You are on page 1of 35

What is Intrusion?

An intrusion is a type of attack on information assets in which the instigator attempts to gain entry into a system or disrupt the normal operations of a system. In Browns et al. (2002) view, intrusions are actions that attempt to bypass security mechanisms of computer systems. They are any set of actions that threatens the integrity, availability or confidentiality of the information and the information system, where integrity means that data have not been altered or destroyed in an unauthorized manner and where confidentiality means that information is not made available or disclosed to unauthorized individuals, entities or processes.

Intruder and its Types:

One of the two most publicized threats to security is the intruder (the other is viruses), generally referred to as a hacker or cracker. There are three types of intruders y y y Masquerader: An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his privileges. Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.

Password Protection & Privileges Escalation:

The objective of the intruder is to gain access to a system or to increase the range of privileges accessible on a system. Generally, this requires the intruder to acquire information that should have been protected. In some cases, this information is in the form of a user password. With knowledge of some other user's password, an intruder can log in to a system and exercise all the privileges accorded to the legitimate user. A system must maintain a file that associates a password with each authorized user. If such a file is stored with no protection, then it is an easy matter to gain access to it and learn passwords. Method to protect Password File y One-way function: The system stores only the value of a function based on the user's password. When the user presents a password, the system transforms that password and compares it with the stored value. In practice, the system usually performs a oneway transformation (not reversible) in which the password is used to generate a key for the one-way function and in which a fixed-length output is produced. Access control: Access to the password file is limited to one or a very few accounts.

Ways to Gain Password and illegitimate Access

1. By Learning Password 2. Buffer Overflow attack 3. Privileges Escalation

1. By Learning Password:
1. Try default passwords used with standard accounts that are shipped with the system. Many administrators do not bother to change these defaults. 2. Exhaustively try all short passwords (those of one to three characters). 3. Try words in the system's online dictionary or a list of likely passwords. Examples of the latter are readily available on hacker bulletin boards. 4. Collect information about users, such as their full names, the names of their spouse and children, pictures in their office, and books in their office that are related to hobbies. 5. Try users' phone numbers, Social Security numbers, and room numbers. 6. Try all legitimate license plate numbers for this state. 7. Use a Trojan horse to bypass restrictions on access. 8. Tap the line between a remote user and the host system. The first six methods are various ways of guessing a password. If an intruder has to verify the guess by attempting to log in, it is a tedious and easily countered means of attack. For example, a system can simply reject any login after three password attempts, thus requiring the intruder to reconnect to the host to try again. Under these circumstances, it is not practical to try more than a handful of passwords and intruder is unlikely to try such crude methods. The seventh method of attack listed earlier, the Trojan horse, can be particularly difficult to counter. An example of a program that bypasses access controls was cited. A lowprivilege user produced a game program and invited the system operator to use it in his or her spare time. The program did indeed play a game, but in the background it also contained code to copy the password file, which was unencrypted but access protected, into the user's file. Because the game was running under the operator's high-privilege mode, it was able to gain access to the password file.

2. Buffer over flow Attack:

A buffer overflow is an attack that could be used by a cracker to get full system access through various methods by essentially cracking a computer using brute force. Most security applications are incapable of adequate defense against these kinds of attacks. Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program operates. This may result in erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security. Thus, they are the basis of many software vulnerabilities and can be maliciously exploited.

3. Privilege Escalation
Privilege escalation means a user receives privileges they are not entitled to. These privileges can be used to delete files, view private information, or install unwanted programs such as viruses. It usually occurs when a system has a bug that allows security to be bypassed or, alternatively, has flawed design assumptions about how it will be used. Privilege escalation occurs in two forms:

Vertical privilege escalation, also known as privilege elevation, where a lower privilege user or application accesses functions or content reserved for higher privilege users or applications (e.g. Internet Banking users can access site administrative functions or the password for Smartphone can be bypassed.) Horizontal privilege escalation, where a normal user accesses functions or content reserved for other normal users (e.g. Internet Banking User A accesses the Internet bank account of User B)

Protective Measures against these Issues

1. Buffer Overflow Protection:
Buffers are data storage areas, which generally hold a pre-defined amount of finite data. A buffer overflow occurs when a program attempts to store data into a buffer, and the data is larger than the size of the buffer. During buffer overflow the extra data can overflow into adjacent memory locations, corrupting valid data and possibly changing the execution path and instructions. The ability to exploit a buffer overflow allows one possibly inject arbitrary code into the execution path. This arbitrary code could allow remote system level access, giving unauthorized access to not only malicious hackers, but also to replicating malware. How it Works Typically, buffer overflow protection modifies the organization of data in the stack frame of a function call to include a "canary" value which, when destroyed, shows that a buffer preceding it in memory has been overflowed. This gives the benefit of preventing an entire class of attacks. Canaries: Canaries or canary words are known values that are placed between a buffer and control data on the stack to monitor buffer overflows. When the buffer overflows, the first data to be corrupted will be the canary, and a failed verification of the canary data is therefore an alert of an overflow, which can then be handled, for example, by invalidating the corrupted data.

1. Stack Guard- Stack Guard was released for GCC in 1997 and it provides buffer overflow protection. It was invented by Crispin Cowan. 2. Stack-Smashing Protector (ProPolice) - it is an enhancement of the Stack Guard concept written and maintained by Hiroaki Etoh of IBM. 3. Stack Ghost (hardware-based) - Stack Ghost is a simple tweak to the register window spill/fill routines which makes buffer overflows much more difficult to exploit. It uses a unique hardware feature of the Sun Microsystems SPARC architecture to detect modifications of return pointers transparently, automatically protecting all applications without requiring binary or source modifications.

2. Privilege Escalation Protection Operating systems and users can use the following strategies to reduce the risk of privilege escalation. Some tools are discussed below. Data Execution Prevention: Data Execution Prevention (DEP) is a security feature included in modern operating systems and is intended to prevent an application or service from executing code from a non-executable memory region. This helps prevent certain exploits that store code via a buffer overflow, for example. DEP runs in two modes: hardware-enforced DEP for CPUs that can mark memory pages as non-executable and software-enforced DEP with a limited prevention for CPUs that do not have hardware support. Security Patches: It is effective to stop successful exploitation and remove or mitigate a threats capability to exploit a specific vulnerability in an asset. Security patches are the primary method of fixing security vulnerabilities in software. Currently Microsoft releases its security patches once a month, and other operating systems and software projects have security teams dedicated to releasing the most reliable software patches as soon after a vulnerability announcement as possible.

