Network tap

Last updated

A network tap is a system that monitors events on a local network. A tap is typically a dedicated hardware device, which provides a way to access the data flowing across a computer network.

Contents

The network tap has (at least) three ports: an A port, a B port, and a monitor port. A tap inserted between A and B passes all traffic (send and receive data streams) through unimpeded in real time, but also copies that same data to its monitor port, enabling a third party to listen.

Network taps are commonly used for network intrusion detection systems, VoIP recording, network probes, RMON probes, packet sniffers, and other monitoring and collection devices and software that require access to a network segment. Taps are used in security applications because they are non-obtrusive, are not detectable on the network (having no physical or logical address), can deal with full-duplex and non-shared networks, and will usually pass through or bypass traffic even if the tap stops working or loses power.

Terminology

The term network tap is analogous to phone tap or vampire tap. Some vendors define TAP as an acronym for test access point or terminal access point; however, those are backronyms.

The monitored traffic is sometimes referred to as the pass-through traffic, while the ports that are used for monitoring are the monitor ports. There may also be an aggregation port for full-duplex traffic, wherein the A traffic is aggregated with the B traffic, resulting in one stream of data for monitoring the full-duplex communication. The packets must be aligned into a single stream using a time-of-arrival algorithm.

Vendors will tend to use terms in their marketing such as breakout, passive, aggregating, regeneration, bypass, active, inline power, and others; Unfortunately, vendors do not use such terms consistently. Before buying any product it is important to understand the available features, and check with vendors or read the product literature closely to figure out how marketing terms correspond to reality. All of the "vendor terms" are common within the industry, have real definitions and are valuable points of consideration when buying a tap device.

A distributed tap is a set of network taps that report to a centralized monitoring system or packet analyzer.

Tapping technology methods

There are various methods for monitoring a network. Many tapping methods can be used, according to the network technology, the monitoring objective, the resources available and the size of the target network. Various methods will be developed below.

Tapping by software

This type of tapping focuses on tapping by making use of software, and without making any significant change on an infrastructures hardware. This type of tapping is often the cheapest one to implement, but it needs several implementations to give a truly complete look of the network.

Monitoring software

The simplest type of monitoring is logging into an interesting device and running programs or commands that show performance statistics and other data. This is the cheapest way to monitor a network, and is highly appropriate for small networks. However, it does not scale well to large networks. It can also impact the network being monitored; see observer effect.

SNMP

Another way to monitor devices is to use a remote management protocol such as SNMP to ask devices about their performance. This scales well, but is not necessarily appropriate for all types of monitoring. The inherent problems with SNMP are the polling effect. Many vendors have alleviated this by using intelligent polling schedulers, but this may still affect the performance of the device being monitored. It also opens up a host of potential security problems.

Port mirroring

Another method to monitor networks is to use port mirroring (called "SPAN", for Switched Port Analyzer, by vendors such as Cisco, [1] and given other names, such MLXe telemetry by Brocade Communications and other vendors)(also known as MIRROR port) or a monitoring protocol such as TZSP on routers and switches. This is a low-cost alternative to network taps and solves many of the same problems. However, not all routers and switches support port mirroring, and, on those that do, using port mirroring can affect the performance of the router or switch. These technologies may also be subject to the problem with full-duplex described elsewhere in this article, and there are often limits for the router or switch on how many pass-through sessions can be monitored, or how many monitor ports (generally two) can monitor a given session. Often, when the SPAN port is overloaded, packets will be dropped before reaching the monitoring device. There is also the possibility of losing some of the error packets that may be causing problems. If this data is not sent to the monitoring device because it is dropped, it is impossible to troubleshoot, no matter how advanced a device that may be used.

Promiscuous sniffer

This tapping method consists in enabling promiscuous mode on the device that is used for the monitoring and attaching it to a network hub. This works well with older LAN technologies such as 10BASE2, FDDI, and Token Ring. On such networks, any host can automatically see what all other hosts were doing by enabling promiscuous mode. However, modern switched network technologies create point-to-point links between pairs of devices, making it impossible to tap network traffic with this method.

Tapping by hardware

This type of tapping focuses on tapping with remarkable use of hardware

In-line sniffer

A passive fiber optic tap. Fiber optic tap.png
A passive fiber optic tap.

