Hardware Taps vs SPAN/Monitor Ports

Overview

When dealing with any type of security, it is always important to have visibility into the network; any decent network security architect knows this. Looking at Windows event logs and Linux syslog messages is not a solution for monitoring the network for security threats. You must monitor the "layers" of a network from entry (ingress) to exit (egress) of the data flow, as well as internal host-to-host traffic. Recall that in the OSI model layer 1, the physical layer, is made up of the cabling (Ethernet or fiber); with good physical security in place, data at that layer is very unlikely to be tampered with or modified.

The two most common methods to analyze traffic are:

  • TAP
  • SPAN Ports

A hardware tap, or network tap, is a device that sits inline with the cabling infrastructure, copies the bits (ones and zeros) on the wire, and sends the copy to another destination for use in network and application performance monitoring, security monitoring, or management. This provides packet visibility in and out of the network, depending on the placement of the tap. Without capturing the packets on the wire, network and security traffic cannot be properly inspected.

A SPAN (Switch Port ANalyzer) port is a software feature built into a switch or router that copies packets and sends them to a monitoring port (mirror port) for analysis by network monitoring and security devices. As with any feature or solution built into software, there are performance impacts that negatively affect those features. Example: hardware RAID vs. software RAID on the motherboard. Below are a few concerns when using SPAN ports:

  • SPAN ports can become oversubscribed when sampling and copying data
  • SPAN ports have lower priority when forwarding data to the mirror ports, which results in dropped packets
  • The SPAN feature on a switch or router is CPU intensive and can cause performance issues while the switch or router is processing data
  • SPAN configuration can easily be changed unknowingly, resulting in missed packets for network and security analysts
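The oversubscription and dropped-packet concerns above can be put into numbers. The following is an added example, not code from the original post: a small Python planner that models how much mirrored traffic a SPAN session can offer its destination port and what share must be dropped at peak. The port names, link speeds and utilisation figures are constructed.

```python
"""Added example (not from the original post): a SPAN oversubscription check.
A mirrored source port can contribute up to its link speed in EACH direction
(rx + tx), but the destination (mirror) port can only send at its own speed;
the excess is dropped by the switch. All names and figures are constructed."""
from dataclasses import dataclass, field
from typing import List

@dataclass
class SourcePort:
    name: str
    speed_mbps: int            # link speed of the mirrored port
    direction: str = "both"    # "rx", "tx" or "both"
    utilisation: float = 1.0   # assumed peak load per direction, 0.0..1.0

    def mirrored_mbps(self) -> float:
        """Peak rate this port can push onto the SPAN destination."""
        directions = 2 if self.direction == "both" else 1
        return self.speed_mbps * self.utilisation * directions

@dataclass
class SpanSession:
    dest_speed_mbps: int                     # link speed of the mirror port
    sources: List[SourcePort] = field(default_factory=list)

    def offered_mbps(self) -> float:
        return sum(s.mirrored_mbps() for s in self.sources)

    def oversubscription_ratio(self) -> float:
        return self.offered_mbps() / self.dest_speed_mbps

    def peak_drop_fraction(self) -> float:
        """Share of mirrored traffic that cannot fit out the mirror port at peak."""
        offered = self.offered_mbps()
        if offered <= self.dest_speed_mbps:
            return 0.0
        return 1.0 - self.dest_speed_mbps / offered

def sessions_to_compare() -> List[SpanSession]:
    """Constructed scenarios: a saturated 1G uplink mirrored both ways into a 1G
    mirror port, the same source into a 10G port, and three access ports at 30%."""
    uplink = SourcePort("Gi1/0/1", 1000, "both", 1.0)
    access = [SourcePort(f"Gi1/0/{n}", 1000, "both", 0.3) for n in range(2, 5)]
    return [SpanSession(1000, [uplink]), SpanSession(10000, [uplink]), SpanSession(1000, access)]

if __name__ == "__main__":
    for s in sessions_to_compare():
        print(f"mirror port {s.dest_speed_mbps} Mbps: offered {s.offered_mbps():.0f} Mbps, "
              f"ratio {s.oversubscription_ratio():.2f}, peak drop {s.peak_drop_fraction():.0%}")
```

A full-duplex 1G link mirrored in both directions offers up to 2 Gbps to a 1 Gbps mirror port, so half the copied traffic can be lost at peak; a hardware TAP sidesteps this by giving each direction its own monitor output.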

An old saying from back in the day helps decide where to place TAPs and when SPAN ports should be used: "TAP Where You Can, SPAN Where You Can't." If you need to troubleshoot an issue, you can easily bring a laptop with you, configure a SPAN session on the switch, and send the mirrored traffic to your laptop. Then fire up Wireshark, capture the traffic you need, and afterwards remove the SPAN configuration.

Active TAPs vs Passive TAPs

  • A passive TAP requires no power to operate and does not work with the network devices attached to it. Passive TAPs use optical splitters to send copies of packets to be analyzed and do not require configuration.

  • Active TAPs require their own power to regenerate the signals as they arrive and are copied. Unlike passive TAPs, where signals have split ratios, active TAPs receive and transmit the messages at the same power or light strength that arrived at the TAP. The single point of failure for active TAPs is power loss, as the signals can then no longer be regenerated. Some active TAPs have a bypass feature in which the hardware tap will allow signals to continue even when the active TAP suffers a power loss.

In the lab, I will be using a Gigamon GigaVUE-420 2U hardware tap with an additional expansion bay offering four RJ-45 ports and four SFP ports. The GigaVUE-420 has a console port and a management port, as well as four RJ-45 ports for transmit/receive and "tool" ports, otherwise known as monitoring ports, for data analysis.

In part 1 of my network security lab, I will explain the physical topology and how the cabling will be completed.