Intrusion Attacks
Evasion: Evasion is a term used to describe techniques of bypassing an information security device in order to deliver an exploit, attack or other malware to a target network or system, without detection. Evasions are typically used to counter network-based intrusion detection and prevention systems (IPS, IDS) but can also be used to by-pass firewalls. A further target of evasions can be to crash a network security device, rendering it in-effective to subsequent targeted attacks. Evasions can be particularly nasty because a well-planned and implemented evasion can enable full sessions to be carried forth in packets that evade an IDS. Attacks carried in such sessions will happen right under the nose of the network and service administrators. Denial of Services (DoS): The hacker can play violently with your computer without penetrating into your computer. DoS intensifies the network and putting high computational load on the target system by sending many connection requests to a target system which increase the volume of data on network and by spoofing the source MAC address of the access point, the receipt has no way of telling if the requests are legitimate or illegitimate and process them, which results in degradation of the network. Other well-known DoS attacks include WinNuke, teardrop, Land, and bonk. y Flooding compromising a system by sending huge amounts of useless information to lock out legitimate traffic and deny services:

o Ping flood (Smurf) a large number of ICMP packets sent to a broadcast address, o Send mail flood - flooding with hundreds of thousands of messages in a short period of time; also POP and SMTP relaying, o SYN flood initiating huge amounts of TCP requests and not completing handshakes as required by the protocol, Spoofing and Hijacking: Hijacking is one step ahead to spoofing. Hijacking fakes someones identity in order to take over the connection that is already established. Spoofing is a technique that forwards the packets to a computer with a source address indicating that the packets are coming from trusted computer. Forceful Browsing: Forceful browsing is very fundamental and easy to execute hacking technique that allows the attacker to jump directly to pages that can normally only be accessed through authentication mechanisms. By guessing the names of files and directories the hacker can view them without going through the business logic leading to those objects. Parameter Tampering Parameter tampering is a class of attack in which a hacker modifies data sent between the client and web application, such as URL query strings, form fields and cookies. Most web applications include a backend database and the URL includes a SQL call to this database. Malicious users can manipulate the SQL code to potentially retrieve a listing of all users, passwords, credit card numbers, or any other data stored in the database. Cookie Poisoning: Cookie Poisoning is the modification of a cookie by a hacker to gain unauthorized information about a user, typically for the purposes of identity theft. The hacker will then use this information to gain access to the users accounts or fraudulently open new accounts.

Intrusion Detection System

An IDS is a device or software application that monitors network and/or information system for malicious activities or policy violations and responds to that suspicious activity by warning the system administrator by one of several ways, including displaying an alert, logging the event or even paging the administrator.

Types of Technology in IDS: There are two approaches 1. Network-Based 2. Host-Based 1. In Host-Based IDS, Both servers and workstations are protected by host-based intrusion detection systems (HID) through secure and controlled software communication channels between systems applications and operating system kernel. The HID will catch suspicious activity on the system and then, depending on the predefined rules, it will either block or allow the event to happen. 2. While Network-Based (NID) is a software or dedicated hardware system that connects directly to a network segment and protects all of the systems attached to the same or downstream network segments. An interesting aspect of network intrusion prevention system is that if the system finds an offending packet of information, it can rewrite the packet so the hack attempt will fail, but it means the organization can mark this event to gather evidence against the would be intruder, without the intruders knowledge. Detection Techniques in IDS: There are two detection techniques and IDS use one of them at 1 time. 1. Anomaly Detection 2. Signature Detection 1. Anomaly detection is designed to uncover abnormal patterns that deviate from what is considered to be normal behavior, whereas IDS establishes a baseline of normal usage patterns and anything that widely deviates from it gets flagged as a possible intrusion. An example of this would be if a user logs on and off of a machine eight times a day instead of the normal one or two. In other case, if a user in an IT department suddenly starts to access accounting programs or recompiles them, then the system must immediately raise an alarm or alert its administrators 2. Unauthorized behavior is normally detected by their misuse and is also commonly referred as Signature detection. However, this method uses known patterns of unauthorized behavior to predict and detect subsequent similar attempts. These specific patterns are called signatures. For host-based intrusion detection/prevention, one example of a signature is three failed logins. The concept behind misuse detection schemes is that there are ways to represent attacks in the form of a pattern or a signature so that even variations of the same attack can be detected. This means that these systems are not unlike virus detection systems, they can detect many or all known attack patterns.

Comparison with firewalls Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system. This is traditionally achieved by examining network communications, identifying heuristics and patterns (often known as signatures) of common computer attacks, and taking action to alert operators.

IDS Products:

1. Cyber Cop Monitor Solaris

System based IDS that has the ability to detect network reconnaissance stealth port scanning over many months, warning against even the most determined attacks. Cyber Cop Monitor's unique system based Intrusion Detection architecture provides both real-time packet analysis and system event analysis. Advanced security features include the detection and alerting of attacks destined not only to the system it is trying to protect, but also when that system is being used as a "jumping off point" to launch attacks against other network assets. Monitor's C2 auditing capabilities produce a more detailed audit report and can create audit logs by user, event and class to integrate with the Solaris Basic Security Mode (BSM) functionality. This capability enables powerful logging of events down to the system call level to counter even the most skillful system misuse. 2. Real Secure Integrated network- and host-based intrusion detection and response system. This maximum level of around-the-clock surveillance extends unobtrusively across the enterprise, allowing administrators to automatically monitor network traffic and host logs, detect and respond to suspicious activity, and intercept and respond to internal or external host and network abuse before systems are compromised. 3. Silent Runner Network security solution specifically designed to address the insider threat. A passive network discovery LAN engine, consisting of ten major modules, permits the user to view in real-time network topology and activity levels, display individual terminal activity, create and execute Boolean logic alerts and sort and process network data for further detailed visualization and analysis. 4. Snort Snorts open source network-based intrusion detection system (NIDS) has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs protocol analysis, content searching, and content matching. The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, common gateway interface, buffer overflows, server message block probes, and stealth port scans

Intrusion Prevention System

The IPS is a device or software application that has all the capabilities of IDS and can also attempt to stop possible incidents. IPS is designed and developed for more active protection to improve upon the IDS and other traditional security solutions. Usually, disable prevention features in IPS products cause them to function as IDS. Response Techniques In IPS: y The IPS stops the attack itself - It Terminate the network connection or user session that is being used for the attack. It also Block access to the target (or possibly other likely targets) from the offending user account, IP address, or other attacker attribute. It Block all access to the targeted host, service, application, or other resource. The IPS changes the security environment. The IPS could change the configuration of other security controls to disrupt an attack. Common examples are reconfiguring a network device (e.g., firewall, router, switch) to block access from the attacker or to the target, and altering a host-based firewall on a target to block incoming attacks. Some IPSs can even cause patches to be applied to a host if the IPS detects that the host has vulnerabilities. The IPS changes the attacks content. Some IPS technologies can remove or replace malicious portions of an attack to make it benign. A simple example is an IPS removing an infected file attachment from an e-mail and then permitting the cleaned email to reach its recipient. A more complex example is an IPS that acts as a proxy and normalizes incoming requests, which means that the proxy repackages the payloads of the requests, discarding header information. This might cause certain attacks to be discarded as part of the normalization process.

