Connecting AthTek NetWalk to the network
One of the fundamentals of effective network monitoring and analysis is analyzer placement 鈥?connecting the analyzer to the network in a way that ensures maximum data visibility. Because of the widespread deployment of network switches, analyzer placement has been made more complicated. The beauty of a switch is that it only forwards traffic to the ports that have devices involved in a given conversation. So if Computer A on port 1 is talking to Computer B on port 2 then only machines connected to ports 1 and 2 will see the traffic. This has many advantages. Switches eliminate collisions, they reduce processing power required on terminating devices and they make malicious packet sniffing much more difficult. This last advantage of switching is a problem for AthTek NetWalk.
There are several common methods used to gain visibility into a switched network, including:
- Inserting a hub on each segment to be monitored.
- Inserting a tap on each segment to be monitored.
- Setting up port mirroring on a switch.
Inserting a Hub
The easiest and most inexpensive way to gain visibility to a switched network is to insert a hub between any two devices. Because each packet received by a hub is replicated to every port on the device, AthTek NetWalk can be connected to an open port on the hub and see all the data flowing between the two devices.
Figure 2-1 shows one example of how hubs can be used to allow network monitoring and analysis. In this example, hubs have been inserted between Protected Switch and Firewall. By connecting to an open port on the hub, AthTek NetWalk can see all the the traffic between the switch port and the firewall.
Figure 2-1
Inserting a Tap
The network tap is another approach to allowing the AthTek NetWalk to see all the traffic on a switched network. A tap is similar in function to a phone tap. The tap will typically look like 3-port switch.
Port 1 will attach to Protected Switch Port 2 will attach to Firewall and Port 3 will attach to the AthTek NetWalk. (See figure 2-2.) Every packet that is forwarded between Protected Switch and Firewall will be mirrored to the AthTek NetWalk.
Figure 2-2
Using Port Mirroring
Another popular option for adding a sniffer of any type to a network is the use of a mirror port on the switch being monitored. A mirror port is a port that is configured to have a copy of all packets sent to it. Much like a tap it does not break the full duplex nature of switched traffic. Buying a switch with a mirror port can be more expensive than purchasing one without a mirror port, but most better enterprise switches will have the functionality available without having to upgrade to a more expensive switch.
Figure 2-3 shows one example of how port mirroring can be used to allow network monitoring and analysis.
Figure 2-3
Advantages and Disadvantages
- Hubs have the advantage of being both cost-effective and easy to install.
- Unlike a hub, a network tap preserves the integrity of a full duplex link, splitting out both sides of the link separately for monitoring and analysis.
- Because taps are passive devices, they can be left on a link indefinitely, letting you monitor whenever necessary without taking the link down to insert a hub.
- Inserting a network tap adds another potential point of failure to your network. If a tap fails, it can take down the link along with it.
- Port mirroring lets you monitor or capture traffic from multiple switch ports instead of just a single port. Most implementations also let you copy all traffic for a particular VLAN to the monitor port, allowing quick analysis of a problematic configuration.
- With port mirroring, there is no hardware to install.
- Hubs are not appropriate for all networks. For example, inserting a hub on a full duplex link limits the link to half duplex speeds, slowing response times and reducing throughput.
- To see all of the traffic on your network, taps need to be installed on each full duplex network segment. This can be a costly investment.
- Inserting a network tap adds another potential point of failure to your network. If a tap fails, it can take down the link along with it.
- Not all switches support port mirroring.
- Different switches implement port mirroring differently, requiring you to learn how to configure it on the switch.
- When used incorrectly, port mirroring can potentially cause a network loop.
- It can cause the switch to drop packets before sending them to the monitor port, resulting in false error messages in the analyzer.