This method consists in the installation of a device in between a network cable and the device the Admin/Attacker wishes to "tap". When a monitoring device is installed in-line, the network will stop every time the device fails, or shuts down. The "victim" device might stop receiving traffic when the tapping-device is updating/rebooting if said mechanisms weren't integrated in a smart way (aka. that would prevent this scenario from happening).

Some taps, particularly fiber taps, use no power and no electronics at all for the pass-through and monitor portion of the network traffic. This means that the tap should never suffer any kind of electronics failure or power failure that results in a loss of network connectivity. One way this can work, for fiber-based network technologies, is that the tap divides the incoming light using a simple physical apparatus into two outputs, one for the pass-through, one for the monitor. This can be called a passive tap. Other taps use no power or electronics for the pass-through, but do use power and electronics for the monitor port. These can also be referred to as passive.

V-Line tapping

V-Line Tapping is the most important Tapping system methods. V-Line Tapping (also known as Bypass Tapping) allows placing the served system virtually in-line. Putting this device in-line will compromise the integrity of a critical network. By placing a Tapping system instead of the monitoring device and connecting the monitoring device to the Tapping system, it can guarantee that the traffic will continue to flow and the device will not create a failure point in the network. [2] This method always passes every packet, even error packets that a SPAN port may drop, to the monitoring device. This method involves using spying-software on the target machine. For a system-admin, this type of solution is the easiest to implement and the most cost-effective one; However, for an attacker, this type of tapping is very risky, as this is easily detectable by system scans. The tapping system will be removed after a reboot if the spying software was installed in a non-persistent way on a system that is executing a Live-OS.

Advantages and features

Modern network technologies are often full-duplex, meaning that data can travel in both directions at the same time. If a network link allows 100 Mbit/s of data to flow in each direction at the same time, this means that the network really allows 200 Mbit/s of aggregate throughput. This can present a problem for monitoring technologies if they have only one monitor port. Therefore, network taps for full-duplex technologies usually have two monitor ports, one for each half of the connection. The listener must use channel bonding or link aggregation to merge the two connections into one aggregate interface to see both halves of the traffic. Other monitoring technologies, such as passive fiber network TAPs do not deal well with the full-duplex traffic.

Once a network tap is in place, the network can be monitored without interfering with the network itself. Other network monitoring solutions require in-band changes to network devices, which means that monitoring can impact the devices being monitored. This scenario is for active, inline security tools, such as next-generation fire walls, intrusion prevention systems and web application firewalls.

Once a tap is in place, a monitoring device can be connected to it as-needed without impacting the monitored network.

Some taps have multiple output ports, or multiple pairs of output ports for full-duplex, to allow more than one device to monitor the network at the tap point. These are often called regeneration taps.

Some taps operate at the physical layer of the OSI model rather than the data link layer. For example, they work with multi-mode fiber rather than 1000BASE-SX. This means that they can work with most data link network technologies that use that physical media, such as ATM and some forms of Ethernet. Network taps that act as simple optical splitters, sometimes called passive taps (although that term is not used consistently) can have this property.

Some network taps offer both duplication of network traffic for monitoring devices and SNMP services. Most major network tap manufacturers offer taps with remote management through Telnet, HTTP, or SNMP interfaces. Such network tap hybrids can be helpful to network managers who wish to view baseline performance statistics without diverting existing tools. Alternatively, SNMP alarms generated by managed taps can alert network managers to link conditions that merit examination by analyzers to intrusion detection systems.

Some taps get some of their power (i.e., for the pass-through) or all of their power (i.e., for both pass-through and monitor) from the network itself. These can be referred to as having inline power.

Some taps can also reproduce low-level network errors, such as short frames, bad CRC or corrupted data.

Basic functionality of an optical network tap Optical-tap-schema-wiki.gif
Basic functionality of an optical network tap

Advantages of a network tap

Here are some advantages of a network tap over port mirroring or SPAN:

Disadvantages and problems

Because network taps require additional hardware, they are not as cheap as technologies that use capabilities that are built into the network. However, network taps are easier to manage and normally provide more data than some network devices.