Types of Technology In IPS: 1. Network-Based- which monitors network traffic for particular network segments or devices and analyzes the network and application protocol activity to identify suspicious activity. 2. Wireless, which monitors wireless network traffic and analyzes it to identify suspicious activity involving the wireless networking protocols themselves. 3. Network Behavior Analysis (NBA), which examines network traffic to identify threats that generate unusual traffic flows, such as DDoS attacks, scanning, and certain forms of malware. 4. Host-Based, which monitors the characteristics of a single host and the events occurring within that host for suspicious activity.

Detection Techniques in IPS: There are two detection techniques and IDS use one of them at 1 time. 1. Anomaly Detection 2. Signature Detection 3. State full Protocol Analysis 1. Anomaly-based detection, which compares definitions of what activity, is considered normal against observed events to identify significant deviations. This method uses profiles that are developed by monitoring the characteristics of typical activity over a period of time. The IDPS then compares the characteristics of current activity to thresholds related to the profile. Anomaly-based detection methods can be very effective at detecting previously unknown threats. Common problems with anomaly-based detection are inadvertently including malicious activity within a profile, establishing profiles that are not sufficiently complex to reflect real-world computing activity, and generating many false positives. 2. Signature-based, which compares known threat signatures to observed events to identify incidents. This is very effective at detecting known threats but largely ineffective at detecting unknown threats and many variants on known threats. Signature-based detection cannot track and understand the state of complex communications, so it cannot detect most attacks that comprise multiple events. 3. Stateful protocol analysis, which compares predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations. Unlike anomaly-based detection, which uses host or network-specific profiles, stateful protocol analysis relies on vendor-developed universal profiles that specify how particular protocols should and should not be used. It is capable of understanding and tracking the state of protocols that have a notion of state, which allows it to detect many attacks that other methods cannot. Problems with stateful protocol analysis include that it is often very difficult or impossible to develop completely accurate models of protocols, it is very resource-intensive, and it cannot detect attacks that do not violate the characteristics of generally acceptable protocol behavior. IPS Products: y Honey Pots Honeypots are a highly flexible security tool with differing applications for security. They don't fix a single problem; instead they have multiple uses, such as prevention, detection, or information gathering. Honeypots all share the same concept, a security resource that should not have any production or authorized activity. This makes them very simple to use. There are two general types of honeypots, production and research. Production honeypots are easy to use, capture only limited information, and used primarily by companies or corporations.

Host Intrusion Prevention System (HIPS) Firewalls protect a host by monitoring network packets and attempting to identify good vs. bad traffic. A complement program to firewalls is Host Intrusion Prevention Systems (HIPS). HIPS works to protect a host by monitoring applications that execute. HIPS tries to look at what the program does, either by intercepting system calls or watching packets or other system activity. These may be rule based or may assign scores for certain activity. Network Intrusion Prevention System (NIPS) Network IPS sit inline on the network, statefully analyzing packet content and block certain packets that match a signature and alert on others. It is sometimes easier to explain what isn't an IPS for instance products that just block by port such as routers and many firewalls. Furthermore, the IPS must block the packet and not just use TCP resets, spoof reject packets from border devices or update border devices to shun addresses. Attack Mitigation Systems The main definition between NIPS and Mitigators would be Mitigators are designed to do one specific job - detect and mitigate against DOS/DDOS attacks and bilateral effects of worm activity. NIPS are designed to detect malicious traffic and drop the packet/stream. NIPS are not always necessarily good at mitigating DOS/DDOS attacks. Mitigators generally do not have the signature coverage to provide good NIPS functionality. NIPS are like IDS but in-line. Mitigators are like firewalls but designed to detect and prevent DOS attacks rather than enforce policy.

Justification for IDS and IPS

There is some data shown of few previous years which indicated that in last few years the number of accident has increased immensely so there is definitely a need to do a lot in this regard.

Data analysis tools

Wireshark Wireshark is a network packet analyzer. A network packet analyzer will try to capture network packets and tries to display that packet data as detailed as possible. You could think of a network packet analyzer as a measuring device used to examine what's going on inside a network cable. Some intended purposes Here is some examples people use Wireshark for:
y y y y

network administrators use it to troubleshoot network problems network security engineers use it to examine security problems developers use it to debug protocol implementations people use it to learn network protocol internals

Features The following are some of the many features Wireshark provides:
y y y y y y y y y

Available for UNIX and Windows. Capture live packet data from a network interface. Display packets with very detailed protocol information. Open and Save packet data captured. Import and Export packet data from and to a lot of other capture programs. Filter packets on many criteria. Search for packets on many criteria. Colorize packet display based on filters. Create various statistics.

What Wireshark is not Here are some things Wireshark does not provide:

Wireshark isn't an intrusion detection system. It will not warn you when someone does strange things on your network that he/she isn't allowed to do. However, if strange things happen, Wireshark might help you figure out what is really going on. Wireshark will not manipulate things on the network, it will only "measure" things from it. Wireshark doesn't send packets on the network or do other active things (except for name resolutions, but even that can be disabled).

Tshark: Tshark can be used to dump network traffic into capture files for later processing. For this, we need to tell tshark which interface to listen to and which traffic to capture. This is an example.

The -f flag is used to specify a network capture filter (more on filters later). Packets that do not verify the condition following the -f flag will not be captured. In this example, only IP packets that are coming from or going to UDP port 1812 are captured. The -i flag is used to specify the interface from which we expect to see the RADIUS packets. Change 'eth0' to whatever your interface name is. The -w flag is used to specify a file where the captured traffic will be saved for later processing

Network capture rules or filters, specified by the -f option allows you to tell tshark which packets should be captured. Tshark can process network capture files and produce an output that can be exploited for analyzing and troubleshooting network protocols. The dissection capability allows for example to display some specific fields/information about each packet in a network traffic capture file. This generate the following Output (sample>;51514;;21;50914;;50366;47575;;35328;43957;;56747;36637;;33607 What tshark do Display http response codes Display Top 10 URLs Display Source IP and MAC Address. Source and Target IP Source and Target IPv6 Source IP and DNS Query

Tcpdump Tcpdump is a common packet analyzer that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Tcpdump is free software. Common uses Tcpdump analyzes network behavior, performance and applications that generate or receive network traffic. It can also be used for analyzing the network infrastructure itself by determining whether all necessary routing is occurring properly, allowing the user to further isolate the source of a problem. It is also possible to use tcpdump for the specific purpose of intercepting and displaying the communications of another user or computer. A user with the necessary privileges on a system acting as a router or gateway through which unencrypted traffic such as Telnet or HTTP passes can use tcpdump to view login IDs, passwords, the URLs and content of websites being viewed, or any other unencrypted information. The user may optionally apply a BPF-based filter to limit the number of packets seen by tcpdump; this renders the output more usable on networks with a high volume of traffic.

