Turn the tap on: steps to a secure network

Digital transformation and cloud computing have changed the business technology landscape, bringing an enhanced focus on network security and infrastructure. A network tap can be a key implementation to optimise uptime and protect against breaches. Tony Robinson RCDD CDCDP™ CNIDP®, Global Marketing Manager, Corning Optical Communications, explains how.

  • Thursday, 4th April 2019 Posted 5 years ago in by Phil Alsop

The move into the cloud in recent years for businesses has been quick and wholesale. According to 2017 research from the Cloud Industry Forum (CIF), overall adoption among organisations in the UK is estimated to be as high as 88%. Two years on, that figure is surely higher.


There are advantages to be gained from shifting core business systems and applications into the cloud, but this move must come with the robust security to match. Disrupted services or data breaches could be catastrophic, particularly with the highly sensitive data entrusted to government bodies, including citizens’ health records and personal data. High profile breaches in particular, such as WannaCry and NotPetya, have raised the alarm for government agencies and businesses and can also mean loss of reputation and revenue.

Software is certainly important, yet hardware must be a consideration of the security mix, too.

Cloud adoption introduces new hardware vulnerabilities. Applications are hosted outside the internal data centre, making it difficult for network administrators to track and analyse network performance in real-time. System lag and switch overutilisation could crash critical applications in the data centre and storage area network (SAN).

As a result, data centre teams need to continually monitor for potential security threats such as denial-of-service attacks, and identify bottlenecks or other potential performance issues quickly.

Steps to a secure environment

There are a number of steps that organisations can take to ensure a more secure cloud environment.

Involving network administrators and structured cabling teams to adopt a preventive approach with network monitoring, is not only effective in detecting errors and offering access to performance and utilisation data, but also ensures the accuracy of changes to produce only desired results.

In addition, there are two technologies currently used in network monitoring systems: SPAN (switched port analyser), also known as port mirroring, and tap (traffic access point).

A SPAN port copies traffic from any traffic port to a single unused port. SPAN ports also prohibit bi-directional traffic on that port to protect against backflow of traffic into the network, and direct packets from its switch or router to the test device for analysis.

A tap, on the other hand, is a passive component that allows non-intrusive access to data flowing across the network and enables monitoring of network links. A tap uses passive optical splitting to transmit inline traffic to an attached monitoring device without data stream interference. So, they are completely passive and cause no disruption to the live network. 

Tap technology an uptime enabler

Maintaining uptime is a critical focus for businesses in order to maximise productivity and value for their IT networks and applications. Therefore, it is often wise to implement solutions that allow network monitoring without affecting live applications. Network monitoring when implemented optimally should allow individuals to see all network traffic including errors, regardless of packet size, in real time to allow preventative actions to be taken quickly and efficiently rather than a more costly, corrective approach after the event.

Taps are truly passive and do not add any additional load onto the live network. Because the device simply splits a signal instead of replicating it, a portion of the signal can be taken offline, or out of band, to conduct analysis of the input/output (I/O) traffic without affecting live applications.

A SPAN port must be configured by a network engineer, which can cause challenges when it comes to maintaining uptime. If a SPAN port is not disabled during a network refresh, it is possible for that port to be cabled to serve as a network port, creating a “bridging loop,” which will result in network performance issues.

Alongside passive monitoring capability, the need for a network engineer can also have a bearing on implementation costs. Usually with SPAN, cost will increase in line with higher data rates. So, for example, a 10G switch port is more expensive than a 1G switch port, whereas a tap port at 1G costs the same as a tap port at 10G or even 40G. For these reasons, optical tapping is becoming a more popular solution for higher data rates.

To integrate or not to integrate

As network taps become more popular, a decision for procurement and security teams then becomes how this solution is implemented. Not all taps are created equal, and it is important for businesses to understand the options available to them.

The first consideration is location. Presenting the tap port as an MPO connector in the rear of the module will provide maximum flexibility when designing a structured cabling network. The MPO connector footprint allows separation of live production network ports and tap ports into different cabinet locations if desired.

Using this capability to centralise the active monitoring equipment, rather than installing across multiple cabinet locations throughout the data centre, provides cost savings by optimising the use of active monitoring equipment and reducing the risk of patching errors.

There are further considerations, too. A tap can be either integrated or non-integrated into your structured cabling and can use either fused biconical taper (FBT) splitters or thin-film splitters.

Generally, integrated taps are providing better solutions for those looking to monitor their networks. Not only do they perform the same function as a normal structured cabling network, but also send a portion of light to the monitoring electronics. Conversely, non-integrated taps are deployed as standalone devices outside the structured cabling network, so whenever there is a need to change monitored ports, the link has to be temporarily disabled. An integrated tap module allows moves, adds, and changes (MACs) to monitored ports without disrupting the live network, and can annually save up to eight hours in downtime.

Options available to reduce bit error rates

A powerful advantage of an integrated tap module is that the solution can be directly installed into structured cabling. Used along with high-performance thin-film multimode and single mode splitter technology, there is reduced link attenuation, which translates into extended Ethernet and Fibre Channel distances.

While some tap modules in the market today still use FBT splitters, which can cause increased bit error rates (BER) based on where they are placed in the system, thin-film splitters do not introduce any BER penalties, so it is possible to install them anywhere in the system without BER effects.This also enables greater flexibility into the system design as thin film splitters support longer distances for both the live production network and the monitoring equipment.

Integrated tap modules enable tapping into all links straight from implementation, with the option to only monitor the required links. As network monitoring requirements grow or change, network administrators can simply add the required cabling between installed tap modules and corresponding network monitoring equipment. Because there is no need to change any cabling infrastructure, there will be no disruption of the network.

Since integrated tap modules occupy the same space as traditional MPO or LC modules, adding monitoring to an existing network is as simple as swapping out a traditional module for a tap module.

 

Tapping into the future?

The need for data and the capability for businesses to store, analyse and manage it will only increase. This, in turn, means that potential cost considerations of a data breach will also grow – in the post-GDPR world, security is paramount. From a hardware point of view, companies need to fully understand their networks, and to integrate security and monitoring solutions that are scalable. Tapping provides this possibility, making it a pragmatic and realistic option that provides a robust, long-term solution.