Network taps can require channel bonding on monitoring devices to get around the problem with full-duplex discussed above. Vendors usually refer to this as aggregation as well.

Putting a network tap into place will disrupt the network being monitored for a short time. [3] Even so, a short disruption is preferable to taking a network down multiple times to deploy a monitoring tool. Establishing good guidelines for the placement of network taps is recommended.

Monitoring large networks using network taps can require a lot of monitoring devices. High-end networking devices often allow ports to be enabled as mirror ports, which is a software network tap. While any free port can be configured as a mirror port, software taps require configuration and place load on the network devices.

Even fully passive network taps introduce new points of failure into the network. There are several ways that taps can cause problems, and this should be considered when creating a tap architecture. Consider non-powered taps for optical-only environments or throwing star network tap for copper 100BASE-TX. This allows you to modify the intelligent aggregation taps that may be in use and avoids any complications when upgrading from 100 megabit to gigabit to 10 gigabit. Redundant power supplies are highly recommended.

Fully passive is only possible on optical connections of any bandwidth and on copper connections from type G703 (2 Mbit) and Ethernet Base-T 10/100 Mbit. On Gigabit and 10 Gbit Base-T connections, passive tapping is currently not possible.

Countermeasures

Countermeasures for network taps include encryption and alarm systems. Encryption can make the stolen data unintelligible to the thief. However, encryption can be an expensive solution, and there are also concerns about network bandwidth when it is used.

Another counter-measure is to deploy a fiber-optic sensor into the existing raceway, conduit or armored cable. In this scenario, anyone attempting to physically access the data (copper or fiber infrastructure) is detected by the alarm system. A small number of alarm systems manufacturers provide a simple way to monitor the optical fiber for physical intrusion disturbances. There is also a proven solution that utilizes existing dark (unused) fiber in a multi-strand cable for the purpose of creating an alarm system.

In the alarmed cable scenario, the sensing mechanism uses optical interferometry in which modally dispersive coherent light traveling through the multi-mode fiber mixes at the fiber's terminus, resulting in a characteristic pattern of light and dark splotches called speckle. The laser speckle is stable as long as the fiber remains immobile, but flickers when the fiber is vibrated. A fiber-optic sensor works by measuring the time dependence of this speckle pattern and applying digital signal processing to the Fast Fourier Transform (FFT) of the temporal data.

The U.S. government has been concerned about the tapping threat for many years, and it also has a concern about other forms of intentional or accidental physical intrusion. In the context of classified information Department of Defense (DOD) networks, Protected Distribution Systems (PDS) is a set of military instructions and guidelines for network physical protection. PDS is defined for a system of carriers (raceways, conduits, ducts, etc.) that are used to distribute Military and National Security Information (NSI) between two or more controlled areas or from a controlled area through an area of lesser classification (i.e., outside the SCIF or other similar area). National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 7003, Protective Distribution Systems (PDS), provides guidance for the protection of SIPRNET wire line and optical fiber PDS to transmit unencrypted classified National Security Information (NSI).

Gigabit Ethernet issues

Explains the physical connection on Gbit Ethernet Base-T-Gbit-Physics.gif
Explains the physical connection on Gbit Ethernet

The 1000BASE-T signal uses PAM 5 modulation, meaning that each cable pair transports 5 bits simultaneously in both directions. The PHY chips at each end of the cable have a very complex task at hand, because they must separate the two signals from each other. This is only possible because they know their own signal, so they can deduct their own send signals from the mixed signals on the line and then interpret the information sent by their link partners.

Schematic function of a Gbit Copper TAP Gbit-Tap-schema.gif
Schematic function of a Gbit Copper TAP

To tap a copper link as shown in the picture above it is not possible to just tap the middle of the wire because all you will see is a complex modulation of two signals. The only way to terminate the signal (as shown in the picture) is to use a PHY chip to separate the signal and then send the signal on to the link partner. This solution works but causes some other problems.

