Any system is only as good as the data that is put into it. This concept has wide-ranging applicability, especially when it comes to networking. Whether it is your cloud environment, analytics tools, IPS (Intrusion Prevention System) or IDS (Intrusion Detection System), those systems will only ever be as effective as the data submitted to them. Where you acquire this data, and whether you see the entire data stream, has never been more important. In this post we will discuss the reasons for this, and how to achieve it with in-line network taps.
Seeing the entire network traffic is key, and this may not be as simple as mirroring your traffic to a SPAN port on a switch. Many modern firewalls and switches will, by default, drop or modify much of the network traffic that they deem to be errors. For most applications this is acceptable and is done to reduce bandwidth and latency. But when it comes to supplying network traffic to security-related applications, all the raw data is needed. Fragmented packets, floods of SYN/RST packets and frames with CRC errors, all of which can be dropped or modified, need to be seen.
Visibility into fragmented packets is important to any security appliance or application, due to the high likelihood that fragmentation is a sign your network is being scanned or fingerprinted. IP fragments can be used to shield TCP packets from firewall filters. Usually, a firewall will try to reassemble these packets and then forward them on (assuming they are not filtered out). If you place your network tap on a switch behind the firewall, you may miss the raw traffic that your network security appliance or application should be analyzing. IP fragmentation can also be a sign of an ongoing DoS (Denial of Service) or DDoS (Distributed Denial of Service) attack targeted at your network or at something on it.
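To show what a monitoring tool fed from a tap in front of the firewall can see that a tool behind it cannot, here is an added example (not code from this post or from Datacom Systems) that decodes raw IPv4 headers, flags fragments via the MF bit and fragment offset, and counts fragments per source address. The packets are constructed sample data using documentation addresses; the threshold of three fragments per source is an arbitrary assumption for illustration.

```python
import struct
from collections import Counter

def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header (RFC 791) from raw bytes."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = fields
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    flags = flags_frag >> 13              # bits: reserved, DF, MF
    return {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "id": ident,
        "proto": proto,
        "df": bool(flags & 0x2),
        "mf": bool(flags & 0x1),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # offset is in 8-byte units
        "total_len": total_len,
    }

def is_fragment(hdr: dict) -> bool:
    """A packet is a fragment if More Fragments is set or it is not the first piece."""
    return hdr["mf"] or hdr["frag_offset"] > 0

def fragment_report(packets, threshold=3):
    """Count fragments per source; return (counts, sources at or above threshold)."""
    counts = Counter()
    for pkt in packets:
        hdr = parse_ipv4(pkt)
        if is_fragment(hdr):
            counts[hdr["src"]] += 1
    flagged = sorted(s for s, n in counts.items() if n >= threshold)
    return counts, flagged

def make_ipv4(src, dst, ident, mf, frag_units, proto=6, payload_len=8):
    """Build a constructed IPv4 header plus dummy payload (checksum left as 0)."""
    flags_frag = (0x2000 if mf else 0) | (frag_units & 0x1FFF)
    ip = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_frag, 64, proto, 0, ip(src), ip(dst))
    return hdr + b"\x00" * payload_len

# Constructed sample: one whole packet, a three-piece fragment train from one
# source (the kind a firewall would reassemble), and a lone fragment from another.
SAMPLE = [
    make_ipv4("192.0.2.10", "198.51.100.1", 1, mf=False, frag_units=0),
    make_ipv4("198.51.100.7", "192.0.2.20", 7, mf=True, frag_units=0),
    make_ipv4("198.51.100.7", "192.0.2.20", 7, mf=True, frag_units=1),
    make_ipv4("198.51.100.7", "192.0.2.20", 7, mf=False, frag_units=2),
    make_ipv4("203.0.113.9", "192.0.2.20", 9, mf=True, frag_units=0),
]
```

Running `fragment_report(SAMPLE)` flags only the source that sent the full fragment train; a tap placed behind the firewall would typically hand the tool the reassembled packet instead, and the per-source fragment count would never be observed.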
With modern network design revolving around high-availability and redundancy, a common question is this:
Where do I pull data from that does not compromise my network while also capturing all of it? The answer typically puts network taps in places where a failure would cause a total network outage. To prevent this, you need a tap that, if a failure were to occur, would not cause a loss of network functionality. This is easily achieved on fiber-based networks with fiber taps, but is more complex on copper-based networks. Copper-based network taps require an internal switching mechanism, which requires power. Thus, if power to the tap is lost or it fails in some other way, the tapped link needs to remain viable and allow traffic to flow unimpeded.
Datacom Systems has several solutions to this problem, one being the CTP-1000. The CTP-1000 taps a full-duplex 1G copper network link. It allows tools such as an IDS to perform analysis or act based on the data copies it sees in real time. In Non-Aggregated mode, separate copies of the Rx and Tx traffic are provided to a single tool with dual capture NICs. It also features a relay-based passive bypass mechanism, which keeps the network link up even if the tap loses power. A convenient rear slider switch allows the CTP-1000 to also be used in Aggregated mode. This mode can be used if utilization of the 1G line is below 50%. It merges the Rx/Tx data copies, sending identical merged streams out each of the two monitor ports. This allows tools with only a single capture NIC to see the entire conversation, and also allows two different types of tools (e.g. a packet sniffer and an IDS) to view the same data simultaneously. Contact our sales team to arrange a technical discussion about the CTP-1000 and how other in-line network taps can help secure your network.