Continued from The World of TAPs – Part 1
Last week we covered an introduction to what a network TAP is, why this tool is needed, and where it is used. This week we are going to look at the various types of network TAPs that are generally available.
A full-duplex TAP is the most comprehensive type of network TAP, allowing complete capture of both directions of a full-duplex network link without any loss of packets. In a basic setup, this TAP device has four ports, e.g. A, B, M1 and M2. Ports A and B are the ‘input’ or network ports, connected in-line with the network link to be monitored. Network traffic entering port A exits through port B in one direction, and traffic entering port B exits through port A in the other direction. Ports M1 and M2 are the ‘output’ or monitoring ports. In a full-duplex network link, ports A and B each receive the traffic stream of one direction.
These traffic streams are then copied and mapped onto the monitoring ports M1 and M2: M1 receives a copy of the traffic entering network port A, and M2 a copy of the traffic entering network port B. This ensures that the full traffic coming into each network port is copied and transported as-is to the host computer (or monitoring system), without the loss of any packet. While the packets are being copied, the TAP also ensures that traffic on network ports A and B continues to flow in each direction without any hindrance.
It should be noted that the host computer receiving traffic from the TAP needs two network interface cards (NICs), one connected to each of ports M1 and M2. In addition, the host computer also needs to combine or merge the two traffic streams (i.e. link aggregation) so that they are ‘seen’ as a single flow of traffic in the monitoring application. Because of this requirement for additional resources, full-duplex TAPs are often considered the most expensive solution in the TAP world.
However, it is also the most comprehensive solution, since it provides complete visibility into a network segment by capturing each and every packet that travels over it. Some TAP manufacturers also refer to full-duplex TAPs as breakout TAPs.
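The host-side merge described above is easy to get wrong: each monitoring NIC only ever sees one direction of the conversation, so simply concatenating the two captures scrambles request/response order. The following added example (not code from the original article) shows a timestamp-ordered k-way merge of two per-NIC captures; the packets, port names (M1/M2) and the assumption that both NICs share a clock are constructed for illustration.

```python
"""Merging the two monitor-port captures of a full-duplex TAP (constructed example)."""
import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # capture timestamp in seconds (assumed: both NICs share one clock)
    direction: str   # "A->B" (copied to port M1) or "B->A" (copied to port M2)
    summary: str


# Constructed TCP handshake plus an HTTP exchange, as each monitoring NIC would see it.
# NIC 1 (on port M1) only sees the A->B half; NIC 2 (on port M2) only the B->A half.
NIC1_M1 = [
    Packet(0.000, "A->B", "SYN"),
    Packet(0.002, "A->B", "ACK"),
    Packet(0.003, "A->B", "GET /index.html"),
]
NIC2_M2 = [
    Packet(0.001, "B->A", "SYN-ACK"),
    Packet(0.010, "B->A", "HTTP/1.1 200 OK"),
]


def naive_concat(*captures):
    """What you get without merging: one direction's whole history, then the other's."""
    return [p for cap in captures for p in cap]


def merge_by_timestamp(*captures):
    """Merge per-NIC captures (each already time-ordered) into one time-ordered flow.

    heapq.merge is a streaming k-way merge, so the same call works on live feeds
    from any number of monitoring ports, not just two.
    """
    return list(heapq.merge(*captures, key=lambda p: p.ts))


def is_time_ordered(packets):
    """True if capture timestamps never go backwards."""
    return all(a.ts <= b.ts for a, b in zip(packets, packets[1:]))


def conversation(packets):
    """Human-readable view of the flow, one line per packet."""
    return [f"{p.direction} {p.summary}" for p in packets]


if __name__ == "__main__":
    print("concatenated:", conversation(naive_concat(NIC1_M1, NIC2_M2)))
    print("merged:      ", conversation(merge_by_timestamp(NIC1_M1, NIC2_M2)))
```

The merged view interleaves SYN, SYN-ACK, ACK, GET and the 200 OK in the order they crossed the link; the concatenated view puts the SYN-ACK after the GET. Any analysis that tracks connection state (an IDS, for example) needs the merged order, which is why the two-NIC requirement is a real cost rather than a formality.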
Most IT users view the additional resources required to utilise full-duplex TAPs as a hassle or overhead in their operations. This is also seen as a ‘barrier to entry’ for IT users wanting to utilise network TAPs. To overcome this barrier, manufacturers introduced another type of TAP, known as the aggregation TAP. As the name reveals, an aggregation TAP combines the two incoming traffic streams into a single flow of outgoing traffic. For example, in a basic setup there are two network ports but only one ‘output’, or monitoring, port M. Network traffic entering ports A and B from each direction is combined or merged to form a single stream of traffic.
However, this can become a source of problems if the input and output ports are of the same data rate. For example, let’s say that the input and output ports are Fast Ethernet NICs. If the input ports are each taking in 100 Mbps of traffic, resulting in a combined stream of 200 Mbps, this becomes a bottleneck, because it is not possible to transport 200 Mbps of traffic over an output port of 100 Mbps.
Therefore, TAP manufacturers use an internal buffer to cache the incoming packets so that the TAP can keep up with the speed of the output port. However, how long the TAP can sustain the flow of incoming packets before starting to drop them depends on the size of the buffer. Packet drops become significant once utilisation of the input ports exceeds 50% of their bandwidth, and as many as 50% of all packets can be lost if both input streams run at full capacity. Some aggregator TAPs have memory to absorb bursts, but this buffering has a significant effect on packet timing, which makes it unsuitable for analysing real-time protocols.
The best way to overcome this bottleneck is to transport the aggregated traffic to an output of a higher data rate. In the above example, if the output port is a Gigabit Ethernet NIC (1 Gbps data rate), it can easily transport the aggregated traffic of 200 Mbps without any packet loss.
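The 50% figures above follow directly from the arithmetic of two inputs sharing one output, and the buffer only decides how long the TAP survives before dropping. The toy model below is an added example, not the article’s or any vendor’s code; it assumes a tail-drop buffer of 1 MB, 1 ms scheduling slots and symmetric input utilisation, all of which are constructed values. It reports both the loss fraction and the worst-case queueing delay the buffer introduces, which is the timing effect the paragraph warns about.

```python
"""Toy model of an aggregation TAP's output bottleneck (constructed example)."""


def simulate_aggregation(util_a, util_b, input_rate_bps=100e6, output_rate_bps=100e6,
                         buffer_bytes=1_000_000, duration_s=1.0, slot_s=0.001):
    """Feed two input streams into one output port through a tail-drop buffer.

    util_a / util_b: fraction of input_rate_bps offered on network ports A and B.
    Returns (loss_fraction, max_queue_delay_s). Buffer size, slot length and
    duration are assumed values, not a real device's figures.
    """
    bytes_in_per_slot = (util_a + util_b) * input_rate_bps / 8 * slot_s
    bytes_out_per_slot = output_rate_bps / 8 * slot_s
    backlog = 0.0           # bytes currently waiting in the TAP's buffer
    offered = dropped = 0.0
    peak_backlog = 0.0
    for _ in range(int(round(duration_s / slot_s))):
        offered += bytes_in_per_slot
        backlog += bytes_in_per_slot                  # arrivals from A and B
        backlog -= min(backlog, bytes_out_per_slot)   # what port M can carry
        if backlog > buffer_bytes:                    # buffer full: tail-drop the rest
            dropped += backlog - buffer_bytes
            backlog = buffer_bytes
        peak_backlog = max(peak_backlog, backlog)
    loss = dropped / offered if offered else 0.0
    max_delay = peak_backlog / (output_rate_bps / 8)  # seconds a packet may sit queued
    return loss, max_delay


def loss_by_utilisation(steps=10, **kwargs):
    """Sweep symmetric utilisation 0..100% and report the loss at each step."""
    return [(u / steps, simulate_aggregation(u / steps, u / steps, **kwargs)[0])
            for u in range(steps + 1)]


if __name__ == "__main__":
    for util, loss in loss_by_utilisation():
        print(f"inputs at {util:>4.0%} each -> loss {loss:.1%}")
    loss, delay = simulate_aggregation(1.0, 1.0)
    print(f"both inputs saturated: loss {loss:.1%}, queueing delay up to {delay * 1000:.0f} ms")
    loss, delay = simulate_aggregation(1.0, 1.0, output_rate_bps=1e9)
    print(f"same load into a 1 Gbps port: loss {loss:.1%}, delay {delay * 1000:.0f} ms")
```

With 100 Mbps in and out, utilisation of 50% on each input is exactly the break-even point: above it the backlog grows every slot, the buffer fills, and the drop rate converges on the excess (at full load, towards 50%), while the buffer adds tens of milliseconds of delay before the first drop. The same load into a 1 Gbps output port never queues at all.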
Today’s full-scale enterprise networks deploy a variety of support systems to monitor, diagnose, detect, and protect their IT infrastructure. All of these systems, e.g. network monitoring, application analysis, intrusion detection and prevention systems, and security event and incident platforms, vie for access to the same set of network segments.
Typically, IT administrators who have deployed an in-line TAP on a network segment can only give one of these systems access to the traffic at a time. That is no longer sufficient. Because today’s enterprise networks are growing more complex, and with them the demand for fail-proof availability, multiple systems need to be able to access the same set of network segments at the same time.
To answer this demand, TAP manufacturers developed a new line of TAPs, known as regeneration TAPs, which provide visibility to the same network segment for multiple systems simultaneously.
Regeneration TAPs capture traffic from a single network segment, duplicate the incoming packets, and transport them to multiple output ports. This allows the IT administrator to capture traffic from one segment of the network and send it to multiple tools at the same time.
For large enterprises with multiple teams for different IT functions, a regeneration TAP is a shared requirement because they can all ‘see’ the same data at the same time. They can simultaneously monitor traffic on important links with multiple security and traffic management tools and can also correlate the data in real time.
Types of Media in TAPs
Apart from the differentiation of TAPs according to their internal design, TAPs can also be categorised according to the type of media they can be installed on. These two types of media are copper and optical fiber.
Fiber-optic-based TAPs use optical splitters to split the incoming laser light into two duplicate streams, with one of them intended for the monitoring port. Fiber optic TAPs are mainly passive in nature, which means they do not require any electronic circuitry and do not depend on any power source or embedded software.
Copper-based TAPs, however, do require electronic circuitry and need internal hardware and software to function.