  1. It is not passive any longer, so in the case of a failure the link can go down and the services on the link are interrupted. To minimize this problem each copper tap has a bypass switch (relays), which closes in a power down situation (as shown in the picture), to bring the link back up. Also this solution will not detect that the link is down for a minimum of three seconds. These three seconds are a result of the autonegotiation behavior. This can not be changed because it is a vital function of the IEEE 802.3 standard as described in clause 28 and 40. Even this short interruption time could cause big problems in a network.
    • In some cases these links cannot be re-established without shutting down the services.
    • Rerouting functions in the network may take place
    • Streaming applications can collapse and cause more issues.
  2. Some layer 1 information is not transported over a copper tap (e.g. pause frames)
  3. The clock synchronization is affected. Sync-E over a standard Gbit copper tap is impossible and IEEE 1588 is affected, because of the additional delay a copper tap produces.

See also

Related Research Articles

A network switch is networking hardware that connects devices on a computer network by using packet switching to receive and forward data to the destination device.

<span class="mw-page-title-main">Network topology</span> Arrangement of a communication network

Network topology is the arrangement of the elements of a communication network. Network topology can be used to define or describe the arrangement of various types of telecommunication networks, including command and control radio networks, industrial fieldbusses and computer networks.

<span class="mw-page-title-main">Packet analyzer</span> Computer network equipment or software that analyzes network traffic

A packet analyzer is a computer program or computer hardware such as a packet capture appliance that can analyze and log traffic that passes over a computer network or part of a network. Packet capture is the process of intercepting and logging traffic. As data streams flow across the network, the analyzer captures each packet and, if needed, decodes the packet's raw data, showing the values of various fields in the packet, and analyzes its content according to the appropriate RFC or other specifications.

<span class="mw-page-title-main">Fast Ethernet</span> Ethernet standards that carry data at the nominal rate of 100 Mbit/s

In computer networking, Fast Ethernet physical layers carry traffic at the nominal rate of 100 Mbit/s. The prior Ethernet speed was 10 Mbit/s. Of the Fast Ethernet physical layers, 100BASE-TX is by far the most common.

<span class="mw-page-title-main">Wavelength-division multiplexing</span> Fiber-optic communications technology

In fiber-optic communications, wavelength-division multiplexing (WDM) is a technology which multiplexes a number of optical carrier signals onto a single optical fiber by using different wavelengths of laser light. This technique enables bidirectional communications over a single strand of fiber as well as multiplication of capacity.

Hybrid fiber-coaxial (HFC) is a broadband telecommunications network that combines optical fiber and coaxial cable. It has been commonly employed globally by cable television operators since the early 1990s.

JTAG is an industry standard for verifying designs of and testing printed circuit boards after manufacture.

NetFlow is a feature that was introduced on Cisco routers around 1996 that provides the ability to collect IP network traffic as it enters or exits an interface. By analyzing the data provided by NetFlow, a network administrator can determine things such as the source and destination traffic, class of service, and the causes of congestion. A typical flow monitoring setup consists of three main components:

<span class="mw-page-title-main">Medium Attachment Unit</span> Transceiver in an Ethernet network

A Medium Attachment Unit (MAU) is a transceiver which converts signals on an Ethernet cable to and from Attachment Unit Interface (AUI) signals.

<span class="mw-page-title-main">Passive optical network</span> Technology used to provide broadband to the end consumer via fiber

A passive optical network (PON) is a fiber-optic telecommunications network that uses only unpowered devices to carry signals, as opposed to electronic equipment. In practice, PONs are typically used for the last mile between Internet service providers (ISP) and their customers. In this use, a PON has a point-to-multipoint topology in which an ISP uses a single device to serve many end-user sites using a system such as 10G-PON or GPON. In this one-to-many topology, a single fiber serving many sites branches into multiple fibers through a passive splitter, and those fibers can each serve multiple sites through further splitters. The light from the ISP is divided through the splitters to reach all the customer sites, and light from the customer sites is combined into the single fiber. Many fiber ISPs prefer this system.

<span class="mw-page-title-main">Link aggregation</span> Using multiple network connections in parallel to increase capacity and reliability

In computer networking, link aggregation is the combining of multiple network connections in parallel by any of several methods. Link aggregation increases total throughput beyond what a single connection could sustain, and provides redundancy where all but one of the physical links may fail without losing connectivity. A link aggregation group (LAG) is the combined collection of physical ports.