What is Network Tap A network tap is a hardware device which provides a way to access the data flowing across a computer network. In many cases, it is desirable for a third party to monitor the traffic between two points in the network. If the network between points A and B consists of a physical cable, a "network tap" may be the best way to accomplish this monitoring. The network tap has (at least) three ports: an A port, a B port, and a monitor port. A tap inserted between A and B passes all traffic through unimpeded, but also copies that same data to its monitor port, enabling a third party to listen. Network taps are commonly used for network intrusion detection systems, VoIP recording, network probes, RMON probes, packet sniffers, and other monitoring and collection devices and software that require access to a network segment. Taps are used in security applications because they are non-obtrusive, are not detectable on the network (having no physical or logical address), can deal with full-duplex. Network Topology of Network Copper Tap

Network Topology of Network Fiber Tap

Why do I need a Network TAP? There are many different methods for gaining access to your network. Some of the traditional methods used for gaining access to network traffic include using a SPAN port on your switch or connecting a monitoring device in-line on the network. There are challenges with both of these scenarios. Using a SPAN port can often be the cheapest solution, but using this method has many hazards. Often, when SPAN ports are over-subscribed, packets are dropped before data reaches the monitoring tool. There is also the risk of the losing some of the error packets that may be causing problems. If this data is never sent to the monitoring tool because it is being dropped, it is impossible to troubleshoot, no matter how advanced a tool you may be using. There are different problems when a tool is installed in-line. Especially when dealing with a critical network, it is essential that the network is available at all times because down time can be very costly. When a device is installed in-line, the network must be brought down every time updates are required or the tool needs to be re-booted. Similarly, if the monitoring tool fails, the network will go down as well. All of these problems can be solved by using a TAP. When using a TAP, you will be guaranteed that every packet is being sent from the network to the monitoring tool. Because these devices are never over-subscribed, they always pass every packet, even essential error packets that a SPAN port may drop. When a V-Line TAP is installed in-line instead of the monitoring device, you can avoid problems associated with bringing down the network.

Benefits and Features of Network Tap



View 100% of traffic including VoIP, Passive access at 10Mbps to 10Gbps without HTML, application, and layer 1 & 2 errors data stream interference Plug-and-play no configuration required Zero Delay failover on power loss for 10/100/1000 models Media conversion single-device solutions Compatible with Power-over-Ethernet (PoE) (for example, TX to SX) applications Permanent access port avoids breaking a Redundant power supplies network link each time a tool is connected Reliable passive technology ensures Multiple split ratios available for fiber models maximum network uptime Cables Included! all necessary network Secure single-direction traffic flow to cables provided monitoring ports

Types of Network TAPS

Aggregating TAPs It allows you to take the network traffic from multiple network segments and aggregate all of the information to a single monitoring port. This will allow you to use just one monitoring tool to see all of your network traffic. Aggregation Taps are basically subdivided into two groups Port Aggregation Taps and Link Aggregation Taps: y Port Aggregation Taps- Port Aggregation Taps are aggregating the RX- and TX traffic of one network link to one monitoring port. Therefore it is possible to analyze the Full Duplex network traffic on one single interface. After aggregating the TX and RX traffic to one single port, the aggregated traffic is regenerated to a second monitoring port, providing the possibility to have a second monitoring tool to analyze the Full Duplex traffic with also just one NIC. Link Aggregator Taps- These Taps are aggregating the traffic of up to 12 Full Duplex connections into one single interface after Aggregation; the traffic is regenerated to up to 24 monitoring Ports. One big advantage of this solution is that the connected monitoring system only needs one NIC to monitor all 12 connections at the same time. Link Aggregation Taps are perfectly designed for the analysis of asymmetric network traffic and redundant routes with dynamic network protocols.

Regeneration TAPs It will permit you to take traffic from one network segment and send it to multiple monitoring tools. This allows you to send a single traffic stream to a range of different monitoring tools, each serving a different purpose, whilst taking traffic from the network only once. Regeneration Taps provide permanent passive monitoring access ports for 100% visibility into your network's critical links with multiple devices. Compatible with all leading security and network management tools, Regeneration Taps support simultaneous passive deployment of intrusion detection and prevention systems, protocol analyzers, RMON probes, and other key devices. Each monitoring device connected to the Regeneration Taps sees the same traffic at the same time, providing a complete picture of link health for troubleshooting and analysis.

V-Line (Inline or Bypass) Taps V-Line TAPs (also known as Inline or Bypass TAPs) allow you to place a network tool "Virtually Inline". These TAPs are used where monitoring devices need to be placed in-line on the network to be effective, but when putting these devices inline will compromise the integrity of a critical network. By placing a V-Line TAP in its place and connecting the monitoring tool to the V-Line TAP, you can guarantee that the network will continue to flow and the device will not create a failure point in the network. The V-Line series of TAPS provides complete fail-safe protection for an inline appliance by allowing it to be installed virtually inline. This capability is vital for customers who want to deploy inline appliances on mission critical network segments, but simply cant afford the risk of unscheduled downtime or the costly dilemma of scheduled downtime for configuration changes, maintenance, or repair scenarios.

Breakout Tap Breakout TAPs are the simplest form of TAP. A Breakout TAP consists of four ports: two input ports and two output ports. The two input ports each collect traffic from the network; one collecting traffic traveling from point A to point B on the network, the other collecting traffic from point B to point A on the network. The Breakout TAP then sends a copy of this traffic out of the monitoring ports - the A to B traffic is passed out of one port and the B to A traffic out the other port. Both of these monitoring ports are then connected to some form of monitoring device. This allows a copy of the traffic from a single network segment to be monitored and/or analyzed without disturbing the network. Fixed Breakout network TAPs provide a safe and simple way to access live network traffic and provide copies to separate monitoring ports. In a full-duplex network link, a Breakout network TAP will passively copy the live traffic, separate it into RX and TX streams, and send a copy to two monitoring ports, one for each direction of traffic. This ensures a complete copy of network traffic for your monitoring tools without the risk of packet loss. The integrity of your live network is paramount. Thats why Network Critical Breakout TAPs feature fail-safe technologies to preserve the flow of live traffic. Link Lock is featured on all 10/100 Copper TAPs and all Fiber Optic TAPs in our Breakout TAP range. Link Lock ensures that the live network link will never fail, even if the TAP suffers a power outage. Breakout TAPs are available in a full range of network media and port densities to suit your deployment requirements. From portable units for strategic deployment into a single network to high density units for infrastructure deployment in the wiring cabinet, Network Critical has a solution that will fit seamlessly into your data center.

