Performance analysis 'tapped' in: aggregating taps offer a viable option for monitoring network performance and security.


Effective IT security and performance management relies on visibility. IT departments need visibility of production network data to identify security vulnerabilities and violations, as well as network and application performance. Often, this involves the deployment of analysis devices capable of examining a vast quantity of data traversing critical network links. Intrusion detection, intrusion protection, network monitoring, application monitoring, Web monitoring and protocol analysis are some of the solutions increasingly deployed on the network to ensure IT compliance and performance.

[ILLUSTRATION OMITTED]

When planning to deploy analysis solutions on the network, two questions should be answered: How will the network data be accessed, and where will the access points be placed? The answer to these questions will often determine the effectiveness and value these solutions provide to IT groups.

There are several techniques that answer the question of network access. Typically, a network-security or performance-analysis device utilizes an in-line hub, a plain switch port, a mirror/SPAN port or an in-line tap. Not all of these techniques, however, are equal.

In-line hubs and plain switch ports are the least desirable access methods for critical-link security and performance analysis. This leaves mirror/SPAN ports or in-line taps as the primary means of network access for IT analysis.

Where security and analysis devices get deployed is the other significant question. There are three locations at the center of performance and security analysis that require planned network access--the network's edge, the data center and the distribution layer.

A common attribute of these three critical locations is the use of redundant, high-availability network architectures that rely on multiple paths and devices to ensure resiliency and performance. With the need for 100 percent visibility across the multiple links in a trunk, this architecture represents a challenge for security and performance analysis. Deploying multiple security and network-analysis devices on each route is one solution, but this is expensive and can involve complex or inaccurate synchronization between monitoring solutions.

IN-LINE TAPS RECOMMENDED

In-line taps connect between two end-points on the network, typically a switch, router, firewall or server. Once installed, taps provide instant plug-and-play access to the network, with full visibility into link traffic, errors, security threats and applications.

Pre-installed taps on critical network segments are one solution, giving engineers instant access to data they need without configuration risks or contention issues for switch/router resources. Traditional in-line taps are best suited for use with dual-interface analysis devices.

Aggregating in-line taps combine full-duplex traffic, or multiple mirror/SPAN ports, into a single data stream for use with single-interface security and performance-monitoring equipment. Aggregating taps offer a viable new option for analysis solutions originally intended for mirror/SPAN port deployment. Full-duplex Fast Ethernet and gigabit links have data rates of 200 Mbps or 2 Gbps, respectively.

Just like a mirror/SPAN port, aggregation taps can become oversubscribed. While many organizations do not encounter data rates that lead to oversubscription, it is still an issue to consider when planning the use of aggregation taps or mirror/SPAN ports. (Note: Fast Ethernet links are fully supported with an aggregation tap when a gigabit-capable analysis device is monitoring.)

The extension of full-duplex link-aggregation technology allows taps to combine data from multiple links. A dual-link, aggregation in-line tap installs on two links and combines traffic into a single gigabit data stream. For organizations utilizing redundant and asymmetrical network design, this tap provides a single access point for security and performance-analysis visibility across multiple network paths.

Instead of purchasing a security or performance-analysis device for each link on a meshed trunk, an IT department can now spend less on monitoring solutions, while still maintaining full visibility across the critical network fabric. Packet timing issues are also resolved with dual-link aggregation taps since tricky clock synchronization between multiple monitoring devices does not skew packet timestamps.

OVERSUBSCRIPTION A PROBLEM

Link aggregation extends the ROI of network security and performance solutions, but also subjects them to greater data rates that can cause overloaded CPU processing. In addition, as a greater number of links are aggregated, the chance of oversubscribing the monitoring ports used by security and performance-analysis devices increases.

Filtering link-aggregation taps resolve these two issues. These taps have line-rate filtering built into their architecture that offloads the processing of extraneous data normally sent to analysis solutions. Filtering aggregation taps allow the user to filter on specific traffic within the tap.

For instance, a tap can be used to block all broadcast and multicast traffic before aggregation, employing a second level of filters specific to each of the four analysis devices attached to the tap. This technique has two major benefits: It eliminates the chance of oversubscription during aggregation and frees up valuable processing cycles with the elimination of irrelevant packets.
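The following added example (not from the article or from any tap vendor) models the two-stage filtering just described and checks each monitor port for the oversubscription discussed earlier. The gigabit monitor-port rate, the per-second counter record layout, the port names and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict

MONITOR_PORT_BPS = 1_000_000_000  # assumption: gigabit monitor port on the tap

def is_group_address(dst_mac: bytes) -> bool:
    # Broadcast and multicast destinations have the I/G bit set
    # (least-significant bit of the first octet).
    return bool(dst_mac[0] & 0x01)

def aggregate(records, port_filters, drop_group=True):
    """Model of a filtering aggregation tap.

    records: (second, link, dst_mac, ethertype, byte_count) counters
    port_filters: {monitor_port: predicate(record)}, the second-level filters
    Returns {monitor_port: {second: offered_bits}}.
    """
    load = {port: defaultdict(int) for port in port_filters}
    for rec in records:
        second, _link, dst_mac, _ethertype, byte_count = rec
        if drop_group and is_group_address(dst_mac):
            continue  # stage 1: dropped before aggregation
        for port, keep in port_filters.items():
            if keep(rec):  # stage 2: per-monitor-port filter
                load[port][second] += byte_count * 8
    return load

def oversubscribed(load, capacity_bps=MONITOR_PORT_BPS):
    # (port, second) pairs whose offered load exceeds the monitor port rate.
    return [(port, sec) for port, per_sec in load.items()
            for sec, bits in sorted(per_sec.items()) if bits > capacity_bps]

def mbit(n):
    return n * 1_000_000 // 8  # megabits -> bytes

UNICAST = bytes.fromhex("020000000001")    # constructed addresses
BROADCAST = bytes.fromhex("ffffffffffff")
MULTICAST = bytes.fromhex("01005e000001")
# Constructed per-second counters for two tapped full-duplex links.
SAMPLE = [
    (0, "A", UNICAST, 0x0800, mbit(600)), (0, "A", UNICAST, 0x0800, mbit(250)),
    (0, "B", UNICAST, 0x86DD, mbit(100)), (0, "B", BROADCAST, 0x0806, mbit(30)),
    (0, "A", MULTICAST, 0x0800, mbit(40)),
    (1, "A", UNICAST, 0x0800, mbit(700)), (1, "B", UNICAST, 0x0800, mbit(400)),
    (1, "B", UNICAST, 0x86DD, mbit(100)),
]
PORTS = {"all": lambda r: True, "ipv6_only": lambda r: r[3] == 0x86DD}

if __name__ == "__main__":
    print("unfiltered:", oversubscribed(aggregate(SAMPLE, PORTS, drop_group=False)))
    print("filtered:  ", oversubscribed(aggregate(SAMPLE, PORTS)))
```

In the sample, dropping broadcast and multicast brings second 0 back under the port rate, while second 1 still exceeds it on the unfiltered port and only the narrower per-port filter stays within capacity.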

In-line models of filtering link-aggregation taps can be used on up to two links, while mirror/SPAN models can process up to four connections. Each model also allows for media conversion and remote configuration within distributed analysis environments. With four monitoring ports on each tap, there are plenty of access points for several IT groups and users.

While modern network architectures make analyzing critical traffic across meshed architectures difficult, the latest generation of multilink aggregation taps eliminates this complexity and reduces the cost of analysis-solution deployment. Data regeneration offered by the latest generation of taps offers greater connectivity options and reduces the contention for data access often found with mirror/SPAN ports.

Finally, new filtering aggregation taps improve the performance of network analysis devices by limiting CPU processing spent on unnecessary packets. IT groups that spend resources on security, application and network analysis will benefit by understanding how the latest generation of taps provide greater visibility with lower overall cost and less complexity.

For more information: rslouds.com/710cn-255

Robert Finlay is product manager, network management, for Fluke Networks, Everett, Wash.
COPYRIGHT 2007 Nelson Publishing
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2007 Gale, Cengage Learning. All rights reserved.

Article Details
Title Annotation:Networking Monitoring
Author:Finlay, Robert
Publication:Communications News
Geographic Code:1USA
Date:Oct 1, 2007
Words:969