An In-depth Look at TAPs and SPAN Ports

Are you worried about your network’s security? Given the rise in cyber-attacks, many organizations are rightfully focusing on fortifying their digital fortress. A crucial part of this process is gaining complete visibility into your network to identify what traffic is good and what might pose a threat.

Security Information and Event Management (SIEM) tools like Splunk have become increasingly popular for their ability to analyze network traffic and flag potential threats. To feed these SIEM tools with the necessary data, you have two main options: Test Access Points (TAPs) and Switched Port Analyzer (SPAN) ports.

But Why Do I Need It?

In today’s digital age, having a fortified network is not enough; you need to know who’s on it and what they’re doing. TAPs and SPAN ports help provide that visibility by delivering network traffic to your SIEM for analysis.

Here’s a simplified explanation:

A TAP is like a silent observer in the middle of your network traffic, capturing an exact copy without interfering with the flow and forwarding it to the SIEM. On the other hand, a SPAN port is a feature of your network switch that performs a similar function. However, due to the numerous processes that switches handle, they may not consistently deliver all traffic to the SIEM.

The Lowdown on TAPs

1. Full Visibility: TAPs capture an exact, bi-directional copy of your network traffic, providing complete visibility without any data manipulation. You get to see everything, which is exactly what you want for comprehensive security.

2. Unbiased Data Capture: TAPs don’t discriminate based on protocol or data errors. They capture all data, and you can filter out errors if needed.

3. Passive Operation: TAPs are set-and-forget devices. Once implemented, they continuously capture and forward traffic. However, they often have optional configurations, like error checking and de-duplication, for optimized operation. For example, Gigamon TAPs offer advanced features like:

  • Traffic Intelligence: Adaptive Packet Filtering, Advanced Load Balancing, De-Duplication, Header Stripping, Masking, NetFlow Generation, Slicing, Advanced Flow Slicing, SSL/TLS Decryption, and Tunneling.
  • Application Intelligence: Application Filtering, Application Metadata, and Application Visualization.
  • Subscriber Intelligence: 5G and 4G LTE CUPS Correlation, GTP Correlation, Flow Sampling, SIP/RTP Correlation, and Video Data Records.

The Scoop on SPAN Ports

1. Potential for Over Subscription: Your switch has a lot on its plate. Relying on it to copy traffic may result in over subscription and packet drops.

2. Line Rate Not Guaranteed: Low priority traffic may be dropped, even if links aren’t overutilized. This can happen even when your link utilization is as low as 9%.

3. Performance Impact: SPAN ports could negatively impact your switch’s performance. In worst-case scenarios, CPU usage might spike to 100%.

4. Configuration Challenges: Incorrect configuration could negatively impact performance or even bring down the network.

5. Legal and Compliance Issues: SPAN ports may not pass legal and compliance audits due to the potential of missing traffic.

6. Software Bugs: Relying on software comes with the risk of encountering bugs, which could be a nightmare in a production environment.

7. Vendor Limitations: As with any technology, SPAN ports do come with certain limitations that may vary depending on the hardware vendor and the specific model of the networking equipment. For example, the Cisco Nexus series, a widely used set of switches in many enterprise networks, has the following limitations for SPAN sessions:

  1. Only two SPAN sessions can run simultaneously.
  2. Up to 128 source interfaces can be configured per session.
  3. Up to 32 source VLANs can be configured per session.
  4. Up to 32 destination interfaces can be configured per session.

These constraints are important to consider when planning your network visibility strategy. Always remember to check the specifications of your networking equipment to understand the limits and how they might impact your ability to monitor network traffic effectively.

In a nutshell, TAPs offer a robust, reliable way to capture network traffic for your SIEM. While they come with a cost, they’re an excellent investment if you value comprehensive network visibility and security.