Custom Systems
Chicago Microsystems, Inc. is a OEM hardware builder manufacturing custom desktop and server solutions. We utilize the highest quality components from major vendors such as ASUS, Intel, Kingston and Western Digital. Being a full service system integrator that implements and supports our systems, we have the expertise in designing a system that will best meet your needs.
Industry surveys suggest that customers are happier with custom solutions from whitebox vendors compared to tier one vendors (such as HP or Dell). Click here to learn more about the benefits of acquiring a custom system from CMI.
Monday, August 3, 2009
Sunday, July 19, 2009
Terminology
Terminology
The term network TAP is analogous to phone tap or vampire tap. Some vendors have phrases for which TAP is an acronym; however, those are most likely bacronyms.
The monitored traffic is sometimes referred to as the pass-through traffic, while the ports that are used for monitoring are the monitor ports. There is also an aggregation port where in the Full Duplex World the "A" traffic is Aggregated with the "B" traffic resulting in one stream of data /packets for monitoring the Full Duplex communication. The packets must be aligned into a single stream using a time of arrival algorithm.
Vendors will tend to use terms in their marketing such as breakout, passive, aggregating, regeneration, inline power, and others. Common meanings will be discussed later. Unfortunately, vendors do not use such terms consistently. Before buying any products, be sure to understand the available features, and check with vendors or read the product literature closely to figure out how marketing terms correspond to reality. All of the "Vendor Terms" are common within the industry and have real definitions and are valuable points of consideration when buying a TAP device.
New Filterable TAP Technology
A new type of TAP, or network access point, is now available. This new type of TAP is called a "filterable" TAP. It is especially valuable in the 10 Gigabit environment because 10-Gigabit test equipment is very expensive. Some TAPs, like those from several vendors, offer the ability to utilize less expensive and more widely available 1-Gigabit monitoring and analysis tools with these 10 Gigabit networks. When used in this fashion, some form of load-balancing or port-bonding is recommended to avoid packet loss to the monitoring tools.
A filterable TAP, that provides advanced filtering, can selectively pass data, based on application, VLAN ID, or other parameters, to the 1-Gigabit port for deep analysis and monitoring, including IDS requirements.
Filtered access is also the best way to focus on business-critical traffic, or other specific areas of your network. At higher speeds, network traffic analysis cannot be performed using the older "capture and decode everything" philosophy. In this type of environment, focused access is the best way to enable traffic analysis, and often is the only way.
Any filterable TAP you consider must have a simple user interface for easy setup and management. Furthermore, it must be able to collect the Layer 1 and Layer 2 data, while still allowing for auto saving, and easy access to data by graphing programs. Such a TAP can be part of a strategy to monitor for essential metrics, such as frame errors and corrupted frames in IPv6.
The term network TAP is analogous to phone tap or vampire tap. Some vendors have phrases for which TAP is an acronym; however, those are most likely bacronyms.
The monitored traffic is sometimes referred to as the pass-through traffic, while the ports that are used for monitoring are the monitor ports. There is also an aggregation port where in the Full Duplex World the "A" traffic is Aggregated with the "B" traffic resulting in one stream of data /packets for monitoring the Full Duplex communication. The packets must be aligned into a single stream using a time of arrival algorithm.
Vendors will tend to use terms in their marketing such as breakout, passive, aggregating, regeneration, inline power, and others. Common meanings will be discussed later. Unfortunately, vendors do not use such terms consistently. Before buying any products, be sure to understand the available features, and check with vendors or read the product literature closely to figure out how marketing terms correspond to reality. All of the "Vendor Terms" are common within the industry and have real definitions and are valuable points of consideration when buying a TAP device.
New Filterable TAP Technology
A new type of TAP, or network access point, is now available. This new type of TAP is called a "filterable" TAP. It is especially valuable in the 10 Gigabit environment because 10-Gigabit test equipment is very expensive. Some TAPs, like those from several vendors, offer the ability to utilize less expensive and more widely available 1-Gigabit monitoring and analysis tools with these 10 Gigabit networks. When used in this fashion, some form of load-balancing or port-bonding is recommended to avoid packet loss to the monitoring tools.
A filterable TAP, that provides advanced filtering, can selectively pass data, based on application, VLAN ID, or other parameters, to the 1-Gigabit port for deep analysis and monitoring, including IDS requirements.
