The Fundamentals of Network Taps

By: Jose Anes, June 17, 2019

Network taps are external appliances that sit between network devices to copy and monitor traffic. Because network connectivity and data security form the backbone of any business, it’s crucial to have pervasive visibility of all traffic. Taps are one of the core network visibility tools that ensure you gain insight from every packet that flows into and out of your connected systems.

But not all network taps are created equal. To get the most out of these network monitoring tools, you need to ensure you’re deploying the right tools for the right reasons. This overview of how network taps fit into a network visibility layer should help.

Four Use Cases for Deploying Network Taps

The first network taps were designed to provide access to data packets without interrupting traffic flow across the wire. And while that overall objective remains, the ever-increasing speed and complexity of your network require more advanced visibility solutions.

Now, you need to ensure every security and monitoring tool can see 100% of network data to guarantee optimal performance. With a need to monitor tools ranging from next-gen firewalls to data leakage protection, application performance monitoring, SIEM, digital forensics, intrusion prevention systems, intrusion detection systems, and beyond, network taps have evolved.

Designing an effective network visibility layer means deploying the right taps for the right functions. When choosing which network taps to deploy, the following four use cases will help maximize visibility for both monitoring and security tools.

  • Complete Traffic Copy and Availability: The most basic network tap use case is to provide a copy of 100% of traffic between two nodes. Unlike SPAN ports that can drop packets due to oversubscription, network taps can be placed on high-traffic links to aggregate and analyze data without impacting network performance.
  • Filtering Packets for Optimal Performance and Load Balancing: Not every monitoring and security tool needs a 100% copy of data. Trying to stream traffic in real time to all network monitoring tools will result in oversubscription and diminish network performance. But with network taps that offer filtering capabilities, you can aggregate data from multiple points and distribute it accordingly to multiple out-of-band tools.
  • Aggregate Links for Networking Efficiency: You can only stretch IT budgets so far when trying to deploy the right combination of network monitoring and security appliances. At a certain point, you simply can’t keep adding to the complexity of the network. Network taps can aggregate multiple network traffic flows (both eastbound and westbound) and send them to attached devices through a single port. This helps reduce the number of network monitoring tools you need.
  • Bypass Capabilities to Avoid Points of Failure: Many security devices need to be placed in-line to effectively block malicious activity from affecting network performance or enabling data breaches. Bypass capabilities ensure traffic flows are uninterrupted even if security devices fail. And they also give network admins the ability to conduct maintenance without creating downtime.

All of these tap use cases/functions will play a role in a properly-designed network visibility layer. However, when it comes time to actually invest in the devices you’re going to deploy across your network, it’s important to understand the differences between the two main categories of network taps—active and passive.

Active Network Taps vs. Passive Network Taps for Total Visibility

Choosing an active or passive network tap will greatly impact use cases and deployment options. Knowing the difference will be a critical factor in building your network visibility layer.

When you start to build your network security infrastructure, choose network monitoring tools, and design a network visibility layer, tap choices should start with a decision between these two categories:

  • Active Network Taps: These network taps use an active switching configuration to copy traffic. They also require a power source to send and receive traffic packets across the network. Copies are regenerated without any loss of signal power and, even in case of power failure, traffic flows remain uninterrupted. These types of taps are especially useful in networks that use copper cabling and in cases where there is a need to convert media and accommodate different tools.
  • Passive Network Taps: Unlike active taps, passive network taps don’t require a power supply to work. Because they have no chance of becoming a point of failure, passive taps are often preferred to active ones. Passive taps create copies of traffic using an optical splitter that is unidirectional. When evaluating network taps for your specific needs, pay close attention to split ratios, power budgets, and light loss for an understanding of which use cases a passive tap will cover.
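The split-ratio and power-budget check mentioned for passive taps can be worked through in code. This is an added example, not from the original article; the transceiver figures, excess loss, safety margin and path losses are constructed sample values, so substitute the numbers from your own optic and tap datasheets.

```python
import math

# Constructed sample figures; take real ones from the optic and tap datasheets.
TX_MIN_DBM = -9.5      # worst-case transmit power of the sending optic
RX_SENS_DBM = -17.0    # receiver sensitivity of the receiving optic
EXCESS_DB = 0.5        # assumed splitter excess loss beyond the ideal split
MIN_MARGIN_DB = 1.0    # assumed safety margin for aging and dirty connectors


def split_loss_db(fraction):
    """Loss on a splitter leg that receives `fraction` (0-1) of the light."""
    if not 0 < fraction < 1:
        raise ValueError("fraction must be between 0 and 1")
    return -10 * math.log10(fraction) + EXCESS_DB


def leg_margin_db(fraction, path_loss_db):
    """dB left above receiver sensitivity after path and splitter loss."""
    received_dbm = TX_MIN_DBM - path_loss_db - split_loss_db(fraction)
    return received_dbm - RX_SENS_DBM


def evaluate_ratios(ratios, network_path_db, monitor_path_db):
    """For each network-leg percentage, report the margin on both legs.

    A passive splitter is unidirectional, so the result applies to one
    direction of the link; a full-duplex link repeats it for the other fiber.
    """
    report = {}
    for net_pct in ratios:
        net = leg_margin_db(net_pct / 100, network_path_db)
        mon = leg_margin_db((100 - net_pct) / 100, monitor_path_db)
        report[net_pct] = {
            "network_margin_db": round(net, 2),
            "monitor_margin_db": round(mon, 2),
            "ok": net >= MIN_MARGIN_DB and mon >= MIN_MARGIN_DB,
        }
    return report


if __name__ == "__main__":
    # Constructed path losses (fiber + connectors, excluding the tap itself).
    for pct, row in evaluate_ratios([50, 70, 90], 2.6, 1.8).items():
        print(f"{pct}/{100 - pct}: {row}")
```

With these sample figures only the 50/50 split leaves both legs above the margin. At 70/30 and 90/10 the production link stays healthy while the monitor leg drops below receiver sensitivity, which means the monitoring tool can lose packets without the network showing any fault.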

With an understanding of these two categories as well as the different use cases for network taps, you can make informed decisions when designing for pervasive visibility.

Tapping Critical Links Is a Necessity, Not a Luxury

Since the creation of network taps, there have been discussions of whether to tap critical links or use SPAN ports to maintain visibility. But as networking demands increase, there is no doubt that all critical links should be tapped for maximum performance and visibility.

Network taps are just one component of a pervasive visibility layer. They should be accompanied by the right combination of network packet brokers and bypass switches to give you the necessary foundation to support all monitoring and security solutions.

If you want to learn more about what it takes to deploy the right network taps and maintain visibility as your network becomes more complex, download our free white paper, Network Visibility: A clearer View of Your Network.
