What is a Network Splitter? Application Fields of Network Splitter
A network splitter, including the usual 2.5G taps, 10G taps, 40G taps, and Test Access Port (TAP), is a hardware device that plugs directly into a network cable and sends a network traffic to other equipment.
1. Introduction of network splitter
Network splitters are commonly used in network intrusion detection systems (IDS), network detectors and analyzers. Port mirroring. In the offload mode, the monitored UTP link (unshielded link) is divided into two parts by the TAP offload device, and the offloaded data is connected to the acquisition interface to collect data for the Internet information security monitoring system.
2. Characteristics of network splitters
It is an independent hardware, it will not have any impact on the load of the existing network equipment, which has great advantages compared with port mirroring and other methods.
It is an in-line device, which simply means that it needs to be connected to the network. However, this also brings a disadvantage, that is, it introduces a point of failure. At the same time, it is precisely because it is an online device, so during deployment, the current network needs to be interrupted. Of course, the impact of the specific interruption depends on where it is deployed. .
Transparency means that it refers to the current network. After connecting to the network splitter, it has no impact on all devices in the current network, and is completely transparent to them. Of course, this also includes the network splitter sending traffic to the monitoring device, which is also the same for the network. transparent.
3. How the network splitter works
By copying, converging and filtering the input data to the network splitter, converting 10 Gigabit POS data into Gigabit LAN data through protocol conversion, and performing load balancing output according to a specific algorithm, while outputting all data packets in the same session, Or all packets for the same IP user are output from the same interface.
4. Features of network splitter
4.1 Protocol Conversion
Because the mainstream Internet data communication interfaces used by ISPs are 40G POS, 10G POS/WAN/LAN, 2.5G POS, GE, etc., and the data receiving interfaces usually used by application servers are GE and 10GE LAN interfaces, so people usually use the Internet communication interface. The protocol conversion mentioned above mainly refers to the conversion between 40G POS, 10G POS and 2.5G POS to 10GE LAN or GE, and the two-way co-conversion of 10GE WAN to 10GE LAN and GE.
4.2 Data collection and distribution
Most data collection applications basically only extract the traffic of interest and discard the traffic that does not care. For the traffic of interest, the data traffic of a specific IP, a specific protocol, and a specific port is extracted by a five-tuple (source IP, destination IP, source port, destination port, protocol) convergence method. When outputting, according to a specific HASH algorithm, ensure the same source and the same sink, and load balance the output.
4.3 Signature Filtering
For the collection of P2P traffic, the application system is likely to only pay attention to some specific traffic, such as: streaming media PPStream, BT, Thunder, and the common keywords GET and POST on http and other feature codes, etc., can use feature code matching way to extract and converge. The splitter supports fixed-position signature filtering and floating signature filtering. The floating feature code is the offset specified on the basis of the implementation of the fixed position feature code. It is suitable for applications that specify the feature code that needs to be filtered, but the specific location of the feature code is not clear.
4.4 Session management
It can identify the traffic of session connections, and can flexibly configure the N value of session forwarding (N=1 to 1024). That is, the first N packets of each session are extracted and forwarded to the back-end application analysis system, and the packets after the N value are discarded, which saves resource overhead for the downstream application analysis platform. Usually, when monitoring events with IDS, it is not necessary to process all the packets of the entire session, and only the first N packets of each session need to be extracted to complete the analysis and monitoring of events.
4.5 Data mirroring and replication
The splitter can realize the mirroring and copying of the data on the output interface, ensuring the data access of multiple sets of application systems.
4.6 3G network data collection and offload
The collection and distribution of 3G network data is different from the traditional network analysis mode: the packets in the 3G network are transmitted in the backbone link through multi-layer encapsulation, and the packet length and encapsulation format are quite different from those in the ordinary network. Therefore, it is infeasible to simply filter and analyze the quintuple, feature code, etc.; the splitter has the function of multi-layer encapsulation format analysis, and can accurately identify and process tunnel protocols such as GTP, GRE, and multi-layer MPLS, VLAN tag data packets, and can Extract IUPS signaling packets, GTP signaling packets, and Radius packets to the designated port according to the characteristics of the packets. At the same time, it can also conduct traffic distribution according to the inner IP, and support the processing of super large packets (MTU>1522 Byte), which can perfectly realize the 3G network. Data collection and triage applications.
5. Feature Requirements for Network Splitters
5.1 Supports offloading according to L2-L7 application protocol.
5.2 Support filtering according to source IP, destination IP, source port, destination port, protocol, etc. with exact and masked 5-tuple.
5.3 Support output load balancing, output homologous and homologous.
5.4 Support filtering and forwarding according to character string feature code.
5.5 supports session management. Forward the first N packets of each session. The N value can be specified by yourself.
5.6 Supports multiple users. Data packets that hit the same rule can be provided to a third party at the same time, or the data on the output interface can be mirrored and copied, ensuring data access of multiple sets of application systems.
6. Application fields of network splitter
Network data protocol analysis, VOIP traffic, P2P traffic monitoring and control, monitoring of illegal access of broadband users, intrusion detection system IDS, burst traffic such as attack and virus monitoring and prevention, network traffic audit and other fields that operators care about.
In the financial field, network splitter is an important part of "traffic visualization analysis". It is usually used by multiple devices in a network to build a unified management traffic collection platform to collect the business traffic of the production network or office network in real time. After a series of preprocessing such as aggregation, filtering, forwarding, load balancing, packet deduplication, slicing, decapsulation, etc., it is forwarded to the back-end network performance analysis, business performance analysis, database audit, network security analysis and other traffic visualization. analyzing tool.
Previous Page:Wireless Network Standards for Wireless Internet Devices