New Technology (Filterable Tap)

A new type of tap, or network access point, is now available. This new type of tap is called a "filterable" tap. It is especially valuable in the 10 Gigabit environments because 10-Gigabit test equipment is very expensive. Some taps, like those from several vendors, offer the ability to utilize less expensive and more widely available 1-Gigabit monitoring and analysis tools with these 10 Gigabit networks. When used in this fashion, some form of load-balancing or portbonding is recommended to avoid packet loss to the monitoring tools. A filterable tap, that provides advanced filtering, can selectively pass data, based on application, VLAN ID, or other parameters, to the 1-Gigabit port for deep analysis and monitoring, including IDS requirements. Filtered access is also the best way to focus on business-critical traffic, or other specific areas of your network. At higher speeds, network traffic analysis cannot be performed using the older "capture and decode everything" philosophy. In this type of environment, focused access is the best way to enable traffic analysis, and often is the only way. Any filterable tap you consider must have a simple user interface for easy setup and management. Furthermore, it must be able to collect the Layer 1 and Layer 2 data, while still allowing for auto saving, and easy access to data by graphing programs. Such a tap can be part of a strategy to monitor for essential metrics, such as frame errors and corrupted frames in IPv6.

Advantages and Features of Network Taps

Full Duplex Taps Modern network technologies are often full-duplex, meaning that data can travel in both directions at the same time. If a network link allows 100 Mbit/s of data to flow in each direction at the same time, this means that the network really allows 200 Mbit/s of aggregate throughput. This can present a problem for monitoring technologies if they have only one monitor port. Therefore, network taps for full-duplex technologies usually have two monitor ports, one for each half of the connection. The listener must use channel bonding or link aggregation to merge the two connections into one aggregate interface to see both halves of the traffic. Other monitoring technologies do not deal well with the full-duplex problem.

Non-Impact to Devices Once a network tap is in place, the network can be monitored without interfering with the network itself. Other network monitoring solutions require in-band changes to network devices, which mean that monitoring can impact the devices being monitored. Once a tap is in place, a monitoring device can be connected to it as-needed without impacting the monitored network.

Regeneration Taps Some taps have multiple output ports, or multiple pairs of output ports for full-duplex, to allow more than one device to monitor the network at the tap point. These are often called regeneration taps. Passive Taps Fiber taps, can use no power and no electronics at all for the pass-through and monitor portion of the network traffic. This means that the tap should never suffer any kind of electronics failure or power failure that results in a loss of network connectivity. One way this can work, for fiber-based network technologies, is that the tap divides the incoming light using a simple physical apparatus into two outputs, one for the passthrough, and one for the monitor. This can be called a passive tap. Other taps use no power or electronics for the pass-through, but do use power and electronics for the monitor port. These can also be referred to as passive. Some network taps offer both duplication of network traffic for monitoring devices and SNMP services. Most major network tap manufacturers offer taps with remote management through Telnet, HTTP, or SNMP interfaces. Such network tap hybrids can be helpful to network managers who wish to view baseline performance statistics without diverting existing tools. Remote Management Most major network tap manufacturers offer taps with remote management through Telnet, HTTP, or SNMP interfaces. Such network tap hybrids can be helpful to network managers who wish to view baseline performance statistics without diverting existing tools. Alternatively, SNMP alarms generated by managed taps can alert network managers to link conditions that merit examination by analyzers to intrusion detection systems.

Disadvantages and Problems

Require Additional Hardware Network taps require additional hardware, so are not as cheap as technologies that use capabilities that are built-in to the network. They are easier to manage and normally provide more data than some network devices though. Require Channel Bonding Network taps can require channel bonding on monitoring devices to get around the problem with full-duplex. y Channel Bonding- a computer networking arrangement in which two or more network interfaces on a host computer are combined for redundancy or increased throughput.

Disruption of Network Being Monitored Putting a network tap into place will disrupt the network being monitored for a short time. It's better than taking a network down multiple times to deploy a monitoring tool though. Place Load on the Network Devices Monitoring large networks using network taps can require a lot of monitoring devices. High end networking devices often allow ports to be enabled as mirror ports which is a software network tap. While any free port can be configured as a mirror port, software taps require configuration and place load on the network devices. y Port Mirroring- it is used on a network switch to send a copy of network packets seen on one switch port to a network monitoring connection on another switch port.

Previous Technologies for Monitoring

Logging in Technology The simplest type of monitoring is logging in to an interesting device and running programs or commands that show performance statistics and other data. This is the cheapest way to monitor a network, and is highly appropriate for small networks. However, it does not scale well to large networks. It can also impact the network being monitored. y Observer effect- is the potential impact of the act of observing a process output while the process is running. For example: if a process uses a log file to record its progress, the process could slow. Furthermore, the act of viewing the file while the process is running could cause an I/O error in the process, which could, in turn, cause it to stop.

SNMP Technology Another way to monitor devices is to use a remote management protocol such as SNMP to ask devices about their performance. This scales well, but is not necessarily appropriate for all types of monitoring. The inherent problems with SNMP are the polling effect and this may still affect the performance of the device being monitored. It also opens up a host of potential security problems. y Polling in SNMP- SNMP polling allows you to constantly monitor the status of various MIB variables. If this function is on, the program polls the values of the variables currently displayed on the screen at the specified interval. MIB- Short for Management Information Base, a database of objects that can be monitored by a network management system

Promiscuous Mode Technology Another method to monitor networks is by enable promiscuous mode on the monitoring host, and connecting it to a shared segment. This works well with older LAN technologies such as 10BASE-T Ethernet, FDDI, and token ring. On such networks, any host can automatically see what all other hosts were doing by enabling promiscuous mode. However, modern switched network technologies such as those used on modern Ethernets provide, in effect, point-to-point links between pairs of devices, so it is hard for other devices to see traffic. y Promiscuous Mode- is a mode for a network interface controller (NIC) that causes the NIC to pass all traffic it receives to the central processing unit (CPU) rather than just passing frames the NIC is intended to receive.

Port Mirroring Technology Another method to monitor networks is to use port mirroring on routers and switches. This is a low-cost alternative to network taps, and solves many of the same problems. However, not all routers and switches support port mirroring and, on those that do, using port mirroring can affect the performance of the router or switch. These technologies may also be subject to the problem with full-duplex and there are often limits for the router or switch on how many pass-through sessions can be monitored, or how many monitor ports (generally two) can monitor a given session.

Port Mirroring- it is used on a network switch to send a copy of network packets seen on one switch port to a network monitoring connection on another switch port.

