The solution to the monitoring problem that we found was a smart tap. We tested the taps from Network Critical and found that they serve very well in a variety of situations. For our work, we settled on the CriticalConneX configurable and modular tap system. This consists of a chassis with slots for two modules. We settled on two CC1220 100/1000 Aggregating Configurable TAP Modules.
Getting it to work
Our primary use for this product is monitoring both sides of a test bed with a single sniffer. We have found that by tapping around the test bed at appropriate points, we can collect data on both the input and output of the test bed, aggregate to a single input for the sniffer, and see inbound traffic and the impact of the device under test on that traffic. In reverse, we can see data leakage through an outbound filter, such as the extrusion prevention products we discussed last month.
The Network Critical product line consists of three stand-alone taps, a chassis and several modules that plug into the chassis. The products work by creating copies of the traffic passing through and sending those copies to the monitoring product. Because the tap copies the traffic rather than terminating and forwarding it, it adds no measurable latency to the link. The effect is that the monitor sees all the traffic without the traffic being affected at all.
CriticalConneX products can work up to gigabit speeds over fiber or copper. Because the tools are passive monitors duplicating traffic, if there is a failure in the tap the network is unaffected. We found this important because we occasionally stress products under test to the breaking point. It is important for us to be certain that what we broke was the device under test and not the test bed itself (including the tap).
There are a number of ways that you can deploy the taps. Usually they deploy at key monitoring points in the network. Because they are completely passive, transparent devices, they have no impact on network traffic. That means that they can go anywhere you want to get a good picture of that traffic. Additionally, they allow aggregation, so several paths can be monitored at the same time. This aggregation does not affect the individual traffic channels, so monitoring several VLANs does not require a SPAN port, which depends on switch configuration, drops frames when it is oversubscribed, and exposes all of the mirrored traffic to whatever is plugged into it.
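The two-sided test bed described above, with an upstream and a downstream tap point aggregated onto one sniffer port, has a useful property: a frame the device under test forwards unchanged is captured twice, a frame it drops is captured once, and a frame it rewrites turns up as two different once-seen frames. As an added example, not part of the original review and not Network Critical's software, the following Python uses that copy count to report what the device under test did to each frame and, for the outbound-filter case, which sensitive payloads got through. The addresses, the marker strings and the sample frames are all constructed for illustration; a real tool would fill `Frame` from a pcap.

```python
"""
Reading an aggregated tap capture from a two-sided test bed.

One tap point upstream of the device under test (DUT) and one downstream
are aggregated onto a single sniffer port, so a frame the DUT forwards
unchanged is captured twice, a frame it drops once, and a frame it
rewrites shows up as two different once-seen frames. All data below is
constructed for illustration; there is no pcap parsing here.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """Fields that should survive an unmodified pass through the DUT.

    MAC addresses and the IP TTL are deliberately left out: a routing DUT
    rewrites them, which would make every forwarded frame look modified.
    """
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    payload: bytes


def classify_aggregated(frames, dut_addrs=frozenset(), copies=2):
    """Sort frames from the aggregated capture by how many times they appear.

    Returns a dict keyed by verdict: 'passed' (seen once per tap point),
    'injected' (seen once, sourced from the DUT's own address, e.g. a reset
    it sent itself), 'dropped' (seen once from anyone else: blocked, or
    rewritten, by the DUT) and 'excess' (seen more often than there are tap
    points: a retransmission, or a tap patched onto the same link twice).
    """
    verdicts = {"passed": [], "injected": [], "dropped": [], "excess": []}
    for frame, seen in Counter(frames).items():
        if seen == copies:
            verdicts["passed"].append(frame)
        elif seen > copies:
            verdicts["excess"].append(frame)
        elif frame.src in dut_addrs:
            verdicts["injected"].append(frame)
        else:
            verdicts["dropped"].append(frame)
    return verdicts


def leaked(verdicts, markers):
    """Frames that crossed an outbound filter while still carrying a marker."""
    return [f for f in verdicts["passed"] if any(m in f.payload for m in markers)]


# Constructed sample: hypothetical addresses, with the DUT at 10.0.0.1 acting
# as an outbound filter that is supposed to block telnet and strip SSNs.
DUT_ADDRS = frozenset({"10.0.0.1"})
MARKERS = (b"SSN=",)
SAMPLE = [
    # HTTP request seen on both sides: forwarded unchanged
    Frame("192.168.1.10", "203.0.113.5", "tcp", 40001, 80, b"GET / HTTP/1.1"),
    Frame("192.168.1.10", "203.0.113.5", "tcp", 40001, 80, b"GET / HTTP/1.1"),
    # POST carrying a marker seen on both sides: the filter let it through
    Frame("192.168.1.10", "203.0.113.5", "tcp", 40002, 80, b"POST /u SSN=123-45-6789"),
    Frame("192.168.1.10", "203.0.113.5", "tcp", 40002, 80, b"POST /u SSN=123-45-6789"),
    # telnet SYN seen only upstream: the DUT dropped it
    Frame("192.168.1.10", "203.0.113.5", "tcp", 40003, 23, b""),
    # reset sourced by the DUT itself, seen only on the upstream tap
    Frame("10.0.0.1", "192.168.1.10", "tcp", 23, 40003, b"RST"),
]


def summarize(frames=SAMPLE, dut_addrs=DUT_ADDRS, markers=MARKERS):
    """Counts per verdict plus the number of frames that leaked."""
    v = classify_aggregated(frames, dut_addrs)
    out = {k: len(lst) for k, lst in v.items()}
    out["leaked"] = len(leaked(v, markers))
    return out


if __name__ == "__main__":
    for verdict, n in summarize().items():
        print(f"{verdict:9s} {n}")
```

Two caveats when running this against a real capture: a firewall that forges the far end's address on the resets it generates will have those resets counted as "dropped" rather than "injected", and a device that modifies frames produces a once-seen frame on each side, so a rewrite shows up as two "dropped" entries that differ only in the rewritten field.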
We have found that setting up the taps is uniformly fast and simple. All that really is required is an understanding of your network topology, what you want to monitor and where that traffic will pass. Insertion of the taps is most easily done from a patch panel, and we simply patch the tap inline on the test bed. From that point on we can patch and unpatch monitoring tools, such as sniffers, IDSs or, as in the case of one of the data leakage tools reviewed elsewhere in this issue, a special purpose appliance, without touching the live link.
Deployment
There are a number of peripheral products that can be used with the taps. As mentioned, one of the data leakage prevention tools we reviewed this month requires a tap, but other types of devices actually work better, in some cases, if they are tapped instead of spanned. We have experimented with some types of content management products, for example.
We really liked the modular approach because our lab environment is always changing. For organizations with more stable environments this approach still allows quite a combination of choices. Additionally, as we all know, the enterprise is almost a living organism: the topology changes frequently. Having a modular tool such as this one allows one to change on a dime for not a lot more money.
The key requirement is that the monitoring product only observes data: it is isolated from the live data stream, receives its copy from the tap, and reports through a separate out-of-band port to some other server. Many content monitoring products have one port that they use to sniff the network and another port that delivers data to some sort of server for action. These products act like smart sniffers and do not usually intercept data; rather, they perform some sort of logging or notification. Because the tap's monitor port only sends toward the sniffer, nothing the monitoring host emits on that port can reach the tapped link. Our experience is that the tap makes this more efficient, and the effect is that the monitoring function is completely out-of-band.
The Network Critical CriticalConneX Configurable and Modular TAP System is rated SC Magazine Lab Approved. — PS
Product: CriticalConneX and CriticalTAP systems
Company: Network Critical
Availability: Now.
Price: CC1020 CriticalConneX Chassis is $2,995 (+); CriticalTAP Module Starting at $1,995.
What it does: Allows tapping of networks for out-of-band monitoring.
What we liked: Simplicity, isolation from the live network, and faithful reproduction of the data stream.
What we didn't like: Nothing. Our suite works beautifully in the SC Lab environment.