Filtered access is also the best way to focus on business-critical traffic, or other specific areas of your network. At higher speeds, network traffic analysis cannot be performed using the older "capture and decode everything" philosophy. In this type of environment, focused access is the best way to enable traffic analysis, and often is the only way.
Any filterable TAP you consider must have a simple user interface for easy setup and management. Furthermore, it must be able to collect the Layer 1 and Layer 2 data, while still allowing for auto saving, and easy access to data by graphing programs. Such a TAP can be part of a strategy to monitor for essential metrics, such as frame errors and corrupted frames in IPv6.
Advantages and features
Advantages and features
Older network technologies tended to be shared. Connecting a monitoring device to a shared network segment (i.e., piece of a network) was very easy -- just connect the monitoring device as you would any other host, and enable promiscuous mode. Modern network technologies tend to be switched, meaning that devices are connected using point-to-point links. If a monitoring device is connected to such a network, it will only see its own traffic. The network TAP allows the monitoring device to view the contents of a point-to-point link.
Modern network technologies are often full-duplex, meaning that data can travel in both directions at the same time. If a network link allows 100 Mbit/s of data to flow in each direction at the same time, this means that the network really allows 200 Mbit/s of aggregate throughput. This can present a problem for monitoring technologies if they have only one monitor port. Therefore, network TAPs for full-duplex technologies usually have two monitor ports, one for each half of the connection. The listener must use channel bonding or link aggregation to merge the two connections into one aggregate interface to see both halves of the traffic. Other monitoring technologies do not deal well with the full-duplex problem.
Once a network TAP is in place, the network can be monitored without interfering with the network itself. Other network monitoring solutions require in-band changes to network devices, which means that monitoring can impact the devices being monitored.
Once a TAP is in place, a monitoring device can be connected to it as-needed without impacting the monitored network.
Some TAPs have multiple output ports, or multiple pairs of output ports for full-duplex, to allow more than one device to monitor the network at the TAP point. These are often called regeneration TAPs.
A passive fiber optic tap.Some TAPs, particularly fiber TAPs, can use no power and no electronics at all for the pass-through and monitor portion of the network traffic. This means that the TAP should never suffer any kind of electronics failure or power failure that results in a loss of network connectivity. One way this can work, for fiber-based network technologies, is that the TAP divides the incoming light using a simple physical apparatus into two outputs, one for the pass-through, one for the monitor. This can be called a passive TAP. Other TAPs use no power or electronics for the pass-through, but do use power and electronics for the monitor port. These can also be referred to as passive.
Some TAPs operate at the physical layer of the OSI model rather than the data link layer. For example, they work with multi-mode fiber rather than 1000BASE-SX. This means that they can work with most data link network technologies that use that physical media, such as ATM and some forms of Ethernet. Network TAPs that act as simple optical splitters, sometimes called passive TAPs (although that term is not used consistently) can have this property.
Some network TAPs offer both duplication of network traffic for monitoring devices and SNMP services. Most major network TAP manufacturers offer TAPs with remote management through Telnet, HTTP, or SNMP interfaces. Such network TAP hybrids can be helpful to network managers who wish to view baseline performance statistics without diverting existing tools. Alternately, SNMP alarms generated by managed TAPs can alert network managers to link conditions that merit examination by analyzers to intrusion detection systems.
Some TAPs get some of their power (i.e., for the pass-through) or all of their power (i.e., for both pass-through and monitor) from the network itself. These can be referred to as having inline power.
Some TAPs can also reproduce low-level network errors, such as short frames, bad CRC or corrupted data.
Older network technologies tended to be shared. Connecting a monitoring device to a shared network segment (i.e., piece of a network) was very easy -- just connect the monitoring device as you would any other host, and enable promiscuous mode. Modern network technologies tend to be switched, meaning that devices are connected using point-to-point links. If a monitoring device is connected to such a network, it will only see its own traffic. The network TAP allows the monitoring device to view the contents of a point-to-point link.
Modern network technologies are often full-duplex, meaning that data can travel in both directions at the same time. If a network link allows 100 Mbit/s of data to flow in each direction at the same time, this means that the network really allows 200 Mbit/s of aggregate throughput. This can present a problem for monitoring technologies if they have only one monitor port. Therefore, network TAPs for full-duplex technologies usually have two monitor ports, one for each half of the connection. The listener must use channel bonding or link aggregation to merge the two connections into one aggregate interface to see both halves of the traffic. Other monitoring technologies do not deal well with the full-duplex problem.
