Successful attacks on networks have become commonplace. However, many security incidents could have been avoided if there had been sufficient visibility of all parts of the network and if the intruder had been detected in time.
A relatively cost-effective solution to create transparency in the network infrastructure can be realised easily and quickly with network TAPs.
Once installed, with the help of a TAP, all data traffic can be made available transparently, quickly, easily and without affecting the active network line, for various monitoring applications. A network TAP operates on OSI Layer 1 and has no MAC address. Therefore, it is invisible in the network and cannot be detected by any attacker. This is indispensable, especially in network forensics and security, as otherwise criminals could be aware of the presence of the TAP.
The use of TAPs has another advantage: you determine yourself at which point in the network you want to tap the data. This flexibility is of great benefit, as you are able to pick up the critical network data individually as needed, thus significantly improving the quality of your security tool.
Another advantage of network TAPs is their passive mode of operation, as it is thus possible not to influence the active data traffic in any way. Due to the additional "fail-closed" technology of the Ethernet copper TAPs, the data line is also switched through in the event of a power interruption, the network TAP works like a cable bridge and protects your productive network from a failure. This gives you accurate data for error-free analysis directly from the line.
Using SPAN ports, on the other hand, can distort the results, as this technique works in store-and-forward mode and FCS/CRC discards erroneous packets at the OSI Layer 2 level instead of outputting them on the mirror port. In contrast, Ethernet Taps route these critical Ethernet frames out without degradation, increasing visibility onto your network. In addition, a network TAP is non-reactive, preventing interference with the active network via the monitoring ports. This diode function is enormously critical and prevents both access and manipulation of your network traffic in the productive network. This access method also increases the security of your network, as it separates the data traffic to your security tool from the active network traffic by means of a galvanic separation at the physical level.
In addition, when using multiple TAPs, you get a much more accurate measurement result and can thus identify network and application errors even faster and more precisely. This saves you valuable time when troubleshooting network errors and problems. Instead of the time-consuming configuration of SPAN ports, network TAPs can be installed and commissioned plug-n-play, without any prior technical knowledge, in a very short time. For good reason, many globally active network suppliers deliberately advise against the use of such SPAN ports for network analysis.
Due to their mode of operation, network TAPs have another decisive advantage: they completely route the bi-directional data traffic. This means that you receive the send and receive direction of a full-duplex line separately and can thus analyse a 10G line, for example, without loss, even with a maximum load of 20Gbps. This means that you need two network interfaces on the analyser to record the network data. Overbooking can thus be ruled out, you can evaluate the data much better and get a better insight into what is happening in the network.
You can learn more about this topic in our lecture.