Network Tap Products

Dual 10/100/1000 Base-T Port Aggregator Tap

The iTap 10/100/1000 Port Aggregator is Net Optics most Intelligent Tap making network monitoring easier than ever. The iTap Port Aggregator displays the link utilization levels for both directions in real time, with the size and time of the last peak, right on the front panel. It is accessible from remote interfaces that provide information and control from anywhere in the network. iTap gives you the information and the passive access point you need to respond quickly to network events. Performance Aggregation The iTap 10/100/1000 Port Aggregator combines and regenerates both directions of a full-duplex stream, sending all aggregated traffic out one or two separate passive monitoring ports. Typically, full-duplex monitoring with a network tap requires two NICs (or a dual-channel NIC) one interface for each side of the full-duplex link. The Net Optics iTap Port Aggregator enables one or two devices to simultaneously monitor a full-duplex link using only one NIC per device. Buffers Absorb Bursts When the traffic levels exceed the capacity of the receiving NIC, the iTap Port Aggregator stores the overflow traffic in buffer memory. For high-load links, the iTap 10/100/1000 Dual Port Aggregator is available with 1GB of memory. The buffers clear automatically when the traffic volume falls below the receiving capacity of the NIC. These buffers allow the iTap Port Aggregator to absorb traffic bursts without dropping packets. Traffic Monitoring The iTap 10/100/1000 Port Aggregator monitors the utilization levels of both sides of the fullduplex link. This information is displayed on the front panel and is available from the remote interfaces. The iTap Port Aggregator allows you to set a threshold for each side of the fullduplex link at which an alarm is triggered. When a threshold level is exceeded, the alarm LED illuminates and the remote interfaces record the event. The iTap Port Aggregator records the level of the highest peak along with the date and time. Since the iTap Port Aggregator is monitoring the utilization levels, this information is always available regardless of the aggregation process. Half-duplex (Tap) Mode If the aggregated traffic exceeds 100 percent of the monitoring port bandwidth, there is no need to switch out the device for a conventional half-duplex Tap. Simply enable Half-duplex Mode,

and the iTap Port Aggregator stops aggregating and sends all of the traffic arriving at network Port A to monitor Port 1 and all of the traffic arriving at network Port B to monitor Port 2. Port Ordering Port Aggregators cannot guarantee the ordering of the packets in the aggregated traffic stream until now. Enable the Port Ordering feature of the iTap Port Aggregator and internal time stamping ensures that your monitoring tools see the packets in the exact time sequence that they arrived at the Tap s network ports, eliminating false protocol violations that impede speedy problem resolution. Time Stamping For accurate timing analysis, use the Time stamping feature of the iTap Port Aggregator. When enabled, the CRC bytes of each packet in the monitoring data stream are replaced with an 8 nanosecond resolution timestamp revealing the exact time the packet arrived at the network port. In addition, the most significant bit of the 32-bit timestamp field indicates which of the two network ports received the packet.

10 GigaBit SR/LR Inline Regeneration Type Lc-Type

Real-time, simultaneous passive monitoring of one 10 Gigabit fiber network link with one to eight 10 Gbps intrusion detection systems, protocol analyzers, RMON probes, and other devices. SFP+ monitor ports enable you to mix and match monitoring equipment with both single mode and multimode fiber interfaces.

10 GigaBit Regeneration Tap with SFP Monitor Ports Multimode and Single mode Fiber Net Optics 10 GigaBit Regeneration Taps add the flexibility of modular SFP+ monitor ports to solve key physical layer challenges of multi-device monitoring for 10 Gigabit networks. For a complete picture of network health, Regeneration Taps connect up to eight different network management and security devices at any single 10 Gigabit network location. One Tap, No Idle Resources Keep your intrusion detection and prevention systems, protocol analyzers, RMON probes, and other security devices productive with a single Regeneration Tap. Maximize resources and save on access points when multiple devices can monitor the same traffic simultaneously through a

single Regeneration Tap. Secure, passive access for multiple devices simply means a better return on monitoring investments. Modular SFP+ Monitoring Ports These 10 GigaBit Regeneration Taps provide the added flexibility of SFP+ monitoring ports, which enable them to attach to monitoring equipment with any type of fiber interface: single mode and multimode, and 62.5, 50, or 8.5 m diameters. Just plug in the appropriate SFP+ transceiver modules for as many and whatever types of tools you want to connect. (1G SFP transceivers are not supported; the Regeneration Tap does not perform data rate conversion.) Security and Visibility Without an IP address, monitoring devices are isolated from the network, dramatically reducing their exposure to attacks. However, the monitoring device connected to the Tap still sees all fullduplex traffic as if it were inline, including Layer 1 and Layer 2 errors. Reliability For extra uptime protection, Net Optics Taps offer redundant power connections. Should one power source fail, the Tap continues to operate normally using only the remaining power source. Power LEDs on the front of the Tap indicate the current power source. Key Features y y y y y y Enables real-time, simultaneous monitoring of a single 10 Gigabit link with up to 8 monitoring devices SFP+ monitor ports attach to monitoring equipment with single mode fiber and multimode fiber interfaces Provides complete full-duplex visibility at 10 Gbps without data stream interference or introducing a point of failure Passes all traffic (including errors) from all layers for comprehensive troubleshooting No IP address is needed for the Tap or monitoring device, enhancing security Redundant power ensures monitoring uptime

Ease of Use y y y y LED indicators show redundant power, speed, link, and activity status Front-mounted connectors support easy installation and operation No custom analyzer cableseach half-duplex data stream has its own connector Compatible with all major manufacturers monitoring devices, including protocol analyzers, probes, and intrusion detection systems

Telena Monitoring Access Sytem

Enlight Data, manufacturer of Fiber Optic Breakout Taps, (FOBOTS) is dedicated to fiber optic technology to bring you: y y y y y y More effective monitoring Faster analysis Customized branding Modular units in a vibrant range of colors Superlative customer service A wealth of knowledge about fiber optics

Fiber Optic Breakout Taps (FOBOTS) installed on your Fiber Optic Network guarantees 100% of packet data (including error data) is copied to your monitoring tool. FOBOTS are never oversubscribed, as with other less reliable access methods such as a Switched Port Analyzer (SPAN). Once integrated with your network FOBOTS reliability in their passive role ensure they will never be a point of failure. Furthermore it doesnt require maintenance.

Fiber Optic Breakout Taps (FOBOTS) are used to monitor real-time network traffic between two points in a network infrastructure. FOBOTS provide an exact duplicate of the network signal without any disruption to the network activity. Fiber Optic Breakout Taps consists of 6 ports. Ports A (live network in) Ports B (live network out) Monitor Ports x 2 The A and B ports collect the live traffic from the network while the monitoring ports provide a copy of the traffic to a monitoring device. Fiber Optic Breakout Taps are attached to the fiber optic network between two points. A full copy of the network traffic is routed passively though the FOBOTS, and is completely transparent to the network.