Once a network TAP is in place, the network can be monitored without interfering with the network itself. Other network monitoring solutions require in-band changes to network devices, which means that monitoring can impact the devices being monitored.
Once a TAP is in place, a monitoring device can be connected to it as-needed without impacting the monitored network.
Some TAPs have multiple output ports, or multiple pairs of output ports for full-duplex, to allow more than one device to monitor the network at the TAP point. These are often called regeneration TAPs.
A passive fiber optic tap.Some TAPs, particularly fiber TAPs, can use no power and no electronics at all for the pass-through and monitor portion of the network traffic. This means that the TAP should never suffer any kind of electronics failure or power failure that results in a loss of network connectivity. One way this can work, for fiber-based network technologies, is that the TAP divides the incoming light using a simple physical apparatus into two outputs, one for the pass-through, one for the monitor. This can be called a passive TAP. Other TAPs use no power or electronics for the pass-through, but do use power and electronics for the monitor port. These can also be referred to as passive.
Some TAPs operate at the physical layer of the OSI model rather than the data link layer. For example, they work with multi-mode fiber rather than 1000BASE-SX. This means that they can work with most data link network technologies that use that physical media, such as ATM and some forms of Ethernet. Network TAPs that act as simple optical splitters, sometimes called passive TAPs (although that term is not used consistently) can have this property.
Some network TAPs offer both duplication of network traffic for monitoring devices and SNMP services. Most major network TAP manufacturers offer TAPs with remote management through Telnet, HTTP, or SNMP interfaces. Such network TAP hybrids can be helpful to network managers who wish to view baseline performance statistics without diverting existing tools. Alternately, SNMP alarms generated by managed TAPs can alert network managers to link conditions that merit examination by analyzers to intrusion detection systems.
Some TAPs get some of their power (i.e., for the pass-through) or all of their power (i.e., for both pass-through and monitor) from the network itself. These can be referred to as having inline power.
Some TAPs can also reproduce low-level network errors, such as short frames, bad CRC or corrupted data.
Disadvantages and problems
Disadvantages and problems
Network TAPs require additional hardware, so are not as cheap as technologies that leverage capabilities that are built-in to the network. They are easier to manage and normally provide more data than some network devices though.
Network TAPs can require channel bonding on monitoring devices to get around the problem with full-duplex discussed above. Vendors usually refer to this as aggregation as well.
Putting a network TAP into place can disrupt the network being monitored for a short time. It's better than taking a network down multiple times to deploy a monitoring tool though. Establishing good guidelines for placement of network taps is recommended procedure.
Monitoring large networks using network Taps can require a lot of monitoring devices. Some argue that other technologies scale better.[citation needed] SPAN ports are presumed free, but require more configuration than TAPs.
Even fully passive network TAPs introduce new points of failure into the network. There are several ways that taps can cause problems and this should be considered when creating a tap architecture. Consider non-powered taps for optical-only environments. This allows you to modify the intelligent aggregation taps that may be in use and avoids any complications when upgrading from 100 Megabit to Gigabit to 10 Gigabit. Redundant power supplies are highly recommended.
Network TAPs require additional hardware, so are not as cheap as technologies that leverage capabilities that are built-in to the network. They are easier to manage and normally provide more data than some network devices though.
Network TAPs can require channel bonding on monitoring devices to get around the problem with full-duplex discussed above. Vendors usually refer to this as aggregation as well.
Putting a network TAP into place can disrupt the network being monitored for a short time. It's better than taking a network down multiple times to deploy a monitoring tool though. Establishing good guidelines for placement of network taps is recommended procedure.
Monitoring large networks using network Taps can require a lot of monitoring devices. Some argue that other technologies scale better.[citation needed] SPAN ports are presumed free, but require more configuration than TAPs.
Even fully passive network TAPs introduce new points of failure into the network. There are several ways that taps can cause problems and this should be considered when creating a tap architecture. Consider non-powered taps for optical-only environments. This allows you to modify the intelligent aggregation taps that may be in use and avoids any complications when upgrading from 100 Megabit to Gigabit to 10 Gigabit. Redundant power supplies are highly recommended.
Subscribe to:
Posts (Atom)