Experiences with "advanced" network taps.

Darren Bolding darren at bolding.org
Mon May 23 18:34:18 PDT 2011 

We are planning on purchasing some network taps for a couple of locations in
our network, and we expect to make significantly greater use of them in the
next year or two.

Something that is new since I last investigated taps (it has been a while)
is that many of them now allow for functionality I would typically think of
as far outside what a simple tap does.

For example:

Selective forwarding of packets based on MAC address, TCP/UDP port, IP
address range etc.
Selective forwarding/load balancing based on flow, so that you can
distribute traffic across a cluster of devices (e.g. IDS or netflow probes)
Ability to insert a device (firewall, IDS, etc) into the network flow and
via software configuration bypass traffic around the device- e.g. able to
quickly drop a device out of the network path.
- Some have the ability to send network probes, or monitor traffic
downstream of an inline device so they can automatically take the device out
of line if it fails to pass traffic.
- Some can filter which traffic goes through the inline device and merge it
back with the traffic that was not sent to the inline device for downstream
consumption.
Some can be connected and automatically be managed as if one device,
allowing monitor and replication ports to be used across the stack/mesh of
devices.

All of this is very interesting.  Of course these taps cost more than your
basic dumb tap.

More interestingly to me is that these taps are no longer dumb, and that
makes them a bit of a riskier proposition.  In evaluating some we have run
into issues ranging from misconfiguration/user error to what appear to be
crashes (with associated loss of forwarding).

I'm wondering if anyone has had significant experience deploying these more
advanced taps, whether it was good or bad, general comments you might like
to share regarding them, and whether you would recommend particular vendors.

If people reply off-list, I will make a point of summarizing back if I get
any feedback.

Thanks!

--D

-- 
--  Darren Bolding                  --
--  darren at bolding.org           --

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

More information about the cypherpunks-legacy mailing list