TAP’s Demystified
June 16th 2010
Samuel Battaglia
Technical Manager | Network Critical
SHARKFEST ‘10 | Stanford University | June 14-17, 2010

Overview
• What are TAP’s?
• Why TAP?
• Modes
• Options
• Technology
• Portable Analysis
• Configuration

• Analyze
• Capture
• Access

What are TAP’s?
Traffic Access Point
An inline network device that provides access to data as it traverses a network media.
• Deployed Inline
  – TAP’s Process All Frames on the Media
• Gaining Popularity
  – TAP’s can be Active or Passive Devices

Why TAP?
• VoIP Monitoring
• Protocol Analysis
• Server & Workstation Monitoring
• Compliance & Data Leakage Detection
• Intrusion Detection & Prevention
• The security group is hogging all the SPAN ports and they never let me sniff any data…

Why TAP? There are lots of reasons…
• Multiple groups will need access to data
• More groups will require copies of data
• What happened to my HUB?!
• SPAN ports are slim pickings

TAP Modes
• Breakout (Directional Outputs)
• Aggregating (Combined Outputs)
• Regenerating (Duplication/Replication of Data)
• Aggregating Regenerating (TAP and SPAN)
• Aggregating/Filtering Backplane
• Advanced Backplane Operations

TAP Options
• Link Failure\Integrity\State Propagation
• Fail-to-Safe, Fail-to-Wire, Fail Closed
• Link Lock, Passive Copper (10/100 only)
• PoE Passive/Pass Through, Not Always PoE+

TAP Technology: Passive TAP
• Benefits
  – TAP once and done
  – Live devices link directly with each other
  – Allows simple monitoring applications
  – Passes L2 errors
  – Link maintained on power state change
• Things to Consider
  – Some degradation of live signal
  – Proper deployment

TAP Technology: Active TAP
• Benefits
  – Allows complex monitoring applications
  – Allows traffic to be injected into live links
  – No degradation of live signal
• Things to Consider
  – May discard link errors (Switch vs FPGA)
  – Link is lost on power state change
  – Live network devices link with TAP

TAP Technology: Passive Components
• Copper 10/100M Links
  – Manipulate traces and PHY connections
  – Live devices physically connected
  – Power state change is non-impactful
• Fiber 100M, 1G, 10G+ Links
  – Optical splitters/couplers
  – Isolates production and monitor data-paths
  – Can provide 100% passive monitoring

TAP Technology: Optical Fiber Splitter/Coupler

TAP Technology: Active Components
• Copper 10/100/1G Links
  – Fast acting copper relays
• Fiber 1G, 10G+ Links
  – Optical bypass switches

TAP Technology: Active Components
• Fast Acting Copper Relays / Optical Switches
  – Non-Latching
    • Do NOT require power to fail closed
    • Less complex
  – Latching
    • DO require power and a trigger to activate
    • More flexible

TAP Technology: Optical Fiber Bypass Switch

TAP Technology: Core Components
• Switch Chip Based Designs
  – Familiar architecture and compatibility
  – Built in functionality
  – Designed for specific tasks
  – Counts malformed frames and errors
  – May not pass error frames
• Field-Programmable Gate Array (FPGA)
  – An integrated circuit designed to be configured after manufacturing
  – Extreme flexibility allows complex applications
  – Passes malformed frames and errors
  – Oversized and custom frame types
  – Byte offset matching and slicing
• Fiber Transceiver
  – Two pieces of directional optics
  – Transmitter – Only capable of sending
  – Receiver – Only capable of capture
  – Form factors – SFF, SFP, SFP+
• PHY (Physical Layer)
  – PCS, PMA, PMD
  – Connects RJ45/transceiver to Switch (or FPGA)
  – Handles link negotiation and line protocols
  – Broadcom, Marvell, Intel, VIA

Deployment

Deploying TAP’s: Things to Consider
• Not all patch cables are created equal
  – OM1 (Orange), OM2 (Grey), OM3 (Teal)
• Fiber cables may be crossover
• 10/100 network cabling (MDI, MDIX)
• Consider overall cable lengths

Portable Analysis: Laptop Challenges
• Where’s the Fiber port?!
• Performance of receive and capture is limited
• 1G capture appliances are not very portable
• 1 Gbps is still a LOT of data

Portable Analysis: Solutions
• TAP’s for Media Conversion
• Modify the Capture Buffer Size
• Filter on TAP Hardware

Portable Analysis: Media Conversion
• Copper to Copper
• Copper to Fiber
• Fiber to Copper
• Fiber to Fiber

Portable Analysis: Bump the Capture Buffer

Portable Analysis: Filter on TAP

Filtering

Configuration
• Breakout Mapping
• Aggregation Mapping
• Aggregated & Filtered Mapping

Backplane Connections
Source and Destination Ports

FYI
• TAP's with Batteries
  – Require Maintenance
  – Special Shipping Handling
  – Existing UPS Infrastructure

Be Cautious
• Fast Linking Gigabit
  – Modifies Normal Auto-negotiation
  – Not Standard Ethernet Procedure
  – Is NOT 100% Guaranteed

Other Useful Bits
• Facts About Fiber Optics
  www.networkcritical.com/sharkfest/fiber
• Ethernet Negotiation – Rich Hernandez
  www.networkcritical.com/sharkfest/autoneg
• Perils of the Network: Duplex Conflicts – Apparent Networks
  www.networkcritical.com/sharkfest/duplex
• Catalyst SPAN Configuration – Cisco
  www.networkcritical.com/sharkfest/ciscospan
• TAP vs SPAN – Tim O’Neill
  www.networkcritical.com/support/document-library/TAP-vs-SPAN
• DIY 10/100 access?
  www.hackaday.com/2008/09/14/passive-networking-tap

Thank You!
sam@networkcritical.com
716-558-7280
See you next year!