<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=2975524&amp;fmt=gif">

Visibility Solutions

Garland Technology is committed to educating the benefits of having a strong foundation of network visibility and access. By providing this insight we protect the security of data across your network and beyond.

Resources

Garland Technology's resource library offers free use of white papers, eBooks, use cases, infographics, data sheets, video demos and more.

Blog

The TAP into Technology blog provides the latest news and insights on network access and visibility, including: network security, network monitoring and appliance connectivity and guest blogs from Industry experts and technology partners

Partners

Our extensive technology partnership ecosystem solves critical problems when it comes to network security, monitoring, application analysis, forensics and packet inspection.

Company

Garland Technology is dedicated to high standards in quality and reliability, while delivering the greatest economical solutions for enterprise, service providers, and government agencies worldwide.

Contact

Whether you are ready to make a network TAP your foundation of visibility or just have questions, please contact us. Ask us about the Garland Difference!

The 101 Series: TAP vs SPAN in OT Environments

Securing and monitoring your network is the ultimate goal. To accomplish this goal, teams utilize ICS security solutions designed to respond and manage threats in OT environments efficiently. To properly identify, detect, and respond to security threats and breaches, most ICS security tools focus on visibility, threat detection and monitoring, and asset visibility and management.

Implementing these security solutions, OT teams face complex challenges when it comes to architecting connectivity throughout these large and sometimes aging infrastructures that weren’t initially designed with network security in mind, including:

  • Relying on legacy switch SPAN ports for visibility, that aren’t secure, reliable or available
  • Facing different media or speed connections between the network and various tools
  • Network sprawl with a need to reduce network complexity
  • May require unidirectional connectivity for their monitoring tools
  • Require a secure air-gapped solution for virtual environments


Fortunately these challenges have solutions. Optimized security and performance strategies start with 100% visibility into network traffic. And visibility starts with the packet. 

A common access point for network visibility in OT environments has been from SPAN ports on a network switch. Many times an engineer will connect directly to intrusion detection systems (IDS), or network monitoring tools.

But today, in modern ICS networks there is a more reliable option to access network packets for security and monitoring solutions to properly analyze threats and anomalies - network TAPs.


TAP vs SPAN in OT Environments

Determining when you use SPAN ports or network TAPs comes down to a multitude of issues. And many times a combination of both is a visibility architecture reality. But there are some significant differences which affect the integrity of the traffic that is being analyzed, as well as the performance of the network traffic. Let’s review some of the pros and cons of each to help you decide what works best for your network.

 

Download Now ICS Visibility Guide: Utilities | Whitepaper

1. Switch SPAN ports

A common visibility use case is to route mirrored traffic from a SPAN port on the switch to a security or monitoring tool. Port mirroring also known as SPAN (Switched Port Analyzer), is a designated port on a network switch that is programmed to mirror, or send a copy, of network packets seen on a specific port, where the packets can be analyzed. 

  • Provides access to packets for monitoring
  • SPAN sessions do not interfere with the normal operation of the switch
  • Configurable from any system connected to the switch

The concept is simple enough — the switch is already architected into the environment. Just hook up your security solution. Done. But many times the simplest path isn't the best path.

High-level SPAN challenges include:

  • SPAN takes up high value ports on the switch
  • Some legacy switches do not have SPAN ports even available
  • SPAN ports can drop packets, an additional risk for security and regulatory solutions

One of the fundamental reasons security teams do not like to use SPAN is because of dropped packets. This usually happens when the port is heavily utilized or oversubscribed. In OT environments, network switches tend to run 10M, 100M, up to 1G so you may think this will never happen. Unfortunately, ICS switches are prone to drop packets at a lower speed, even when network links are not saturated. This can happen for a variety of reasons:
  • Packets sometimes can’t be stored because of a memory shortage
  • 'PAUSE' frame attack. A bad actor can flood the SPAN disguised as a loopback, hiding bad data and forcing dropped packets
  • Packets showing a broken cyclic redundancy check (CRC) will be dropped
  • Frames smaller than 64 bytes or bigger than the configured maximum transmission unit (MTU) can be dropped because of an ingress rate limit

If dropping the packets isn’t an eye opener, did you know SPAN:

  • Will not pass corrupt packets or errors
  • Can duplicate packets if multiple VLANs are used
  • Can change the timing of the frame interactions, altering response times

The SPAN concept may have sounded easy because it was available, but after weighing packet loss and altered frames, additional SPAN security considerations include:

  • Bidirectional traffic opens back flow of traffic into the network, making switch susceptible to hacking
  • Administration/programming costs for SPAN gets progressively more time intensive and costly


2. Network TAPs

The industry best practice for packet visibility are network TAPs (test access points). Network TAPs are purpose-built hardware devices that create an exact full duplex copy of the traffic flow, continuously, 24/7 without compromising network integrity. 

Instead of connecting two network segments, such as routers and switches, directly to each other, the network TAP is placed between them to gain complete access to traffic streams. TAPs transmit both the send and receive data streams simultaneously on separate dedicated channels, ensuring all data arrives at the monitoring or security device in real time.

  • Network TAPs make a 100% full duplex copy of network traffic 
  • Network TAPs do not alter the data or dropping packets
  • Network TAPs are scalable and can provide a single copy, multiple copies (regeneration), or consolidate traffic (aggregation) to maximize the production of your monitoring tools

taps-vs-span

  • 100% full duplex copy of network traffic
  • Enables faster troubleshooting
  • Ensures no dropped packets, passing physical errors and supports jumbo frames
  • Does not alter the time relationships of frames
  • Passive or failsafe, ensuring no single point of failure (SPOF)
  • TAPs are secure, do not have an IP address or MAC address, and cannot be hacked.
  • CALEA (Commission on Accreditation for Law Enforcement Agencies) approved for lawful intercept, providing forensically sound data, ensuring 100% accurate data captured with time reference
  • Data Diode TAPs provide unidirectional traffic to protect against back flow of traffic into the network
  • Scalable for traffic optimization and can aggregate multiple links down to one
  • Plug and play; easy configure and deploy
  • Provides access to packets for monitoring 
  • Can take up high value ports on the switch
  • SPAN traffic is the lowest priority on the switch
  • Some legacy switches do not have SPAN available
  • SPAN ports drop packets, an additional risk for security and regulation solutions
  • Will not pass corrupt packets or errors 
  • Can duplicate packets if multiple VLANs are used
  • Can change the timing of the frame interactions, altering response times.
  • Bidirectional traffic opens back flow of traffic into the network, making switch susceptible to hacking
  • Administration/programming costs for SPAN can get progressively more time intensive and costly

 

Following critical infrastructure’s guiding principles — you want your network to be built to last, while ensuring minimal to no network downtime. These concepts rest on the network infrastructure and visibility architecture. Incorporating best practices like network TAPs in your network will help you achieve these goals.


Looking to add OT visibility, but not sure where to start?  Join us for a brief network Design-IT consultation or demo. No obligation - it’s what we love to do.

ICS Visibility Guide Utilities

Written by Chris Bihary

Chris Bihary, CEO and Co-founder and of Garland Technology, has been in the network performance industry for over 20 years. Bihary has established collaborative partnerships with technology companies to complement product performance and security through the integration of network TAP visibility.

Authors

Topics

Sign Up for Blog Updates