When deciding how to deliver traffic to a network IDS, security administrators eventually run into the question: should I use taps or SPAN ports?
This article walks through the pros and cons of each option and closes with a couple of recommendations.
What is a tap?
A tap, or network tap, is typically a piece of hardware that sits inline on the link between two network devices.
Tap designs range from a hacked-together passive 10/100 tap to a 100 Gigabit fiber tap, but the premise is the same: sit between two network devices and produce a copy of the traffic passing between them.
For 10/100 copper Ethernet, tapping is straightforward. Transmit and receive each use a dedicated wire pair, so each direction can be split onto its own monitor connection with nothing but copper; in theory you can build a simple passive tap from a network cable and two keystone jacks. Fiber optic taps are simpler still: an optical splitter diverts a fraction of the light on each strand to a monitor output. The trade-off is insertion loss, since the splitter takes part of the optical power (commonly a 70/30 or 50/50 split), so the link budget must have headroom for it.
Gigabit copper Ethernet (1000BASE-T) needs a more complex tap. It transmits and receives simultaneously on all four pairs using PAM-5 modulation and echo cancellation, so the two directions cannot be separated by splicing wires. Gigabit copper taps are therefore active devices that terminate the link electrically, regenerate it toward the other side, and feed copies to the monitor ports. They need power, and many include a fail-to-wire bypass so the link survives a loss of power to the tap.
Tap Pros
- Management
  - Requires a physical device, so it is less likely to be unplugged
  - Less likely to be missed when changes happen
- Easy to troubleshoot
  - Is it plugged in?
  - Does the light blink?
- Completely passive
  - A tap has no transmit path from its monitor ports into the monitored link, so the sensor cannot inject traffic and cannot be reached through the tap
  - In practice no frames are dropped
- Transmit and receive are delivered on separate connections
  - On highly utilized links the combined traffic can exceed the capacity of a single monitor connection (a full-duplex 1 Gbps link carries up to 2 Gbps); handing each direction to its own connection keeps each output within its capacity
Tap Cons
- Requires multiple sensor interfaces to receive the traffic
  - Can be awkward with failover hardware: a single failover pair of firewalls has two links to tap, each yielding two outputs, so four sensor connections are needed
  - Can be mitigated with an aggregation switch that combines the tap outputs into one feed (which reintroduces the oversubscription risk of a single connection, so size that feed accordingly)
- Additional purchase cost
  - Can range from roughly 500 to 1500 per tap depending on features
- Cannot see traffic that never leaves the switch
  - For example, traffic the switch routes between VLANs internally, or traffic between two hosts on the same switch
What is a Span Port?
A SPAN port (sometimes called a mirror port) is a software-based method of copying traffic from one or more source ports (or VLANs) and transmitting the copies out of a destination port. The name comes from Cisco, which called the feature Switched Port ANalyzer.
This obviously requires a switch or router that supports it, as well as enough forwarding capacity on the switch to send the copies without starving production traffic. The
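As an added example (not from the original article), here is what a local SPAN session looks like in Cisco IOS syntax on a Catalyst-style switch, with the oversubscribed form next to a corrected one. Interface names, session numbers and the VLAN ID are placeholders, and the number of sessions allowed, whether a port may be a source in more than one session, and support for the `encapsulation replicate` keyword vary by platform:

```cisco
! Added example, not the article's configuration. Catalyst-style IOS syntax;
! interface names, session numbers and VLAN IDs are placeholders.

! --- Oversubscribed: both directions of a 1G port into a 1G destination ---
! A full-duplex 1 Gbps link carries up to 2 Gbps combined, but the
! destination can only transmit 1 Gbps. The switch drops the excess
! without logging it, and the IDS sees one-sided or gappy flows.
monitor session 1 source interface GigabitEthernet1/0/1 both
monitor session 1 destination interface GigabitEthernet1/0/24

! --- Corrected: a destination with headroom, 802.1Q tags preserved ---
! Without "encapsulation replicate" many platforms strip the VLAN tag
! from the mirrored copy, so the sensor cannot tell VLANs apart.
no monitor session 1
monitor session 1 source interface GigabitEthernet1/0/1 both
monitor session 1 destination interface TenGigabitEthernet1/1/1 encapsulation replicate

! --- If only 1G sensor ports exist: one direction per destination ---
! This mimics what a tap does with its separate TX and RX outputs.
! Platform permitting: not every model allows a port to be a source in
! two sessions, and local session counts are small.
monitor session 2 source interface GigabitEthernet1/0/1 rx
monitor session 2 destination interface GigabitEthernet1/0/23
monitor session 3 source interface GigabitEthernet1/0/1 tx
monitor session 3 destination interface GigabitEthernet1/0/24

! --- Seeing traffic the switch routes internally between VLANs ---
! A VLAN source captures frames the switch receives on that VLAN,
! including ones that never leave on a physical uplink.
monitor session 4 source vlan 10 rx
monitor session 4 destination interface GigabitEthernet1/0/22

! --- Verify ---
show monitor session all
show interfaces TenGigabitEthernet1/1/1 | include drops
```

`show monitor session all` confirms what is actually being mirrored, and the output-drop counter on the destination interface is the first place to look when the sensor starts reporting one-sided flows.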
Span Pros
- Low cost
  - Built into most managed switches
- Easy to configure
  - Most network engineers can configure it
  - My home switch has this functionality
- Can monitor internal connections, such as VLANs that are routed on the switch itself
- Can aggregate several 1 Gbps source ports into a single 10 Gbps destination port
Span Cons
- Difficult to troubleshoot
  - Oftentimes I see asymmetric traffic patterns
  - Difficult to diagnose packet loss, since the switch silently drops mirrored frames it cannot deliver
- Can cause issues with networking equipment
  - Over-utilized links and under-performing network equipment can lead to downtime, because mirroring consumes the same forwarding resources as production traffic
- Can oversubscribe a single output
  - One 1 Gbps full-duplex link carries up to 2 Gbps of data (1 Gbps in each direction), but the destination port can only transmit 1 Gbps; the excess is dropped
- Hardware errors are not visible
  - Frames with CRC errors, runts and similar faults are discarded by the switch before mirroring, so the sensor never sees them
- Depending on vendor and implementation, cannot monitor VLAN trunks, or strips the 802.1Q tags from the mirrored copies so the sensor cannot tell VLANs apart
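The two troubleshooting complaints above (asymmetric traffic and silent packet loss) can be checked from the sensor side rather than guessed at. The following is an added example, not code from the article: a small audit over Zeek conn.log records that flags TCP flows where only the originator's packets were captured, and flows where Zeek reported missed bytes. It assumes Zeek's default tab-separated conn.log field order; the five log records embedded in it are constructed for the example.

```python
"""Audit a Zeek conn.log for symptoms of a bad SPAN feed.

Added example for this article, not the author's code.  It reads conn.log
records in Zeek's default tab-separated layout and flags two symptoms that
usually point at the mirror session rather than at the IDS:

  * TCP flows whose ``history`` has only uppercase letters even though the
    originator completed the handshake.  Zeek logs originator-side events
    in uppercase and responder-side events in lowercase, so this means the
    responder's direction was never captured (asymmetric mirror, or only
    one direction reaching the sensor).
  * Flows with ``missed_bytes`` > 0, i.e. Zeek saw a hole in the TCP
    stream, which on an oversubscribed destination port means drops.

The five records in SAMPLE_CONN_LOG are constructed for this example.
"""

# Field order of Zeek's default conn.log (the #fields header line).
FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
    "proto", "service", "duration", "orig_bytes", "resp_bytes",
    "conn_state", "local_orig", "local_resp", "missed_bytes", "history",
    "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes",
    "tunnel_parents",
]


def _rec(*values):
    """Build one tab-separated conn.log line from positional field values."""
    if len(values) != len(FIELDS):
        raise ValueError(f"need {len(FIELDS)} values, got {len(values)}")
    return "\t".join(values)


SAMPLE_CONN_LOG = "\n".join([
    "#fields\t" + "\t".join(FIELDS),
    # healthy HTTP session: both directions seen, no gap
    _rec("1700000000.10", "Cok1", "10.0.0.5", "51000", "93.184.216.34", "80",
         "tcp", "http", "0.42", "512", "4096", "SF", "T", "F", "0",
         "ShADadFf", "7", "880", "6", "4400", "-"),
    # originator side only: S, A, D, F all uppercase, zero responder packets
    _rec("1700000001.20", "Casym", "10.0.0.7", "51001", "10.0.1.9", "443",
         "tcp", "-", "1.10", "900", "0", "OTH", "T", "T", "0",
         "SADF", "9", "1300", "0", "0", "-"),
    # both directions seen, but Zeek reported a 2 KB hole in the stream
    _rec("1700000002.30", "Cgap", "10.0.0.8", "51002", "10.0.1.10", "445",
         "tcp", "smb", "3.00", "12000", "60000", "SF", "T", "T", "2048",
         "ShADadFf", "40", "14000", "55", "62000", "-"),
    # unanswered SYN: uppercase only, but the originator never got past S
    _rec("1700000003.40", "Cscan", "10.0.0.9", "51003", "10.0.1.11", "22",
         "tcp", "-", "-", "-", "-", "S0", "T", "T", "0",
         "S", "1", "60", "0", "0", "-"),
    # UDP DNS exchange, both directions seen
    _rec("1700000004.50", "Cdns", "10.0.0.5", "5353", "10.0.0.2", "53",
         "udp", "dns", "0.01", "40", "120", "SF", "T", "T", "0",
         "Dd", "1", "68", "1", "148", "-"),
])


def parse_conn_log(text):
    """Parse conn.log text into dicts keyed by FIELDS; '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        values = line.split("\t")
        if len(values) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
        records.append(dict(zip(FIELDS, values)))
    return records


def is_one_directional(rec):
    """True when every history event came from the originator although the
    originator clearly completed the handshake.

    A lone 'S' is just an unanswered SYN and is not flagged.  The originator
    cannot legitimately send its handshake ACK ('A') or data ('D') without
    first receiving a SYN-ACK, so those letters prove a reply existed that
    the sensor did not see.
    """
    hist = rec["history"]
    if rec["proto"] != "tcp" or hist == "-":
        return False
    if any(c.islower() for c in hist):
        return False
    return "A" in hist or "D" in hist


def has_content_gap(rec):
    """True when Zeek recorded missed bytes, i.e. a hole in the reassembled stream."""
    missed = rec["missed_bytes"]
    return missed != "-" and int(missed) > 0


def audit_span_feed(text):
    """Summarise the feed: record count, flagged uids, share of bad TCP flows."""
    records = parse_conn_log(text)
    report = {"records": len(records), "one_directional": [], "content_gap": []}
    tcp_flows = 0
    for rec in records:
        if rec["proto"] == "tcp":
            tcp_flows += 1
        if is_one_directional(rec):
            report["one_directional"].append(rec["uid"])
        if has_content_gap(rec):
            report["content_gap"].append(rec["uid"])
    report["one_directional_ratio"] = (
        len(report["one_directional"]) / tcp_flows if tcp_flows else 0.0
    )
    return report


if __name__ == "__main__":
    for key, value in audit_span_feed(SAMPLE_CONN_LOG).items():
        print(f"{key}: {value}")
```

A handful of one-directional flows is normal (scanners, dead hosts); a ratio that climbs across many internal destinations, or missed bytes concentrated in busy periods, is the signature of a mirror session that is dropping, and the destination port's drop counter on the switch is where to confirm it.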
Conclusion
Personally, I prefer using taps, since they are significantly easier to troubleshoot, track and manage in large environments. Additionally, the advantages of having a physical device make it more difficult to ignore or miss during network changes. Lastly, sometimes having a piece of hardware that is 100% passive can prevent troubleshooting the wrong component, greatly improving the amount of visibility one will have.