Security Challenges
Increasing convergence of IT and OT environments has expanded the attack surface and introduced new security risks for critical infrastructure. Older and inherently vulnerable Industrial Control Systems (ICS) that were previously ‘air gapped’ or isolated are becoming increasingly exposed to threats as IT and OT converge. Additionally, as the number of industrial IoT devices has risen dramatically over the past several years, the overall level of visibility for security teams into these assets has decreased, creating easy entry points for attackers.
OT security teams continue to suffer from a growing skills shortage and tight budgets, and are understaffed compared to IT security teams. Furthermore, as United States and European regulations on OT/ICS tighten, critical infrastructure operators must find a way to improve their OT security posture with an easy-to-deploy solution that provides visibility across all Purdue Levels.
Key Solution Benefits
• Increased visibility across OT, IT, and IIoT down to Purdue Level 1, where existing switching infrastructure is lacking.
• Protocol and technology agnostic.
• Illuminates points of IT/OT convergence.
• Reduces risk of misconfigured switch ports.
• Guarantees unidirectional traffic flow with data diode protection.
• Reduces complexity of deployment in distributed networks.
• TAPs have no IP or MAC address, so they cannot be reached or attacked over the network.
• Zero hardware subscription fees from Garland Technology.
Garland EdgeLens Solution
Garland’s EdgeLens series is an advanced bypass TAP with built-in packet broker functionality that centralizes network traffic, making network tools more efficient by sharing network traffic with monitoring and security tools. EdgeLens provides visibility for a hybrid configuration of an active, inline network device and out-of-band tools, such as LiveAction. EdgeLens provides identical network traffic streams through the active inline device and to the capture engine of LiveAction LiveWire or LiveCapture. The benefits of both devices seeing the same traffic are:
• Correlated data for real-time monitoring and root cause analysis using network packets.
• Historical look back and playback of the network traffic.
• Validating and updating network policy changes and spotting anomalies.
• Network data recording for compliance and security forensics.
• Root cause analysis for application and network related problems.
Network TAP Benefits
- Provide complete packet visibility with full-duplex copies of network traffic.
- Ensure no dropped packets while passing physical errors and support jumbo frames without delay or altering the data.
- Support 10/100M, 1G, 10G, 40G, 100G, and 400G links, available in single-mode and multi-mode fiber or copper Ethernet.
- Available in Tap ‘Breakout,’ aggregation, regeneration, bypass, and advanced filtering.
- Passive or failsafe – Does not affect the network.
- No IP address or MAC address, and cannot be hacked.
Importance of Choosing the Right Access Technology
The foundation of effective network visibility lies in the method used to access traffic data. Two primary technologies dominate this space: Test Access Points (TAPs) and Switched Port Analyzer (SPAN) ports. The choice between TAP and SPAN can significantly impact your network's security posture, performance analysis, and compliance reporting. TAPs are known for providing an unaltered and complete view of network traffic, ensuring that every packet is accounted for, including errors and anomalies. This level of access is crucial for accurate monitoring, analysis, and decision-making. On the other hand, SPAN ports, while convenient and cost-effective, may not capture every packet, especially under high traffic conditions, leading to gaps in visibility and potential security risks. Therefore, selecting the right access technology is not just a technical decision but a strategic one that affects the entirety of your network management and security strategy.
"The switch treats SPAN data with a lower priority than to-port data...the best strategy is to make decisions based on the traffic levels of the configuration and when in doubt to use the SPAN port only for relatively low-throughput situations."
Cisco
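The Cisco guidance above is a capacity question, so here is an added Python check (written for this page, not a Garland or Cisco tool) that estimates how oversubscribed a SPAN session is from the mirrored ports' speeds and measured load; the port names, load figures and the simple drop model are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class SpanSource:
    """One mirrored switch port: link speed and measured per-direction load."""
    name: str
    link_gbps: float
    rx_util: float = 1.0   # fraction of the link busy in the receive direction
    tx_util: float = 1.0   # fraction busy in the transmit direction
    mirror: str = "both"   # what the session copies: "rx", "tx" or "both"

def mirrored_gbps(src: SpanSource, worst_case: bool = False) -> float:
    """Traffic the switch must copy for one source port. A full-duplex link
    mirrored in both directions can produce twice its line rate."""
    rx = src.link_gbps * (1.0 if worst_case else src.rx_util)
    tx = src.link_gbps * (1.0 if worst_case else src.tx_util)
    if src.mirror == "rx":
        return rx
    if src.mirror == "tx":
        return tx
    return rx + tx

def check_span_session(sources, dest_gbps: float) -> dict:
    """Compare what the session must copy with the destination port speed.
    drop_fraction is the share of mirrored packets that cannot fit on the
    destination port; the switch silently discards them, since mirror data
    has lower priority than forwarded traffic (assumed simple model)."""
    measured = sum(mirrored_gbps(s) for s in sources)
    worst = sum(mirrored_gbps(s, worst_case=True) for s in sources)

    def drop(required: float) -> float:
        return 0.0 if required <= dest_gbps else 1.0 - dest_gbps / required

    return {
        "required_gbps": measured,
        "worst_case_gbps": worst,
        "oversubscription": measured / dest_gbps,
        "drop_fraction": drop(measured),
        "worst_case_drop_fraction": drop(worst),
        # A full-duplex breakout TAP gives each direction its own monitor
        # port at line rate, so it never oversubscribes; it needs this many:
        "tap_monitor_ports": sum(2 if s.mirror == "both" else 1 for s in sources),
    }

if __name__ == "__main__":
    # Constructed example: two 1G uplinks at ~60% load each way, mirrored to
    # one 1G SPAN destination that feeds the capture appliance.
    uplinks = [SpanSource("Gi1/0/1", 1.0, 0.6, 0.6), SpanSource("Gi1/0/2", 1.0, 0.6, 0.6)]
    for key, val in check_span_session(uplinks, dest_gbps=1.0).items():
        print(f"{key:>25}: {val:.3f}" if isinstance(val, float) else f"{key:>25}: {val}")
```

With the constructed load the 1G destination must carry 2.4 Gbps, so more than half the mirrored packets are lost before any tool sees them, while the same links on a breakout TAP need four monitor ports and lose nothing.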
Unlocking Network Visibility: The TAP Advantage
Dive into the essentials of network visibility and discover how Test Access Points (TAPs) elevate your network monitoring and security beyond the limitations of SPAN ports. Understand the critical role TAP technology plays in ensuring complete, real-time visibility into your network traffic, essential for today's security, compliance, and monitoring requirements.
The Power of TAP: Ensuring Comprehensive Network Monitoring
Take a closer look at TAP technology and why it's considered the gold standard in network visibility. From capturing every packet without fail to supporting all network speeds without impacting performance, learn how TAPs provide the reliability, scalability, and security necessary for effective network management.
TAP vs. SPAN: Making the Informed Choice
In this final segment, compare TAP and SPAN technologies side by side to see why TAPs are the superior choice for ensuring network integrity, performance, and security. Discover the limitations of SPAN and how TAPs overcome these challenges, providing 100% accurate data capture and unmatched monitoring capabilities.
Comparison Table
Below is a detailed comparison table that highlights the key differences between Test Access Points (TAPs) and Switched Port Analyzer (SPAN) ports, focusing on several critical aspects of network monitoring and visibility.
Feature | TAPs (Test Access Points) | SPAN Ports |
---|---|---|
Data Capture | Capture 100% of traffic, including errors and all packet sizes. | May miss packets, especially during high traffic. |
Impact on Network | No impact on network performance as they are passive devices. | Can introduce latency and affect switch performance. |
Accuracy | Provide an exact, unaltered copy of the traffic for accurate monitoring and analysis. | Altered data due to processing, leading to potential inaccuracies. |
Reliability | Highly reliable as they do not depend on the network's state or configuration. | Reliability can be affected by switch CPU load or configuration errors. |
Security | More secure, offering a tamper-proof method of traffic capture. | Vulnerable to misconfigurations and potentially accessible by unauthorized users. |
Packet Loss | No packet loss, ensuring complete visibility into network activities. | Possible packet loss under heavy load, leading to gaps in visibility. |
Monitoring Impact | Passive monitoring without altering traffic flow or timing. | May alter packet timing, affecting real-time analysis. |
Implementation | Requires physical installation, which can be seen as complex and higher initial cost. | Configured through software, offering flexibility and lower initial cost. |
Scalability | Can be perceived as less scalable due to the need for physical devices for each link. | Easily scalable within the switch's capacity by reconfiguring ports. |
Legal Compliance | Forensically sound, making them suitable for compliance and legal investigations. | May not provide the level of detail required for legal compliance due to data alteration and potential packet loss. |
Visibility into Errors | Captures every packet, including error packets, for a comprehensive network assessment. | Typically filters out error packets, which can hide potential issues. |
Key Takeaways
This list encapsulates the essential insights from the whitepaper, highlighting the advantages of TAPs over SPAN ports in achieving comprehensive, secure, and reliable network visibility.
- Comprehensive Data Capture: TAPs ensure 100% visibility into network traffic, capturing every packet, including errors and anomalies, unlike SPAN ports which may miss packets under high load conditions.
- Unaltered Traffic Analysis: With TAPs, the data is exactly as it traverses the network, providing a true picture for analysis without the risk of packet alteration or timing issues present with SPAN.
- Enhanced Security: TAPs offer a secure method for traffic monitoring, reducing the risk of unauthorized access or tampering, making them preferable for environments where security is paramount.
- Reliable Performance Monitoring: By delivering all packets, TAPs enable more accurate and reliable performance monitoring and troubleshooting, essential for maintaining optimal network health.
- Zero Impact on Network Performance: TAPs operate passively, meaning they don't introduce latency or affect network traffic flow, ensuring that monitoring activities do not impact network performance.
- Scalability for Future Growth: TAPs can support various network speeds and types, from 10M to 400G, providing a scalable solution that grows with your network needs.
- Legal and Compliance Assurance: The forensic soundness of data captured via TAPs meets compliance requirements for auditing and legal investigations, offering a level of detail and accuracy that SPAN ports cannot guarantee.
- Ease of Problem Resolution: The accuracy and completeness of data captured by TAPs simplify the process of diagnosing and resolving network issues, reducing downtime and improving operational efficiency.
- Cost-Effectiveness Over Time: While the initial investment in TAPs may be higher than using SPAN ports, their durability, reliability, and minimal maintenance requirements make them a cost-effective solution in the long run.
- Simplicity and Peace of Mind: TAPs provide a straightforward, worry-free approach to network monitoring, allowing IT professionals to focus on strategic initiatives rather than troubleshooting network visibility issues.
FAQ: Common Questions
Q1: What is the main difference between TAP and SPAN for network monitoring?
A1: The main difference lies in how they capture data. TAPs (Test Access Points) provide an exact, unaltered copy of network traffic, including errors and all packet sizes, ensuring no packet is missed. SPAN (Switched Port Analyzer) ports, on the other hand, mirror traffic to a designated port for monitoring, which can lead to missed packets, especially under high traffic conditions, and potential data alteration.
Q2: Can using TAPs impact network performance?
A2: No, TAPs are designed to be passive devices that do not impact network performance. They make an exact copy of the traffic without altering the flow or introducing latency, ensuring the network operates as intended while providing valuable data for monitoring and analysis.
Q3: Are SPAN ports a bad choice for network monitoring?
A3: Not necessarily. SPAN ports can be suitable for certain situations, particularly for low-throughput or non-critical monitoring tasks. However, for comprehensive, accurate, and reliable network visibility, especially in high-stakes environments, TAPs are generally considered a better option.
Q4: Is it difficult to implement TAPs into an existing network?
A4: Implementing TAPs requires some planning, as they are physical devices that need to be installed in the network path. However, the process is straightforward, and the benefits of enhanced visibility and security often outweigh the initial effort.
Q5: Why are TAPs considered more secure than SPAN ports?
A5: TAPs are more secure because they are passive devices that cannot be accessed or tampered with through the network. SPAN ports, being software-configured, could potentially be misconfigured or accessed by unauthorized users, posing a security risk.
Q6: How do TAPs handle high network speeds and bandwidth?
A6: TAPs are built to support a wide range of network speeds, from 10M to 400G, and are capable of handling full duplex traffic without loss. This makes them suitable for modern, high-speed network environments where capturing every bit of data is crucial.
Q7: Are there any legal or compliance advantages to using TAPs over SPAN ports?
A7: Yes, the forensic soundness of data captured by TAPs is often required for compliance audits, legal investigations, and maintaining data integrity for security purposes. TAPs capture all packets, including errors, without alteration, providing a level of detail and accuracy essential for legal and compliance requirements.
How It Works
A bypass TAP manages the availability of inline tools and removes a single point of failure from the network: if the inline device fails or needs to be updated, the TAP “bypasses” it, reducing network downtime. Bypass differs from the other TAP modes in that it is an inline use case, not out-of-band.
Bypass TAP Benefits
• Keep up with Federal security mandates
• Expedited problem resolution
• Ability to pilot or deploy new security tools
• No maintenance windows
• Simple configuration ensures a quick set-up
• Zero subscription fees so O&M expenses don’t increase
Solution: EdgeSafe™ Bypass TAP
• Install a Garland Technology Bypass TAP between Cisco Firepower and the network
• The Bypass TAP manages the availability of Firepower at any time without having to take down the network
• The Bypass TAP continuously checks the health of Firepower with heartbeat packets; if Firepower becomes unavailable, the TAP bypasses it to keep the network up and running
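As an added illustration of the heartbeat failover just described (example code written for this page, not Garland firmware; the thresholds and the health trace are assumptions), this Python model shows when the TAP drops into bypass, when it re-inserts the tool, and how many intervals passed uninspected, which is the state a SOC should alert on.

```python
from enum import Enum

class Mode(Enum):
    INLINE = "inline"  # traffic passes through the security tool
    BYPASS = "bypass"  # tool skipped: network ports bridged directly, traffic uninspected

class BypassTap:
    """Models the heartbeat logic of a bypass TAP (assumed behaviour written for
    this example). Every interval the TAP injects a heartbeat toward the inline
    tool and expects it back on the far side. fail_after consecutive misses put
    the TAP into BYPASS; the tool is re-inserted only after recover_after
    consecutive heartbeats return, so a flapping tool is not re-inserted early."""

    def __init__(self, fail_after: int = 3, recover_after: int = 5):
        self.mode = Mode.INLINE
        self.fail_after, self.recover_after = fail_after, recover_after
        self.missed = self.returned = 0
        self.events = []  # (interval, old_mode, new_mode): transitions to alert on

    def tick(self, heartbeat_returned: bool, now: int) -> Mode:
        if heartbeat_returned:
            self.missed, self.returned = 0, self.returned + 1
        else:
            self.missed, self.returned = self.missed + 1, 0
        if self.mode is Mode.INLINE and self.missed >= self.fail_after:
            self._switch(now, Mode.BYPASS)
        elif self.mode is Mode.BYPASS and self.returned >= self.recover_after:
            self._switch(now, Mode.INLINE)
        return self.mode

    def _switch(self, now: int, new: Mode) -> None:
        self.events.append((now, self.mode, new))
        self.mode = new

def simulate(tool_alive: list) -> tuple:
    """Run one heartbeat per list entry (True = the inline tool forwarded it).
    Returns the TAP mode after each interval and the list of transition events."""
    tap = BypassTap()
    modes = [tap.tick(alive, t) for t, alive in enumerate(tool_alive)]
    return modes, tap.events

if __name__ == "__main__":
    # Constructed trace: tool healthy, then down for six intervals (e.g. a
    # firmware update), then healthy again. Bypass keeps the link up, but every
    # BYPASS interval is traffic the firewall never inspected.
    modes, events = simulate([True] * 4 + [False] * 6 + [True] * 8)
    for t, old, new in events:
        print(f"interval {t}: {old.value} -> {new.value}")
    print("uninspected intervals:", modes.count(Mode.BYPASS))
```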
Problem 1: Port failure
Without TAP: the network
With TAP: uptime; the tool is bypassed while it is being updated or replaced