sharkfest ‘10 | stanford university | june 14–17, 2010 tap’s demystified june 16 th 2010...

SHARKFEST ‘10 | Stanford University | June 14–17, 2010

TAP’s DemystifiedJune 16th 2010

Samuel BattagliaTechnical Manager | Network Critical

SHARKFEST ‘10Stanford UniversityJune 14-17, 2010


Overview

• What are TAP’s?• Why TAP?• Modes• Options• Technology• Portable Analysis• Configuration


• Analyze• Capture• Access


What are TAP’s?


What are TAP’s?

Traffic Access Point

An inline network device that provides accessto data as it traverses a network media.


What are TAP’s?


What are TAP’s?

• Deployed Inline– TAP’s Process All Frames on the Media


What are TAP’s?

• Gaining Popularity– TAP’s can be Active or Passive Devices


What are TAP’s?


Why TAP?


Why TAP?

• VoIP Monitoring• Protocol Analysis• Server & Workstation Monitoring• Compliance & Data Leakage Detection• Intrusion Detection & Prevention• The security group is hogging all the SPAN

ports and they never let me sniff any data…


Why TAP?

There are lots of reasons…

• Multiple groups will need access to data• More groups will require copies of data• What happened to my HUB?!• SPAN ports are slim pickings


Modes


TAP Modes

Breakout (Directional Outputs)


TAP Modes

Aggregating (Combined Outputs)


TAP Modes

Regenerating (Duplication/Replication of Data)


TAP Modes

Aggregating Regenerating (TAP and SPAN) ew


TAP Modes

Aggregating/Filtering Backplane


TAP Modes

Advanced Backplane Operations


Options


TAP Options

• Link Failure\Integrity\State Propagation


TAP Options

• Fail-to-Safe, Fail-to-Wire, Fail Closed


TAP Options

• Link Lock, Passive Copper (10/100 only)


TAP Options

• PoE Passive/Pass Through, Not Always PoE+


Technology


TAP Technology

Passive TAP• Benefits– TAP once and done– Live devices link directly with each other– Allows simple monitoring applications– Passes L2 errors– Link maintained on power state change

• Things to Consider– Some degradation of live signal– Proper deployment


TAP Technology

Active TAP• Benefits– Allows complex monitoring applications– Allows traffic to be injected into live links– No degradation of live signal

• Things to Consider– May discard link errors (Switch vs FPGA)– Link is lost on power state change– Live network devices link with TAP


TAP Technology

Passive Components• Copper 10/100M Links– Manipulate traces and PHY connections– Live devices physically connected– Power state change is non-impactful

• Fiber 100M, 1G, 10G+ Links– Optical splitters/couplers– Isolates production and monitor data-paths– Can provide 100% passive monitoring


TAP Technology

Optical Fiber Splitter/Coupler


TAP Technology


TAP Technology

Active Components• Copper 10/100/1G Links– Fast acting copper relays

• Fiber 1G, 10G+ Links– Optical bypass switches


TAP Technology

Active Components• Fast Acting Copper Relays / Optical Switches– Non-Latching• Do NOT require power to fail closed• Less complex

– Latching• DO require power and a trigger to activate• More flexible


TAP Technology

Optical Fiber Bypass Switch


TAP Technology

Core Components• Switch Chip Based Designs– Familiar architecture and compatibility– Built in functionality– Designed for specific tasks– Counts malformed frames and errors– May not pass error frames


TAP Technology

Core Components• Field-Programmable Gate Array (FPGA)– An integrated circuit designed to be configured after

manufacturing– Extreme flexibility allows complex applications– Passes malformed frames and errors– Oversized and custom frame types– Byte offset matching and slicing


TAP Technology

Core Components• Fiber Transceiver– Two pieces of directional optics– Transmitter – Only capable of sending– Receiver – Only capable of capture– Form factors – SFF, SFP, SFP+


TAP Technology

Core Components• PHY (Physical Layer)– PCS, PMA, PMD– Connects RJ45/transceiver to Switch (or FPGA)– Handles link negotiation and line protocols– Broadcom, Marvell, Intel, VIA


TAP Technology


Deployment


Deploying TAP’s


Deploying TAP’s

Things to Consider• Not all patch cables are created equal– OM1 (Orange), OM2 (Grey), OM3 (Teal)

• Fiber cables may be crossover• 10/100 network cabling (MDI, MDIX)• Consider overall cable lengths


Portable Analysis


Portable Analysis

Laptop Challenges• Where’s the Fiber port?!• Performance of receive and capture is limited• 1G capture appliances are not very portable• 1 Gbps is still a LOT of data


Portable Analysis

Solutions• TAP’s for Media Conversion• Modify the Capture Buffer Size• Filter on TAP Hardware


Portable Analysis: Media Conversion

Copper to Copper

Fiber to Copper

Copper to Fiber

Fiber to Fiber


Portable Analysis: Bump the Capture Buffer


Portable Analysis: Filter on TAP


Filtering


Configuration


Configuration

Breakout Mapping


Configuration

Aggregation Mapping


Configuration

Aggregated & Filtered Mapping


Backplane Connections

Source and Destination Ports


Configuration


FYI

• TAP's with Batteries– Require Maintenance– Special Shipping Handling– Existing UPS Infrastructure


Be Cautious

• Fast Linking Gigabit– Modifies Normal Auto-negotiation– Not Standard Ethernet Procedure– Is NOT 100% Guaranteed


Other Useful BitsFacts About Fiber Optics

www.networkcritical.com/sharkfest/fiber

Ethernet Negotiation – Rich Hernandezwww.networkcritical.com/sharkfest/autoneg

Perils of the Network: Duplex Conflicts – Apparent Networkswww.networkcritical.com/sharkfest/duplex

Catalyst SPAN Configuration – Ciscowww.networkcritical.com/sharkfest/ciscospan

TAP vs SPAN – Tim O’Neillwww.networkcritical.com/support/document-library/TAP-vs-SPAN

DIY 10/100 access?www.hackaday.com/2008/09/14/passive-networking-tap


Thank You!

[email protected]

See you next year!

sharkfest ‘10 | stanford university | june 14–17, 2010 tap’s demystified june 16 th 2010...

Documents

stanford university

options slide

technology slide

poe slide

media slide

closed slide

capture access slide

span ew slide