Evaluating network TAPs vs. SPAN in OT, critical infrastructure environments

Organizations want networks that are built to last and that run with minimal or no downtime, and they increasingly build visibility into the network infrastructure itself, for example with network TAPs. To properly identify, detect and respond to security threats and breaches, most industrial control system (ICS) security tools depend on that visibility: threat detection and monitoring, and asset visibility and management, all start with access to the traffic.

Garland Technology, for example, provides network TAPs (test access points) as well as SPAN (port mirroring) based access to network traffic for monitoring and security analysis. A TAP gives monitoring and security tools a complete copy of the traffic, but SPAN is still widely deployed, and there are several TAP use cases that improve an existing SPAN deployment rather than replace it.

“Optimized security and performance strategies start with 100% visibility into network traffic. And visibility starts with the packet,” Chris Bihary, CEO and co-founder at Garland Technology, wrote in a blog post. “A common access point for network visibility in OT environments has been from SPAN ports on a network switch. Many times an engineer will connect directly to intrusion detection systems (IDS), or network monitoring tools,” he added.

There are also situations where a router or switch does not have enough SPAN/mirror ports to feed every monitoring tool that needs to see a link's traffic. In such cases, a regeneration (SPAN mode) TAP provides a way to distribute one link's traffic to multiple tools.

Garland's network TAPs offer a SPAN or regeneration mode that takes a single SPAN link and copies the same traffic to multiple tools. The company also offers SPAN aggregation: where SPAN ports must be used, aggregator TAPs take several SPAN feeds and consolidate them into just one or two links toward the tools, which reduces cabling and network complexity.

Garland also offers Data Diode TAPs, which are designed to secure SPAN links by ensuring that no traffic can flow back from the monitoring tools toward the network. A Data Diode TAP acts as a traffic enforcer, protecting critical digital systems such as industrial control systems from inbound attack over the monitoring path. The unidirectional, one-way data flow of a data diode is designed to secure OT network segments from external threats by eliminating inbound data flow, while still providing the out-of-band data flow needed for monitoring.

Network TAPs are purpose-built hardware devices that create an exact duplicate of the traffic flow, continuously and 24/7, without compromising network integrity. They provide access to and monitoring of network traffic by copying packets, without impacting the traffic itself.

A network TAP sits in line on a network segment, between two appliances such as routers, switches or firewalls, and lets traffic flow between its network ports without interruption while creating an exact copy of both sides of the conversation. The TAP transmits the send and receive streams simultaneously on separate dedicated channels, ensuring that all data arrives at the monitoring or security device in real time. One practical consequence is that a tool fed by a breakout TAP receives two monitor feeds, one per direction, so it either needs two capture interfaces or the feeds need to be aggregated before reaching it.

Network TAPs are also scalable: they can provide a single copy, multiple copies (regeneration) or consolidated traffic (aggregation) to get the most out of the monitoring tools. The raw packet copies are then used for monitoring and security analysis. They include a tested algorithm that merges the send and receive streams with consistent timing, so the tools see an accurately ordered view of the conversation. TAPs are relatively inexpensive compared to the tools and infrastructure they feed.

Port mirroring, also known as SPAN (Switched Port Analyzer), uses designated ports on a network appliance such as a switch that are configured to send a copy of the packets seen on one port (or an entire VLAN) to another port, where the packets can be analyzed. Many switches limit the number of SPAN sessions or monitoring ports that can be configured, often to a maximum of two per switch.

SPAN behaviour also varies by switch vendor. Many switch architectures use non-blocking designs that simply drop the overage when a mirror port is overrun, and depending on the switch used there can be an adverse effect on production traffic or switch performance. SPAN sessions are configured on the switch to provide access to packets for monitoring and are intended not to interfere with the switch's normal operation; to guarantee that, the switch gives mirrored traffic low processing priority and drops SPAN packets when it is heavily utilized or the SPAN port is oversubscribed. Oversubscription is easy to reach: mirroring both directions of a single full-duplex link onto a SPAN port of the same speed is already 2:1 oversubscribed in the worst case, and every additional source port makes it worse.

SPAN is also known to produce trace files with duplicated packets when the session is set up to capture both ingress and egress traffic. When both the ingress and egress ports of a switched path are mirrored, the same frame is copied twice on its way through the switch, and the monitoring tool receives duplicate packets, a problem that turns into a whack-a-mole headache to clean up. The usual workarounds are to mirror only the receive (rx) direction on each source port, or to deduplicate the capture afterwards.
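The following is an added example, not code from the article or from Garland Technology, that models the two SPAN pitfalls described in the last two paragraphs: oversubscription of the destination port, and duplicated frames when both ingress and egress of a switched path are mirrored. The port names, link speeds, MAC addresses and frames are constructed for illustration, and the deduplication follows the same idea as `editcap -d` (a small window of previous frames), which is an assumption about how a practitioner would clean such a capture rather than anything the article prescribes.

```python
"""Added example, not code from the article or from Garland Technology: a small
model of two SPAN pitfalls, oversubscription and duplicated frames when both
ingress and egress of a switched path are mirrored. Port names, link speeds,
MAC addresses and frames below are constructed for illustration."""
import hashlib
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class SpanSource:
    port: str
    speed_bps: int   # port line rate
    direction: str   # "rx", "tx" or "both", as in a SPAN session definition


def span_offered_load(sources, dest_speed_bps):
    """Worst-case bit rate a SPAN session can push at its destination port.

    A full-duplex source mirrored 'both' can supply 2x its line rate, so even a
    single 1 Gbit/s port mirrored 'both' into a 1 Gbit/s SPAN port is 2:1
    oversubscribed, and the switch drops the excess rather than delaying
    production traffic. Returns (offered_bps, oversubscription_ratio)."""
    offered = sum(s.speed_bps * (2 if s.direction == "both" else 1)
                  for s in sources)
    return offered, offered / dest_speed_bps


def build_frame(dst_mac, src_mac, payload):
    """Minimal Ethernet II frame: dst MAC, src MAC, EtherType 0x0800, payload."""
    return bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + b"\x08\x00" + payload


def simulate_span(events, mirrored):
    """What a tool on the SPAN destination port sees.

    events: (timestamp, ingress_port, egress_port, frame) for each frame the
    switch forwards. mirrored: {port: direction}. A frame is copied once when it
    enters a port mirrored 'rx'/'both' and again when it leaves a port mirrored
    'tx'/'both'. Because the path is Layer 2 switched, the two copies are
    byte-identical, which is the duplicate-packet problem described above."""
    seen = []
    for ts, ingress, egress, frame in events:
        if mirrored.get(ingress) in ("rx", "both"):
            seen.append((ts, frame))
        if mirrored.get(egress) in ("tx", "both"):
            seen.append((ts, frame))
    return seen


def dedup_frames(frames, window=5):
    """Drop a frame whose bytes match one of the previous `window` frames.

    Same idea as `editcap -d` (assumed default window of 5 frames). Caveat: a
    genuine retransmission with identical bytes inside the window is dropped
    too, so keep the window small and prefer fixing the SPAN session (mirror
    'rx' only on each source port) over post-hoc deduplication.
    Returns (kept_frames, dropped_count)."""
    recent = deque(maxlen=window)
    kept, dropped = [], 0
    for ts, frame in frames:
        digest = hashlib.sha256(frame).digest()
        if digest in recent:
            dropped += 1
            continue
        recent.append(digest)
        kept.append((ts, frame))
    return kept, dropped


# Constructed scenario: a PLC on Gi1/0/1 and an HMI on Gi1/0/2 in the same VLAN
# exchanging four frames. Hypothetical MAC addresses and Modbus-like payloads.
PLC, HMI = "001122aabb01", "001122aabb02"
EVENTS = [
    (0.000, "Gi1/0/1", "Gi1/0/2", build_frame(HMI, PLC, b"read coils 0")),
    (0.001, "Gi1/0/2", "Gi1/0/1", build_frame(PLC, HMI, b"coils 0 = 1")),
    (0.002, "Gi1/0/1", "Gi1/0/2", build_frame(HMI, PLC, b"read coils 1")),
    (0.003, "Gi1/0/2", "Gi1/0/1", build_frame(PLC, HMI, b"coils 1 = 0")),
]


def demo():
    # Session 1: both ports mirrored 'both' -> every frame arrives twice.
    naive = simulate_span(EVENTS, {"Gi1/0/1": "both", "Gi1/0/2": "both"})
    cleaned, dropped = dedup_frames(naive)
    # Session 2: mirror 'rx' only on each port -> each frame seen exactly once.
    # (This only covers traffic between mirrored ports; frames arriving from a
    # port outside the session would not be seen on their egress.)
    fixed = simulate_span(EVENTS, {"Gi1/0/1": "rx", "Gi1/0/2": "rx"})
    offered, ratio = span_offered_load(
        [SpanSource("Gi1/0/1", 10**9, "both"), SpanSource("Gi1/0/2", 10**9, "both")],
        dest_speed_bps=10**9)
    return {
        "naive_count": len(naive), "dedup_count": len(cleaned),
        "dropped": dropped, "fixed_count": len(fixed),
        "offered_bps": offered, "oversubscription": ratio,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows eight frames on the naive session, four after deduplication, four on the rx-only session, and a worst-case offered load of 4 Gbit/s into a 1 Gbit/s destination (4:1 oversubscribed), which is the situation in which a switch will silently discard mirrored packets.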