Network Sensor Placement
Network TAP (INLINE)
A Network TAP is designed to be placed in line with your firewall and switch configuration.
Its purpose is to passively capture traffic while mirroring that traffic to other ports that can be actively tapped or sniffed.
graph LR;
A[Firewall] -->|TAP IN|B(Network Sensor)
B -->|TAP OUT|C{Core Switch}
B -->|TAP Monitor to NIC|B{Network Sensor}
PROS
- inline with the firewall and core switch, guaranteed to capture all ingress and egres traffic
- Easy configuration (harder to miss important segements of the network)
- No dropped packets
- Monitoring devices receive all packets on Layers 1&2 including errors
- No potential timestamp issues
- No need to duplicate packets
- Relieves SPAN port contention
- Completely passive - if the sensor or TAP fails - default fail mode is ‘fail open’
CONS
- Requires a brief network outage to install
- The Onboard TAP is not redundant if you have a HA Firewall configuration without another sensor
SPAN Configuration
Nearly all enterprise switches support Port Mirroring, this is often refered to as a SPAN or a PORT_MIRROR.
graph LR;
A[Firewall] -->|Switch Uplink| C{Core Switch}
C -->|SPAN Configuration| D[Network Sensor]
PROS
- No Downtime Configuration
- Very common and supported by any type of Enterprise-grade switch
- Can Easily be configured in a HA Firewall scenario
CONS
- Adds additional Load to the switch's CPU in order to copy all of the data over the monitoring session
- Can change the time frame interaction of the packets
- Switch prioritizes SPAN port data lower than actual port traffic
- Filters Physical-Layer errors
- Uses an additional switch port for the monitoring output to the network appliance