SHARKFEST ‘10 | Stanford University | June 14–17, 2010

TAP’s Demystified
June 16th 2010

Samuel Battaglia
Technical Manager | Network Critical

Overview

• What are TAP’s?
• Why TAP?
• Modes
• Options
• Technology
• Portable Analysis
• Configuration

• Analyze
• Capture
• Access

What are TAP’s?

Traffic Access Point

An inline network device that provides access to data as it traverses a network media.

• Deployed Inline
– TAP’s Process All Frames on the Media

• Gaining Popularity
– TAP’s can be Active or Passive Devices

Why TAP?

• VoIP Monitoring
• Protocol Analysis
• Server & Workstation Monitoring
• Compliance & Data Leakage Detection
• Intrusion Detection & Prevention
• The security group is hogging all the SPAN ports and they never let me sniff any data…

There are lots of reasons…

• Multiple groups will need access to data
• More groups will require copies of data
• What happened to my HUB?!
• SPAN ports are slim pickings

Modes

TAP Modes

• Breakout (Directional Outputs)
• Aggregating (Combined Outputs)
• Regenerating (Duplication/Replication of Data)
• Aggregating Regenerating (TAP and SPAN)
• Aggregating/Filtering Backplane
• Advanced Backplane Operations

Options

TAP Options

• Link Failure/Integrity/State Propagation
• Fail-to-Safe, Fail-to-Wire, Fail Closed
• Link Lock, Passive Copper (10/100 only)
• PoE Passive/Pass Through, Not Always PoE+

Technology

TAP Technology

Passive TAP
• Benefits
– TAP once and done
– Live devices link directly with each other
– Allows simple monitoring applications
– Passes L2 errors
– Link maintained on power state change
• Things to Consider
– Some degradation of live signal
– Proper deployment

Active TAP
• Benefits
– Allows complex monitoring applications
– Allows traffic to be injected into live links
– No degradation of live signal
• Things to Consider
– May discard link errors (Switch vs FPGA)
– Link is lost on power state change
– Live network devices link with TAP

Passive Components
• Copper 10/100M Links
– Manipulate traces and PHY connections
– Live devices physically connected
– Power state change is non-impactful
• Fiber 100M, 1G, 10G+ Links
– Optical splitters/couplers
– Isolates production and monitor data-paths
– Can provide 100% passive monitoring

Optical Fiber Splitter/Coupler

Active Components
• Copper 10/100/1G Links
– Fast acting copper relays
• Fiber 1G, 10G+ Links
– Optical bypass switches

Active Components
• Fast Acting Copper Relays / Optical Switches
– Non-Latching
  • Do NOT require power to fail closed
  • Less complex
– Latching
  • DO require power and a trigger to activate
  • More flexible

Optical Fiber Bypass Switch

Core Components
• Switch Chip Based Designs
– Familiar architecture and compatibility
– Built in functionality
– Designed for specific tasks
– Counts malformed frames and errors
– May not pass error frames
• Field-Programmable Gate Array (FPGA)
– An integrated circuit designed to be configured after manufacturing
– Extreme flexibility allows complex applications
– Passes malformed frames and errors
– Oversized and custom frame types
– Byte offset matching and slicing
• Fiber Transceiver
– Two pieces of directional optics
– Transmitter – Only capable of sending
– Receiver – Only capable of capture
– Form factors – SFF, SFP, SFP+
• PHY (Physical Layer)
– PCS, PMA, PMD
– Connects RJ45/transceiver to Switch (or FPGA)
– Handles link negotiation and line protocols
– Broadcom, Marvell, Intel, VIA

Deployment

Deploying TAP’s

Things to Consider
• Not all patch cables are created equal
– OM1 (Orange), OM2 (Grey), OM3 (Teal)
• Fiber cables may be crossover
• 10/100 network cabling (MDI, MDIX)
• Consider overall cable lengths

Portable Analysis

Laptop Challenges
• Where’s the Fiber port?!
• Performance of receive and capture is limited
• 1G capture appliances are not very portable
• 1 Gbps is still a LOT of data

Solutions
• TAP’s for Media Conversion
• Modify the Capture Buffer Size
• Filter on TAP Hardware

Portable Analysis: Media Conversion
• Copper to Copper
• Fiber to Copper
• Copper to Fiber
• Fiber to Fiber

Portable Analysis: Bump the Capture Buffer

Portable Analysis: Filter on TAP

Filtering

Configuration

Breakout Mapping

Aggregation Mapping

Aggregated & Filtered Mapping

Backplane Connections

Source and Destination Ports

FYI

• TAP's with Batteries
– Require Maintenance
– Special Shipping Handling
– Existing UPS Infrastructure

Be Cautious

• Fast Linking Gigabit
– Modifies Normal Auto-negotiation
– Not Standard Ethernet Procedure
– Is NOT 100% Guaranteed

Other Useful Bits

Facts About Fiber Optics
www.networkcritical.com/sharkfest/fiber

Ethernet Negotiation – Rich Hernandez
www.networkcritical.com/sharkfest/autoneg

Perils of the Network: Duplex Conflicts – Apparent Networks
www.networkcritical.com/sharkfest/duplex

Catalyst SPAN Configuration – Cisco
www.networkcritical.com/sharkfest/ciscospan

TAP vs SPAN – Tim O’Neill
www.networkcritical.com/support/document-library/TAP-vs-SPAN

DIY 10/100 access?
www.hackaday.com/2008/09/14/passive-networking-tap

Thank You!

sam@networkcritical.com
716-558-7280

See you next year!