10/100UTP Tap / Portable model

It offers the most complete and cost effective solution for the field service engineer. The Dual compartment Zipper Pouch protects the Tap and the accessories. It is highly portable. The Link/Activity LEDs confirm instantly that your Tap is wired up correctly. To visualize PoE is an absolute must today. The Tap ports are galvanic separated from the network and protecting your analyzer from PoE and Ground Potential Difference.

The Permanent Network Link feature guarantees permanent network connectivity even when power fails. No packages are lost at power failure. It works at distances over 100mtr.

10/100/1000 Copper Tap

Quick Facts y y y Copy data from full-duplex copper links to monitoring equipment for analysis. Provides an accurate view of your copper network. Give monitoring equipment a complete copy of data from full-duplex network links.

Further Details y y y y y y y y y y Offers complete network visibility regardless of traffic levels. Provides pass through signals and separate copies of the TX and RX signals. Auto negotiates speed to transfer data at rates of 10, 100, and 1000 Mbps. Operates transparently. Doesnt block error packets. Can be left in place permanently. Connect and disconnect monitoring devices without network disruption. Provides continuous network data flow if the power fails. Mount three taps in one rack mount bracket. Get a complete and accurate view into the traffic on your 10-/100-/1000-Mbps Ethernet network without any network disruption or downtime.

The 10/100/1000 Copper Tap provides a complete copy of data from a full-duplex copper link to your network analyzer. First, the tap replicates the full-duplex signal from the network. Then it sends one signal back to the network and the other signal to a monitoring device equipped with a dual-receive capture card.

Use the tap with all types of equipmentnetwork and protocol analyzers, security monitoring devices, remote monitoring applications, RMON probes, and more. The tap operates passively and works regardless of traffic levels. Once you install the Tap, you can leave it in permanently without interfering with network operation and minimizing points of failure. You can even connect and disconnect different monitoring devices without interrupting the network.


The T1/E1 Passive Network Tap is a single port device that provides easy, 24 x 7 access to a T1/E1 segment. The T1/E1 Passive Tap's design is non-powered, so it will ensure that network performance and integrity will not be affected by power loss. Use with portable or distributed T1 analyzers, intrusion detection devices, probes, and monitoring devices.

y y y y y y y

Permanent tapped access eliminates the need for network connectors to be disconnected and connected each time a network segment needs to be monitored Non-powered passive tap design for total fault tolerance - network will never be interrupted due to power loss or network tap failure T1/E1 network taps provide In-Line access to critical T1/E1 links for monitoring of WAN traffic T1/E1 taps are Ideal for Security and Monitoring applications View ALL seven layers of network traffic Improve the ROI of your Network Tools Comes with convenient built-in rack-mount or use an optional rack mount package to mount 3 units (at 1U) and up to 14 units (at 4U).

Data monitoring switch

A data monitoring switch is a networking hardware appliance that provides a pool of monitoring tools with access to traffic from a large number of network links. It provides a combination of functionality that may include aggregating monitoring traffic from multiple links, regenerating traffic to multiple tools, pre-filtering traffic to offload tools, and directing traffic according to one-to-one and many-to-many port mappings. Data monitoring switches enable organizations to use their monitoring tools more efficiently, to centralize traffic monitoring functions, and to share tools and traffic access between groups. Some of these devices also provide functionality that helps justify tool purchases and simplify deployment and management of the device itself. Several other terms have been used to describe this class of device, including data access switch, tool aggregator, net tool optimizer, and distributed filter tap.

When a number of monitoring tools are connected to the data monitoring switchs tool ports, copies of traffic from any of the network ports can be switched to any of the tools using the data monitoring switchs management interface. A unique characteristic of the data monitoring switch, as opposed to matrix switches and aggregating Taps, is that it can support a flexible set of port mappings including:
y y y y

One network link to one monitoring tool One network link to many monitoring tools (regeneration) Many network links to one monitoring tool (aggregation) Many network links to many monitoring tools (dynamic many-to-many connectivity)

In addition to directing monitoring traffic, data monitoring switches are capable of filtering traffic by Layer 2 to Layer 4 protocol criteria such as VLAN or IP address, enabling only traffic of interest to be sent to specific tools. This capability can prevent tool oversubscription and facilitate drilling down on issues. Some data monitoring switches offer different management interfaces (fully integrated GUI, automation, etc.), load balancing across multiple tool ports, filtering on patterns in packet payloads, and converting media and data rates so tools can be used to monitor traffic from dissimilar links.

Device Management
Data monitoring switches support either or both of the following internal management interfaces: A text-based command-line interface (CLI) accessed with a terminal emulation program either locally over a serial port or remotely over a secure (e.g., SSH) network connection; this interface is sometimes preferred by network administrators, although many data center professionals complain that CLI is too complex. A Web browser based graphical interface; while most vendors offer drag and drop capabilities, there are a wide range of GUI options offered on these products, some requiring CLI and some not. This interface is preferred by IT generalists, executives, and IT stakeholders who manage monitoring but do not have physical access to the data center floor. External interfaces are also available as follows: A platform (Windows) based server; this interface is preferred for managing a large number of devices through a single interface Third-party SNMP(Simple Network Management Protocol) management tools; this interface in preferred in environments with centralized SNMP management systems such as IBM Tivoli(is a systems management platform) or HP OpenView(HP OpenView was the former name for a Hewlett Packard product family that consists of network and systems management products).

 Data monitoring switches facilitate centralizing network traffic monitoring in the NOC.  By providing remote monitoring and control, they save the time and expense of traveling to remote locations to install monitoring tools.  They make it easier to share tools among groups.  With data rate conversion capabilities, they enable 1 Gigabit tools to support 10 Gigabit links, and 10 Gigabit tools to monitor traffic aggregated from multiple 1 Gigabit links.  They prevent tool oversubscription by pre-filtering traffic.  They can Tap network links directly, instead of relying on switch SPAN ports for monitoring access.  They are fully passive, unable to disrupt network traffic.


 Data monitoring switches take a simple concept, the passive network Tap, and make it an
expensive, complex device that requires configuration and management.

 They are non-standard different vendor devices operate and are managed differently.

 Entry-level pricing is expensive if just a few links or tools need to be instrumented,

price per port will be high.  Advanced functionality on some products can be very cumbersome to activate and maintain over time.

Data monitoring switches feature:

y y y y y y y

Tap, aggregation, regeneration, matrix switching, and smart filtering in a single device Deep Packet Inspection (DPI), static and dynamic load balancing, and snapshot packet capture Fast ProPush statistics for microburst detection Low-latency, hardware-based TapFlow filtering engine 10 Mbps to 10 Gbps operation Inline and SPAN network modules Dual, hot-swappable power supplies

Type of Data monitoring switches

There are number of data monitoring switch, here we discuss the main two data monitoring switch.  Net Optics Director xStream  Net Optics Director

Net Optics Director xStream

Director xStream is a data monitoring switch that aggregates, regenerates, switches, filters, and load balances monitoring traffic. Director xStream empowers the NOC to share a pool of monitoring tools across a large number of network links. If more network or monitor ports are required, any port can be used for either network or monitor.

