Securing and monitoring your network is of utmost importance. However, operational technology (OT) teams often face complex challenges in architecting connectivity throughout large and sometimes aging infrastructure that wasn't initially designed with network security in mind.
To properly analyse threats and anomalies, as well as performance and regulatory conditions, there are two options to access network packets: network TAPs and SPAN ports.
One of the most common use cases for network visibility is to route mirrored traffic from a SPAN port on the switch to a security or monitoring tool. Port mirroring, also known as Switched Port Analyser (SPAN), is a specific network switch port designed to mirror or send a copy of network packets that are seen on a particular port (or an entire VLAN). As a result, the copied packets can be analyzed for network troubleshooting, security inspection, or performance monitoring purposes.
Industry Best Practice for Packet Visibility: Network TAPs (Test Access Points)
Securing the industry's gold standard in network monitoring and security means adopting network TAPs (Test Access Points) — the epitome of reliability and efficiency in achieving seamless packet visibility. These specialised hardware devices work tirelessly, providing a 24/7 exact duplicate of network packet data, a process that leaves network integrity uncompromised.
|Provides 100% full duplex copies of network traffic
|Ensures no dropped packets, passing physical errors and supports jumbo frames
|Does not alter the time relationships of frames
|Passive or failsafe, providing no single point of failure (SPOF)
|TAPs are secure, do not have an IP address or MAC address, and cannot be hacked
|CALEA (Commission on Accreditation for Law Enforcement Agencies) approved for lawful intercept, providing forensically sound data, ensuring 100% accurate data captured with time reference
|Data Diode TAPs provide unidirectional traffic to protect against the backflow of traffic into the network
|Scaleable for traffic optimization and can aggregate multiple links down to one
|Provides access to packets for monitoring
|Can take up high-value ports on the switch
|SPAN traffic is the lowest priority on the switch
|Some legacy switches do not have SPAN available
|SPAN ports drop packets, an additional risk for security and regulation solutions
|Will not pass corrupt packets or errors
|Can duplicate packets if multiple VLANs are used
|Can change the timing of the frame interactions, altering response times
|Bidirectional traffic opens backflow of traffic into the network, making the switch susceptible to hacking
|Administration/programming costs for SPAN can get progressively more time-intensive and costly
To ensure minimal to no network downtime, it is essential to build a network that adheres to critical infrastructure's guiding principles. This involves laying down a strong foundation of network infrastructure and visibility architecture, which can be achieved by incorporating best practices. By following these guidelines, you can build a network that is built to last and meets the desired goals.