A duplex communication system is a point-to-point system composed of two or more connected parties or devices that can communicate with one another in both directions. Duplex systems are employed in many communications networks, either to allow for simultaneous communication in both directions between two connected parties or to provide a reverse path for the monitoring and remote adjustment of equipment in the field. There are two types of duplex communication systems: full-duplex (FDX) and half-duplex (HDX).

sFlow, short for "sampled flow", is an industry standard for packet export at Layer 2 of the OSI model. sFlow was originally developed by InMon Corp. It provides a means for exporting truncated packets, together with interface counters for the purpose of network monitoring. Maintenance of the protocol is performed by the sFlow.org consortium, the authoritative source of the sFlow protocol specifications. The current version of sFlow is v5.

<span class="mw-page-title-main">Ethernet physical layer</span> Electrical or optical properties between network devices

The physical-layer specifications of the Ethernet family of computer network standards are published by the Institute of Electrical and Electronics Engineers (IEEE), which defines the electrical or optical properties and the transfer speed of the physical connection between a device and the network or between network devices. It is complemented by the MAC layer and the logical link layer. An implementation of a specific physical layer is commonly referred to as PHY.

Voice over Internet Protocol (VoIP) recording is a subset of telephone recording or voice logging, first used by call centers and now being used by all types of businesses. There are many reasons for recording voice over IP call traffic such as: reducing company vulnerability to lawsuits by maintaining recorded evidence, complying with telephone call recording laws, increasing security, employee training and performance reviews, enhancing employee control and alignment, verifying data, sharing data as well as customer satisfaction and enhancing call center agent morale.

The Remote Network Monitoring (RMON) MIB was developed by the IETF to support monitoring and protocol analysis of local area networks (LANs). The original version focused on OSI layer 1 and layer 2 information in Ethernet and Token Ring networks. It has been extended by RMON2 which adds support for Network- and Application-layer monitoring and by SMON which adds support for switched networks. It is an industry-standard specification that provides much of the functionality offered by proprietary network analyzers. RMON agents are built into many high-end switches and routers.

A bypass switch (or bypass TAP) is a hardware device that provides a fail-safe access port for an in-line active security appliance such as an intrusion prevention system (IPS), next generation firewall (NGFW), etc. Active, in-line security appliances are single points of failure in live computer networks because if the appliance loses power, experiences a software failure, or is taken off-line for updates or upgrades, traffic can no longer flow through the critical link. The bypass switch or bypass tap removes this point of failure by automatically 'switching traffic via bypass mode' to keep the critical network link up.

<span class="mw-page-title-main">ADSL</span> DSL service where downstream bandwidth exceeds upstream bandwidth

Asymmetric digital subscriber line (ADSL) is a type of digital subscriber line (DSL) technology, a data communications technology that enables faster data transmission over copper telephone lines than a conventional voiceband modem can provide. ADSL differs from the less common symmetric digital subscriber line (SDSL). In ADSL, bandwidth and bit rate are said to be asymmetric, meaning greater toward the customer premises (downstream) than the reverse (upstream). Providers usually market ADSL as an Internet access service primarily for downloading content from the Internet, but not for serving content accessed by others.

<span class="mw-page-title-main">Fiber media converter</span> Network device

A fiber media converter is a simple networking device that makes it possible to connect two dissimilar media types such as twisted pair with fiber optic cabling. They were introduced to the industry in the 1990s, and are important in interconnecting fiber optic cabling-based systems with existing copper-based structured cabling systems. They are also used in metropolitan area network (MAN) access and data transport services to enterprise customers.

A data monitoring switch is a networking hardware appliance that provides a pool of monitoring tools with access to traffic from a large number of network links. It provides a combination of functionality that may include aggregating monitoring traffic from multiple links, regenerating traffic to multiple tools, pre-filtering traffic to offload tools, and directing traffic according to one-to-one and many-to-many port mappings.

References

  1. Shashank, Singh. "Catalyst Switched Port Analyzer (SPAN) Configuration Example". Cisco. Retrieved 7 February 2020.
  2. "Datacom Systems | Network TAPs". Datacom Systems. Retrieved 2023-03-26.
  3. "Sniffing Tutorial part 1 - Intercepting Network Traffic". NETRESEC Network Security Blog. 2011.