<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=2975524&amp;fmt=gif">
BLOG

“Not another installation setback”

January 4, 2023

SIEM deployment gone wrong?

As my daughter approaches her 3rd birthday, we've loosened up the rules on watching cartoons. Now, we all look forward to Saturday morning cartoons … and pancakes.

Personally, I haven’t watched cartoons in 30 years. Surprisingly, it seems animators are still reusing the same “character rolls down a snowy hill and becomes a giant snowball” bit.

As an adult, I empathize with the character inside the snowball.

I think about IT network tool deployments gone wrong. With one setback after another, the project begins to literally snowball out of control.

Perhaps your installation of a brand new SIEM, NDR, IDS, Lawful Intercept, or DLP feels like it’s going downhill right now.

People often call us for help when their projects hit setbacks. These are some of the common culprits we hear about:

  • One of the existing switches is unmanaged and can’t be used reliably to connect the SIEM to the network.  Roll  
  • Another switch is already configured and reconfiguring it is not an option.  Roll  
  • Supply chain issues have delayed a vital piece of equipment for the project.  Roll  
  • The engineer sent into the field to drive resolution is stuck in an airport because of flight delays due to Covid, weather, or both.  Roll  
  • You’re trying to leave on a well-deserved vacation and you receive a call that another setback is delaying the installation.  Roll (your eyes)

TAP-vs-SPAN

In response, we generally ask these 6 questions:

  1. How are you holding up?
  2. What tool is being installed?
  3. What is the network speed?
  4. What is the media type and/or connector type?
  5. Are there other out-of-band monitoring tools that require copies of the network traffic?
  6. Do you have a network diagram you can share to help us visualize the environment or project? 


A Garland technical engineer will then recommend some options for consideration. Often, a network TAP is part of our suggested solution.


TAPs come in a wide variety of types and specs, making them a versatile, go-to solution for resolving these situations. They can help you quickly overcome installation delays and avoid disappointing stakeholders.


What’s a TAP?

A TAP is a physical device that sits between two other network appliances (like a switch and router). Traffic flows full speed through the TAP while the device simultaneously copies the packets and sends the duplicates off to monitoring and security tools (like a SIEM) for further inspection.


Fly for fun, not for work.

SIEM deployments too often hit setbacks and end up with people on planes. When this happens, you (or your engineer) become the center of the snowball, as the project quickly careens downhill.

There’s a better way! Network TAPs can help you gain control over installation delays and also help you avoid last-minute flights (aka the middle seat special) to deal with unexpected setbacks.

TAP vs SPAN

See Everything. Secure Everything.

Contact us now to secure and optimized your network operations
Contact Us

Heartbeats Packets Inside the Bypass TAP

If the inline security tool goes off-line, the TAP will bypass the tool and automatically keep the link flowing. The Bypass TAP does this by sending heartbeat packets to the inline security tool. As long as the inline security tool is on-line, the heartbeat packets will be returned to the TAP, and the link traffic will continue to flow through the inline security tool.

If the heartbeat packets are not returned to the TAP (indicating that the inline security tool has gone off-line), the TAP will automatically 'bypass' the inline security tool and keep the link traffic flowing. The TAP also removes the heartbeat packets before sending the network traffic back onto the critical link.

While the TAP is in bypass mode, it continues to send heartbeat packets out to the inline security tool so that once the tool is back on-line, it will begin returning the heartbeat packets back to the TAP indicating that the tool is ready to go back to work. The TAP will then direct the network traffic back through the inline security tool along with the heartbeat packets placing the tool back inline.

Some of you may have noticed a flaw in the logic behind this solution!  You say, “What if the TAP should fail because it is also in-line? Then the link will also fail!” The TAP would now be considered a point of failure. That is a good catch – but in our blog on Bypass vs. Failsafe, I explained that if a TAP were to fail or lose power, it must provide failsafe protection to the link it is attached to. So our network TAP will go into Failsafe mode keeping the link flowing.

Glossary

  1. Single point of failure: a risk to an IT network if one part of the system brings down a larger part of the entire system.

  2. Heartbeat packet: a soft detection technology that monitors the health of inline appliances. Read the heartbeat packet blog here.

  3. Critical link: the connection between two or more network devices or appliances that if the connection fails then the network is disrupted.

NETWORK MANAGEMENT | THE 101 SERIES