TapFlo Filtering Your pool of monitoring tools can handle more traffic, more links, and more protocols by using the Director xStream TapFlow's filtering technology to send each tool only the traffic-of-interest for its particular purpose. The TapFlow's hardware filtering engine processes traffic at full 10 Gbps line speeds, enabling you to select traffic by protocols, IP addresses, TCP/UDP ports, VLANs, and more.

Aggregation, Regeneration, and Switching Director xStream provides one-to-one, many-to-one, one-to-many, and many-to-many mappings of network links and Span ports to monitor ports. Traffic from any set of network links and Span ports can be aggregated into a single stream and copied to any monitor port. In addition, the same aggregated traffic stream can be regenerated to multiple monitor ports at the same time, enabling different groups to monitor the same data without conflicts. Multiple distinct aggregation and regeneration operations can function simultaneously without impacting speed or data integrity, even for fully-utilized 10-Gbps ports.

Load Balancing: In a monitoring application, Load Balancing splits the traffic into multiple streams so the data can be processed by two or more tools working in parallel. Director xStream supports static Load Balancing that takes the traffic from any network port or aggregated set of network ports and distributes it to two, three, four, or any number of available monitor ports. The load can be balanced by IP address, port, protocol, VLAN, and MAC address, or any other packet header field.

Data Rate & Media Conversion Director xStream automatically performs the data rate and media type conversions. Your CAPEX is lowered because you can apply tools to links with dissimilar media rather than purchasing new tools. For example, traffic from a 10-Gbps fiber link can be filtered or load balanced to multiple 1-Gbps copper-interface monitoring tools; and multiple 1-Gbps LX links can be aggregated to a 10-Gbps SR monitoring tool.

Dual Power Supplies Director xStream has two independent power supplies that provide fault tolerance: If one power supply loses power, the unit continues operating on the remaining supply.

Easy Configuration Indigo management software provides a command-line interface (CLI) for setting Director xStream parameters and filters and checking status and traffic statistics with a few keystrokes.

Security and Reliability Director xStream is a secure and reliable appliance that delivers unsurpassed monitoring access flexibility. It handles network traffic entirely in hardware, so there is no software to be loaded, maintained, or compromised. (The secure embedded management firmware cannot perturb the network data path.) Configuration variables and TapFlow filters can be changed only through the device's management port, so your monitoring access is immune to viruses, worms, and other attacks that pass through the Director Xstream network ports. Director Xstream maintains its configuration and TapFlow filters even when power are absent, making it a true appliance.

Net Optics Director

The cost and complexity of monitoring solutions are increasing at an explosive rate. More kinds of tools need to be deployed across a steadily increasing number of network links because:
y y y y

High-speed 1 Gbps and 10 Gbps links generate more traffic than ever needed to be monitored before Cost saving and operational efficiency for monitoring 10G networks using 1G tools without dropping packets or losing visibility Converged voice-video-data networks demand specialized tools to optimize different types of traffic Security threats are expanding and becoming more advanced on a daily basis requiring more advanced solutions

Industrys Highest-Port-Density Monitoring Access Solution Net Optics Director with TapFlow filtering technology enables your pool of monitoring tools to handle more traffic, more links, and more protocols than ever before. TapFlow filtering ensures that each tool sees only the traffic of interest for its particular purpose, without missing critical data. Aggregation, Regeneration, and Switching Director provides one-to-one, many-to-one, one-to-many, and many-to-many mappings of network links and Span ports to monitor ports. Director aggregates, regenerates, switches, and filters traffic completely at line speed, even for fully-utilized 10-Gbps ports.

TapFlow Filtering High-speed, multi-protocol aggregated traffic streams can be challenging for monitoring tools to handle. Often, tools use front-end pre-filters simply to strip off traffic of interestsuch as VoIP traffic for a VoIP performance analysis toolwhile discarding the rest of the packets. This seemingly simple operation can consume a significant amount of a tools processing power because it must handle every single packet on the wire. Director restores these vital processing cycles for monitoring tools by utilizing TapFlow. This does the pre-filtering job for them, selecting traffic by protocol type, IP address, port number, and even packet payload information, and sending each tool only the necessary traffic of interest.

Load Balancing Load Balancing allows traffic to be split into multiple streams so the data can be processed by two or more tools working in parallel.

Daisy-Chain Expansion Do your monitoring needs call for more than 38 ports? With Director, this is not a problem, because up to 10 Director Nodes can be daisy-chained together to act as a single logical unit with up to 380 ports and industry-leading total throughput of 740Gbps. Moreover, SR, LR, and ER 10-Gbps daisy-chain links support a reach as far as 40 km or 25 miles, enabling an entire campus or metro area to be monitored by a single logical Director installation. Policies and filters are defined on the master and populated automatically among daisy chain members.

Enterprise Manageability Director takes enterprise manageability to a whole new level. It is super-packed with functionality that is needed to manage the device and the network efficiently. Configuring and managing Director(s) is simplified by Indigo Management software.

Filter Tagging Filter tagging is ideal for situations in which you need to identify individual input streams within aggregated traffic. It allows you to identify packets that came from specific ports or filters that directed those packets. Filter tagging adds a user-defined VLAN tag to packetsenabling tools to identify the input ports. Modularity Director makes extensive use of modular interface technology to eliminate the headache of matching interfaces between monitoring tools and links. All Director monitor ports use SFP or XFP modular transceivers, so virtually any monitoring tool can be accommodated. In addition, DNMs are available for copper and Gigabit SX(50/62.5 m) or LX(8.5 m) or ZX(8.5 m) Fiber in both in-line and Span versions, increasing the flexibility of media type support. Dual Hot-Swappable Power Supplies Directors two modular power supplies provide fault tolerance: If one power supply loses power, Director continues operating on the remaining supply. For maximum reliability, each supply has its own integrated cooling fan.

Security and Reliability Director is a secure and reliable appliance that delivers unsurpassed monitoring access flexibility. It handles network traffic entirely in hardware, so there is no software to be loaded, maintained, or compromised. Configuration variables and TapFlow filters can be changed only through the devices management port, so your monitoring access is immune to viruses, worms, and other attacks that pass through the Director network ports. Director maintains its configuration and TapFlow filters even when power is absent, making it a truly unstoppable appliance. In addition, when Director is powered off, traffic flows are not impeded between the devices in-line network ports, maximizing network uptime even when Director is offline.