Intelligence on tap

You might think that network taps are something of an esoteric, plumbing-like part of managing and monitoring networks, and to a certain extent you would be right -- the products are designed to be simple and rock solid and to not leak a single bit (or byte). But the latest offerings are going far beyond this by adding substantial intelligence for flexible deployment of monitoring products and technologies. Why is this important? Two reasons -- growing demands for access and the need to conserve cost.

Demand for access to network packet streams is increasing as IT shops feel the combined needs for live DPI-based monitoring of network-based applications (to meet QoE service objectives), packet analysis for detailed troubleshooting, and full monitoring for security tools like IDSs and NBAD. On top of this, there is the emerging need for special recorders or analyzers for compliance monitoring and auditing. There are plenty of products designed to meet several of these requirements; however, the need for operational independence, especially for compliance and security objectives, means that in most cases multiple tools will be deployed.

At the recent Interop 2008 show in New York, I visited with four vendors that happened to be exhibiting -- NetOptics, Gigamon, Anue Systems, and Network Critical. There are lots of other tap vendors out there, but these were representative of the current state of the art. I looked at their most fully functional intelligent tap products, sometimes also known as matrix switches -- the Anue Systems 5200 Series Tool Aggregator, the Gigamon GigaVUE-2404 Data Access Switch, the NetOptics Director, and the Network Critical SmartNA 10G Filtering TAP. Show floor conversations cannot be considered a full review or complete comparison, but here are some key observations:

1. 10G support: All four were offering support for multiple 10G Ethernet links, with Gigamon's offering the largest at 24 ports of 10G. All also offered the ability to pass 10G straight through or split it down to 1G. Given that most monitoring tools cannot process full 10G, and the fact that most 10G links today still don't operate anywhere near capacity, this can be a useful means of avoiding (or at least delaying) deployment of 10G-rated monitoring tools, which almost without exception are substantially more expensive than 1G-rated variants.

2. Intelligent filtering: Again, all four offered a means of reducing the data stream to focus on particular applications, protocols, or address ranges. This means that you could send just the database transaction traffic to a particular recorder/analyzer, for instance for SEC SOX compliance, and all of the PCI traffic to another recorder for PCI compliance, while sending a full copy of everything to an IDS.

3. Graphical interface for configuration: Some of the vendors have added simple, easy-to-use, drag-and-drop management interfaces for managing and configuring their devices. Both Anue Systems and NetOptics have Visio-like tools for fast setup with minimal effort. This is really helpful as a means to shorten the learning curve and the time spent setting up the access technology, leaving more time for working with the monitoring tools that are then attached.

4. Direct monitoring: All of the offerings included some means of recognizing total traffic flow via SNMP agents; however, one of the vendors, NetOptics, has gone further to add Basic RMON statistics. Another, Network Critical, offers a free traffic monitoring utility to visualize and report on the streams that go by, with details down to 1-second intervals. While these capabilities will not replace fully featured application-aware performance monitoring systems, they are certainly better than not having any, and if nothing else provide a useful complementary viewpoint to deployed products.

The products I looked at range from about US$15,000 to just under six figures, list, but they can still be well worth the price. Beyond the cost savings discussed above, like delaying/avoiding the cost of 10G-rated monitoring tools, there are two other very important operational advantages to be considered. First, when using a multi-port access device, it's possible to avoid the request/approval delays many organizations require to insert a new tapping point or redirect an existing one -- a process which can often take days (or even weeks) to complete. And second, by reducing the number of tap boxes (by having more functions in one) and the number of monitoring devices (by using aggregation features), you can help to achieve Green IT initiatives via reduced electronic materials deployment and reduced energy use.

The bottom line is that intelligent taps should be part of the thinking whenever you are planning major changes to your network, whether it is an upgrade, a new data center, or a plan to deploy more and different monitoring or compliance technologies on top of what you have out there already. The cost savings can be compelling, and the opportunity to also meet greening objectives is icing on the cake.

Frey is senior analyst at Enterprise Management Associates.

