
AxioTAP™ FREQUENTLY ASKED QUESTIONS:
A Network TAP, or Traffic Access Port, is a dedicated passive inline network monitoring solution for use with analyzers, IDSes, IPSes, inline security appliances and other traffic access monitoring or management devices. Designed to be permanently installed inline in any network, the TAP is a fail-safe Layer 1 network device that will not interrupt the network connection during a power failure. Even if the TAP loses power, network traffic continues to pass through the TAP unimpeded. The TAP further provides the user with total visibility of all passing traffic, so that both sides of a conversation, including physical layer errors, can be monitored seamlessly at full line rate without packet loss or asymmetrical delay. A further benefit the TAP provides is a layer of stealth in the monitoring process, so that intruders on the network are blocked from viewing the TAP and thereby prevented from attacking the user's network monitoring system. Network performance is not interfered with in any way, and TAPs free up valuable SPAN or mirror ports on any network switch. Whether used in half or full duplex mode, network TAPs can provide visibility to all levels of the network stack, enabling comprehensive analysis even for physical layer errors.
2. What is the difference between the 4-port Monitor Gig Fiber tap and the 4-port Dual Gig Fiber tap?
The Dual Gig Fiber Tap, unlike most fiber taps, uses optical switch technology. The Dual Gig Fiber taps uniquely provide the capability of packet injection into a fiber network. The Monitor Gig Fiber taps use optical splitter technology, and monitoring port traffic is isolated from the network port traffic. Therefore, no packet injection into the fiber network is possible.
3. How do you ensure network traffic is not interrupted during power failure?
The tap continuously monitors the input power voltage. If the input power voltage is outside of nominal levels, the network ports fail-close, maintaining the network link. In this state, network traffic is not regenerated to the monitoring ports. The proprietary fail-closed circuitry is passive and requires no power.
4. Are AxioTAPs passive devices?
It depends on the context in which you define the term passive.
Yes, all AxioTAPs are passive in the sense that they provide permanent access ports to enable operational passive monitoring and analysis 24/7/365. Taps are in-line and do not require the monitoring device to have an IP address in order to operate, which is sometimes referred to as "Stealth Mode".
From an electrical point of view the AxioTAPs are active because they are powered. But if power is unavailable to a Fiber or Copper Active Tap, a bypass circuit within the Tap closes so that the network data stream passes directly to the receiving network device. The bypass circuit requires no external power input, so these Taps remain totally fail-safe and passive from a monitoring perspective.
5. What is High-Availability (HA)?
The AxioTAP HA model supports hot stand-by and high availability network security configurations. For example, network monitoring traffic from an active network and a hot standby network can be combined in an HA tap configuration. The HA AxioTAP moderates the traffic flows coming from the two sources to a single monitor, passes critical link failure detection to network management hardware, and will not pass the traffic from one source to the other. Upon detecting a return to the on-line state, the tap returns to normal operation.
6. Can AxioTAPs operate in half-duplex mode?
Yes, Axio TAPs are designed to operate in both half and full duplex modes. When the program is set to "AUTO" mode, the AxioTAP uses auto-negotiation to recognize the network transmission speed (10 - 100 Mbps or 100 - 1000 Mbps) and mode (half or full duplex). If the attached device(s) do not support auto-negotiation, the TAP, using auto-sensing, will still correctly set the speed and run at half duplex. However, full duplex can be supported if the attached device(s) also use auto-negotiation. The TAP can be set at a "FIXED" 100Mbps or 1000Mbps rate, ensuring both network and monitor ports are compatible at maximum rated traffic.
7. Can you have a 100% Full Duplex by using the two monitoring ports?
Yes. This is the AxioTAP advantage over most competing taps: dual monitoring ports with full duplex capability. AxioTAP's two monitoring ports allow two devices with single NICs to monitor full duplex traffic from Side A and Side B at full line speed. Conversely, one monitoring device with two appropriately scaled NICs can accomplish the same task and reduce monitoring device cost by 50%.
8. How do the Axio TAPs support auto-negotiation?
The AxioTAPs auto-negotiate between full and half duplex. Speed, 100Mbps or 1000Mbps, can be preset during front panel configuration.
9. How can I maximize my security detection and analysis presence while reducing my implementation costs?
Axio LinkSafe and Dual Gig Taps offer traffic aggregation capability to their monitoring ports. Aggregation allows both sides of the network traffic to be combined into a single monitoring stream. During configuration, select and activate each monitor port to receive both the A and B sides of the network traffic. This allows a single monitoring device to analyze both sides of the network traffic, full-duplex, with one NIC, reducing required devices by 50%. Also, with aggregation and a four (4) port AxioTAP, dual monitoring (two separate analyzing devices) can monitor both segments simultaneously through one tap, doubling the detection capacity through the TAP.
10. I am monitoring my network segment via a SPAN (mirror) port on my Switch. How will I benefit by using an AxioTAP?
Network Taps are used to create permanent access ports for passive monitoring. The monitoring device connected to the Tap receives the same traffic as if it were also in-line, including physical layer errors. This is achieved through the Tap splitting or regenerating the full-duplex network signal. In contrast, a monitoring device connected to a SPAN port on a switch does not see all traffic. Corrupt network packets, or packets below minimum size, are usually dropped.
Span Port Issues:
- Packet Loss
- Switch routing, low priority
- Duplex monitoring unlikely
- Physical Layers 1 and 2 not monitored
- Port is usually oversubscribed
- Limited Stealth from Detection
- Potential Point of Failure
Switches also are constrained by the bandwidth capacity of the SPAN port. In addition, by using a Tap you put less load on your switch buffer and can eliminate "resets" by the switch.
11. Can I program a monitoring port to see traffic from a specific segment (A or B network segment/ link) only, or do the monitoring ports only see both sides of the network?
Axio TAPs can be programmed so that traffic from either side of the network, connected to port A or port B, is sent to either monitoring port 1 or 2 as desired. This gives maximum flexibility of monitoring schemes with no cabling changes required.
12. Why do I see errors instead of collisions on my monitoring device?
When monitoring a half duplex network, collisions will show up as errors on the monitored link. This is normal and expected behaviour. There are two reasons for this:
- If the monitoring device is in full duplex mode, collisions cannot be identified.
- No monitoring device can identify collisions on a network link. Since 10base-T and 100base-T are designed to link only 2 end points, collisions are defined as receiving data while transmitting at the same time. As the monitoring device cannot transmit on the network link, it never sees a collision, only corrupted data from the collision that happened on the network link.
13. Why is it necessary to have different TAPs for IDS and IPS monitoring?
The basic difference between IDS and IPS taps is that the IDS taps do not monitor the link status to the monitoring device, whereas the IPS taps do. An IPS sensor application receives the actual network traffic rather than a regenerated copy. It is therefore critical that if the IPS monitor link fails, network traffic bypasses the IPS device.
- AxioTAP Class A4 - Gig IPS TAPs are specifically designed for in-line redundant IPS application devices to continuously monitor single critical full duplex Fast and Gigabit Ethernet network segments. They provide a failover path from the Primary Monitoring Device to a Secondary Device via two (2) additional 1000Base-T ports for uninterrupted monitoring of critical network traffic. Network traffic is directed to the inline IPS sensor, and the Axio Dual IPS TAP continually checks the health of the sensor via inline heartbeat packets. If the inline IPS primary sensor fails to pass traffic, the Axio Dual IPS TAP bypasses the sensor for FAIL SAFE primary traffic flow to the secondary sensor. The Axio Dual IPS TAP continues to test the sensor. Once heartbeat is re-established, data will flow back through the sensor. If both sensors are unavailable, the tap continues in bypass mode until a sensor heartbeat is reestablished.
- AxioTAP Class A1 and A3 TAPs are typically used for IDS deployments where the state of the sensor device is less critical to operation of the network. Although these taps, like all AxioTAPs, do not present a single point of failure even with power loss, the operational state of the attached detection device is not monitored. The LinkSafe capability of the A1 and A3 Class AxioTAPs, however, does detect link failure on either side of the tap and ensures network hardware like a router can activate redundancy when a switch link fails.
14. What interaction is there between the heartbeats to the IPS device and Packet Injection back to the Network?
The IPS tap reserves a communication link specifically for heartbeat monitoring separate from the communication channel designated for Packet Injection. There is no interaction or reduction in performance. Heartbeat rate is set at 16/sec for 64 byte packets.
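The primary/secondary/bypass failover described in answers 13 and 14, modelled as an added example (this is not AxioTAP firmware or vendor code). The 16/sec heartbeat rate comes from the FAQ; `MISS_LIMIT`, the preference for the primary sensor whenever it is healthy, and the timeline are assumptions made for illustration.

```python
from dataclasses import dataclass

HEARTBEATS_PER_SEC = 16   # heartbeat rate stated in the FAQ
MISS_LIMIT = 3            # ASSUMPTION: consecutive misses before a sensor is marked down


@dataclass
class Sensor:
    misses: int = 0
    up: bool = True

    def observe(self, returned: bool) -> None:
        """Record whether one injected heartbeat came back through the sensor."""
        if returned:
            self.misses, self.up = 0, True   # one good heartbeat restores the path
        else:
            self.misses += 1
            if self.misses >= MISS_LIMIT:
                self.up = False


def select_path(primary: Sensor, secondary: Sensor) -> str:
    """Primary if healthy, else secondary, else bypass (traffic is not inspected)."""
    if primary.up:
        return "primary"
    if secondary.up:
        return "secondary"
    return "bypass"


def simulate(timeline):
    """timeline: (primary_returned, secondary_returned) per heartbeat tick.
    Returns the path after each tick and the seconds spent in bypass."""
    primary, secondary = Sensor(), Sensor()
    paths = []
    for p_ok, s_ok in timeline:
        primary.observe(p_ok)
        secondary.observe(s_ok)
        paths.append(select_path(primary, secondary))
    return paths, paths.count("bypass") / HEARTBEATS_PER_SEC


# Constructed timeline: primary stops answering at tick 4, secondary at tick 10,
# primary answers again from tick 20.
TIMELINE = ([(True, True)] * 4 + [(False, True)] * 6 +
            [(False, False)] * 10 + [(True, False)] * 4)

if __name__ == "__main__":
    paths, gap = simulate(TIMELINE)
    for tick, path in enumerate(paths):
        print(f"t={tick / HEARTBEATS_PER_SEC:.4f}s  {path}")
    print(f"time in bypass (uninspected): {gap:.4f}s")
```

In this model the link spends 0.5 s in bypass with no sensor inspecting traffic, and each failure is only acted on after `MISS_LIMIT / 16` seconds of missed heartbeats.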
