this website.