Ethernet Network TAPs

In an earlier article, I talked about using Ethernet network TAPs to create one-way network links. Today I would like to talk about using them for their intended purpose.

First, a word about the spelling. “TAP” is capitalized, because it is said to stand for “Test Access Point”, but it could just refer to the concept of tapping the lines.

The purpose of a network TAP is to monitor network traffic without interacting with it. This has two benefits: an attacker cannot know whether or not the network is being monitored, and it is not possible for malware to corrupt the monitoring machine and use it to attack the network. 

There are a few ways to monitor the network. The article I referred to earlier lists a few do-it-yourself methods that I do not recommend. The professional methods are SPAN ports and Ethernet TAPs.

A SPAN port (said to stand for “Switched Port ANalyzer”) is a port on an Ethernet switch where copies of all packets handled by the switch are sent. The technique is also known as port mirroring. It is inexpensive, since it is built into many Ethernet switches, but under load it may drop packets, keeping you from getting a clear picture of your traffic. A study by Packet Pioneer compared the results from a SPAN port and a network TAP and found that the SPAN port gave them 8% packet loss. A study by Garland Technology ran similar tests in an Industrial Control System environment. As well as experiencing packet loss at over 80% utilization, they discovered that some defective packets were delivered only to the SPAN port. This could be used by an attacker to confuse intrusion detection systems.

A network TAP taps the signals going each way, and sends them to the receive side of two tap ports. Thus, one port receives outbound packets, while the other receives inbound packets. (There are also what are called aggregating TAPs. They combine the inbound and outbound packets and send them to a single port. The problem is that if you have, for example, a 1000BASE-T network, it can be sending 1 GbE in each direction, so the TAP port would be receiving 2 GbE, which is too much for standard network cards.)

Here is a line diagram of a 10/100BASE-T network TAP. TAPs for 1000BASE-T Ethernet, while similar in concept, are a lot more complicated, since gigabit Ethernet uses all eight wires of the cable for sending in both directions. They are also more expensive and noisier. TAPs for 10/100BASE-T are generally passively cooled, while the added circuitry for 1000BASE-T requires a fan.

Since network TAPs are frequently placed in the main connection to the Internet, they are a single point of failure. For this reason, they usually have dual power supplies. All of them will pass the signals through when they do not have power and some, like the Finisar Shadow Tap shown at the top of this post, can go from power on to power off without even momentarily interrupting the signal.

So what do you do with the TAP A and TAP B outputs? You connect them to two network cards. They must be in promiscuous mode, which means they receive all packets, not just those addressed to their MAC address. Network analysis tools like Wireshark, and intrusion detection systems, will generally take care of this for you. If you are doing high-volume packet capture, you might use Endace DAG packet capture cards, which can capture packets more efficiently, as well as doing pre-processing on the card. For even more sophisticated processing, you might use a dedicated device like the EndaceProbe Analytics Platform.
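Because a breakout TAP delivers each direction to a separate network card, the two captures have to be interleaved by timestamp before a conversation reads in order. The following is an added example, not code from this article: it assumes each card's capture was saved as a classic little-endian pcap file and that both cards were timestamped by the same clock. The function names and the sample frames are constructed for illustration.

```python
import heapq
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps

def pcap_bytes(records):
    """Build a classic pcap file in memory (constructed sample data)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def read_pcap(data, direction):
    """Yield (timestamp_in_microseconds, direction, frame) for each record."""
    if struct.unpack_from("<I", data)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap")
    off = 24  # size of the global header
    while off + 16 <= len(data):
        sec, usec, caplen, _origlen = struct.unpack_from("<IIII", data, off)
        if off + 16 + caplen > len(data):
            break  # truncated final record
        yield (sec * 1_000_000 + usec, direction, data[off + 16:off + 16 + caplen])
        off += 16 + caplen

def merge_tap(tap_a, tap_b):
    """Interleave the TAP A and TAP B captures into one time-ordered list."""
    # Each capture is already in time order, so a streaming merge is enough.
    return list(heapq.merge(read_pcap(tap_a, "A"), read_pcap(tap_b, "B")))

def demo():
    # Constructed placeholders standing in for the frames of a TCP handshake.
    tap_a = pcap_bytes([(1, 100, b"SYN"), (1, 300, b"ACK")])  # one direction
    tap_b = pcap_bytes([(1, 200, b"SYN-ACK")])                # the other direction
    return merge_tap(tap_a, tap_b)

if __name__ == "__main__":
    for ts, direction, frame in demo():
        print(ts, direction, frame)
```

If the two cards are not on a common clock, the interleaving can put a reply ahead of the packet that triggered it.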

There is also a portable TAP called a field TAP. Rather than the TAP A and TAP B ports, it has a USB 3.0 cable. It can be plugged into a laptop so you can analyze packets with Wireshark when you are testing out in the field. Here is an example of a field TAP from Garland Technology.

The kind of network TAP we have been discussing is also known as a breakout TAP. There is another kind of TAP, the bypass TAP, which is used with Intrusion Prevention Systems (IPS). Unlike Intrusion Detection Systems (IDS), which just monitor the traffic, IPS may need to filter out or respond to packets from attackers. For example, an IPS might respond to a TCP SYN flood attack by returning TCP packets with the RST flag, to reset the half-open connections.

Since all the network traffic goes through the IPS, it becomes a single point of failure. A bypass TAP bridges around the IPS if it fails, so network traffic is not interrupted. It detects failure by inserting special packets in the stream going to the IPS, and removing them from the output of the IPS. If a packet sent to the IPS is not returned, it knows the IPS has failed and bypasses it. While the IPS is bypassed, the TAP continues to send the network stream and the special packets to the IPS. As soon as it comes back up and the TAP sees the special packets again, it stops bypassing the IPS. Here is an example of a bypass TAP from Garland Technology.
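The bypass logic described above can be modelled in a few lines. This is an added example, not code from this article or from any vendor: `BypassTap`, `ToyIps`, the `HEARTBEAT` marker and the `miss_limit` parameter are all hypothetical names, and the heartbeat is a constructed stand-in for the TAP's special packet.

```python
HEARTBEAT = b"HB"  # constructed stand-in for the TAP's special packet

class BypassTap:
    def __init__(self, ips, miss_limit=1):
        self.ips = ips                # callable: list of frames in, list of frames out
        self.miss_limit = miss_limit  # assumed knob; the article bypasses on the first loss
        self.misses = 0
        self.bypassed = False

    def forward(self, frames):
        """Handle one interval of traffic and return what reaches the network."""
        # The heartbeat always goes to the IPS, even while bypassed,
        # so that the TAP notices when the IPS comes back.
        returned = self.ips([HEARTBEAT] + list(frames))
        if HEARTBEAT in returned:
            self.misses, self.bypassed = 0, False
        else:
            self.misses += 1
            if self.misses >= self.miss_limit:
                self.bypassed = True
        if self.bypassed:
            return list(frames)  # bridge around the IPS
        return [f for f in returned if f != HEARTBEAT]  # strip the heartbeat

class ToyIps:
    """Toy IPS: drops frames on its block list, returns nothing when down."""
    def __init__(self, blocked):
        self.blocked = set(blocked)
        self.up = True

    def __call__(self, frames):
        if not self.up:
            return []
        return [f for f in frames if f not in self.blocked]

def simulate():
    """IPS is up, fails for two intervals, then recovers."""
    ips = ToyIps(blocked={b"bad"})
    tap = BypassTap(ips)
    log = []
    for up in (True, False, False, True):
        ips.up = up
        log.append((tap.bypassed, tap.forward([b"good", b"bad"])))
        log[-1] = (tap.bypassed, log[-1][1])  # record the state after this interval
    return log

if __name__ == "__main__":
    for bypassed, out in simulate():
        print("bypassed" if bypassed else "inline", out)
```

During the two bypassed intervals the frame the IPS would have filtered reaches the network, so the TAP's bypass state is worth logging and alerting on.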

