The present invention relates to an active response communications network tap.
Telecommunications networks are important for providing global data and voice communication. Monitoring the networks is important to ensure reliable operation, fault detection, timely mitigation of potentially malicious activities and more. Network taps are known for connecting to networks and providing a port to monitor the communication traffic on the network.
Conventional network taps enable full-duplex monitoring of network traffic over a link, but transmit the traffic to the monitoring device as two half-duplex streams, requiring specialized hardware to monitor both sides of the conversation. While this technique is useful, it does not provide full-duplex monitoring and communication, which would be extremely helpful. What is more, conventional network taps do not provide a mechanism for monitors to alert other network devices through the network. Rather, conventional network taps require that the monitoring equipment communicate with other network devices via separate communications channels. This is often a problem when other network devices are located far from a monitor.
Consequently, there is need for an improved network tap that supports full-duplex monitoring and communication.
The present invention provides an improved network tap that supports full-duplex monitoring and communication. The invention is an active response communications network tap that provides network traffic to a monitor while also permitting the monitor to insert data into the network traffic destined for other network devices.
An exemplary embodiment of an active response network tap for use in monitoring a network comprises a first device interface terminal, a second device interface terminal, a first monitor interface terminal and a second monitor interface terminal. A tap structure is coupled to the first device interface terminal, second device interface terminal, first monitor interface terminal and second monitor interface terminal. A memory is coupled to the tap structure and configured to store data from burst traffic, which is retransmitted using a first-in first-out (FIFO) technique.
In one aspect of the invention, the tap structure is configured to communicate full-duplex traffic between the tap structure and a monitor device coupled to a monitor interface terminal. In another aspect of the invention, the tap structure is configured to insert data from a monitor coupled to the first monitor interface into the traffic between the first device and the second device.
Advantages of the invention include the ability to provide full-duplex monitor access to a network in order that the network can be monitored and also that the monitor can communicate with other devices on the network.
The foregoing and other features, aspects, and advantages will become more apparent from the following detailed description when read in conjunction with the following drawings, wherein:
The invention is described with reference to specific architectures and protocols. Those skilled in the art will recognize that the description is for illustration and to provide the best mode of practicing the invention. The description is not meant to be limiting. For example, reference is made to Ethernet Protocol but other protocols can be used in the invention. Likewise, reference is made to packets and cells, while other forms of data and addresses can be used in the invention.
A tap structure 122 is coupled to the terminals to facilitate the exchange of network traffic from the network devices 22, 24 to the network monitors 32, 34. A memory 124 is coupled to the tap structure and configured to store data. The memory is useful in the case of a data burst that exceeds the tap's ability to support the network traffic, as explained in more detail below.
The network monitors 32, 34 can observe the network traffic via the tap structure 122 and can then report to other systems or computers regarding a number of traffic parameters. For example, a monitor can report the network bandwidth, the number of packets or messages across the network, the frequency of different packet types, origins and destinations and so forth. A network monitor can also detect the presence of malicious traffic, for example traffic intent on creating a denial of service condition by flooding the network with packets destined for a particular server. In such a case, a monitor may alert a firewall or other network device to mitigate or terminate traffic to or from a particular computer or server. Conventional monitors send instructions to network devices via a separate, independent network. While this may be the only way to communicate in total fault conditions, it is burdensome in most situations.
The invention provides for the monitor to communicate back into the network traffic over a full-duplex connection. In one aspect of the invention, the tap structure 122 is configured to communicate full-duplex traffic between a first device coupled to the first interface terminal and a second device coupled to the second interface terminal. The tap structure is configured to insert data from a monitor coupled to the first monitor interface into the traffic between the first device and the second device.
The present invention advantageously provides a passive, active response dual port aggregator tap that aggregates traffic from both sides of a full-duplex link and simultaneously sends the stream to two separate network interface cards (NICs). The Active Response feature enables the injection of responses to any network event. An exemplary embodiment operates at 10 megabits per second (Mbps) or 100 Mbps, often denoted 10/100, but can also operate at higher rates, e.g. 1 Gbps (1000 Mbps).
The invention seamlessly combines these two streams using a first-in first-out technique, enabling full-duplex monitoring with one NIC. The dual-port aggregator tap structure 122 regenerates and sends the combined stream to two separate NICs, enabling simultaneous monitoring of the same full-duplex link with two devices. The Port Aggregator in tap 122 takes two streams and aggregates them into one stream. In one aspect, Monitor A can inject data into the network traffic while Monitor B is a passive monitor, Monitor Port B not being configured to permit Monitor B to inject data into the network traffic. In another aspect, both Monitor Port A and Monitor Port B can inject data into the network traffic. The current Port Aggregator has two output ports so that two monitoring devices can be attached; only one of the output ports can inject traffic back into the main network.
The invention supports different types of active responses. With an active response dual port aggregator tap, an administrator can transmit any type of Ethernet packet back into the original link, supporting all common types of active responses generated by intrusion detection systems, and by intrusion prevention systems deployed in passive mode. The most common response types are Transmission Control Protocol (TCP) resets, and firewall rule changes. While the tap can support both types of responses, caution is recommended in dynamically updating firewall rules due to the risk of disabling network services. Because most firewalls are managed out-of-band, however, it is unlikely that the regeneration tap will be part of a rule change scenario.
The invention is designed to avoid collisions when active responses are transmitted back into the original link. On each side of the full-duplex link, there is a small buffer for traffic arriving from the network 126A, 126B, and another small buffer for active response traffic arriving from the monitoring device 128A, 128B. Traffic is released from this buffer pair on a first-in, first-out basis, which is part of the reconcile traffic step (
The invention is designed to support high bandwidth on an active response port. The average amount of bandwidth available for active responses is determined by the average spare capacity on the link. For example, on a 100 Mbps full-duplex link, if transmission from device A to device B averages 30 Mbps, and transmission from device B to device A averages 50 Mbps, then there is an average capacity of 70 Mbps on the first side and of up to 50 Mbps on the second side for active response traffic. At any particular point in time, actual capacity is determined by the size of the packets being transmitted and the gap between them. On a link carrying 64-byte network and active response traffic, the capacity at any point in time will be very close to the average capacity. As the most common use for the tap will be to inject TCP resets, which are standard 64-byte packets, it is unlikely that the transmissions from either side of the active response port will exceed 10 Mbps, even if many sessions are terminated in a short time frame. In our internal testing, we have therefore focused on active response port performance at up to 10 Mbps.
The connected monitor should have a MAC and IP address to function properly when the active response port is operating in active mode. These are not needed when this port is set to passive mode. The tap itself does not typically include a MAC or IP address, regardless of how the active response port is set. However, a MAC or IP address can be incorporated into the invention to facilitate communications for the monitor to provide active response.
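The following Python is an added example and is not part of the patent's description or of any product it describes. It builds the TCP reset that a monitor on the active response port would inject, given one observed TCP/IPv4 segment: either endpoint can be reset, and the reset's sequence number is derived from the observed segment so that it lands exactly at the target's next expected sequence number (RCV.NXT), which RFC 5961 stacks require before they honour a RST. The observed frame is constructed for the example; untagged Ethernet carrying IPv4 and TCP is assumed. The forged frame carries the impersonated endpoint's MAC and IP addresses rather than the monitor's own (a design choice of this example), so the monitor's addresses described above serve only its port on the tap.

```python
"""Forge the TCP reset an active-response monitor would inject for one observed segment.

Added example; not the patent's own logic.  Assumes untagged Ethernet/IPv4/TCP.
The target only honours a RST whose SEQ matches what it expects next (RCV.NXT):
RFC 793 accepts anything in-window, RFC 5961 stacks demand the exact value and
otherwise reply with a challenge ACK.
"""
import struct

ETH_IPV4, PROTO_TCP = 0x0800, 6
FLAG_FIN, FLAG_SYN, FLAG_RST, FLAG_ACK = 0x01, 0x02, 0x04, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; odd lengths are zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _ipv4_tcp(src_ip: bytes, dst_ip: bytes, tcp_hdr: bytes, payload: bytes = b"", ip_id: int = 0) -> bytes:
    """Fill in TCP and IPv4 checksums; return IPv4 header + TCP header + payload."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, PROTO_TCP, len(tcp_hdr) + len(payload))
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", checksum(pseudo + tcp_hdr + payload)) + tcp_hdr[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp_hdr) + len(payload),
                     ip_id, 0x4000, 64, PROTO_TCP, 0, src_ip, dst_ip)  # DF set, TTL 64
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp_hdr + payload


def parse_segment(frame: bytes) -> dict:
    """Extract the fields a reset needs from an observed Ethernet/IPv4/TCP frame."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != PROTO_TCP:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_res, flags = struct.unpack("!HHIIBB", tcp[:14])
    payload_len = len(tcp) - (off_res >> 4) * 4
    # Sequence space the segment consumes: payload bytes plus one each for SYN and FIN.
    seq_len = payload_len + bool(flags & FLAG_SYN) + bool(flags & FLAG_FIN)
    return {"eth_dst": frame[:6], "eth_src": frame[6:12],
            "src_ip": ip[12:16], "dst_ip": ip[16:20], "sport": sport, "dport": dport,
            "seq": seq, "ack": ack, "flags": flags, "seq_len": seq_len}


def build_rst(obs: dict, target: str) -> bytes:
    """Forge a RST|ACK frame for the observed segment.

    target="dest":   reset the segment's receiver, impersonating its sender;
                     the receiver's RCV.NXT is seq + seq_len.
    target="source": reset the segment's sender, impersonating its receiver;
                     the sender's RCV.NXT is the ACK it just sent.
    Layer-2 addresses are the impersonated endpoint's, not the monitor's.
    """
    nxt = (obs["seq"] + obs["seq_len"]) & 0xFFFFFFFF
    if target == "dest":
        eth, ips = obs["eth_dst"] + obs["eth_src"], (obs["src_ip"], obs["dst_ip"])
        ports, seq, ack = (obs["sport"], obs["dport"]), nxt, obs["ack"]
    elif target == "source":
        eth, ips = obs["eth_src"] + obs["eth_dst"], (obs["dst_ip"], obs["src_ip"])
        ports, seq, ack = (obs["dport"], obs["sport"]), obs["ack"], nxt
    else:
        raise ValueError(target)
    # 20-byte TCP header: RST|ACK, zero window, checksum placeholder, no urgent pointer.
    tcp = struct.pack("!HHIIBBHHH", ports[0], ports[1], seq, ack, 5 << 4, FLAG_RST | FLAG_ACK, 0, 0, 0)
    return eth + struct.pack("!H", ETH_IPV4) + _ipv4_tcp(ips[0], ips[1], tcp)


def checksums_ok(frame: bytes) -> bool:
    """Recompute the IPv4 header and TCP checksums; both fold to zero when intact."""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    tcp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, PROTO_TCP, len(tcp))
    return checksum(ip[:ihl]) == 0 and checksum(pseudo + tcp) == 0


def make_sample_frame() -> bytes:
    """Constructed sample: 10.0.0.5:40000 -> 10.0.0.9:80, PSH|ACK, seq 1000, ack 5000, 18-byte payload."""
    payload = b"GET / HTTP/1.0\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 5000, 5 << 4, 0x18, 8192, 0, 0)
    eth = bytes.fromhex("0200000000bb") + bytes.fromhex("0200000000aa")  # dst B, src A (locally administered)
    return eth + struct.pack("!H", ETH_IPV4) + _ipv4_tcp(bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]), tcp, payload, 1)


if __name__ == "__main__":
    observed = parse_segment(make_sample_frame())
    for side in ("dest", "source"):
        frame = build_rst(observed, side)
        r = parse_segment(frame)
        print(f"{side}: seq={r['seq']} ack={r['ack']} len={len(frame)} checksums_ok={checksums_ok(frame)}")
```

Resetting only one endpoint leaves the other socket open until it times out, so active response systems normally inject both directions. A reset computed from a stale segment, one the target has already acknowledged past, is ignored or answered with a challenge ACK, which is why the reset is generated from the most recent segment seen on the link and why injection latency through the tap matters.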
The invention is designed for 10/100 networks where the “receive” capacity of the network interface card (NIC) is greater than the average capacity required to monitor both sides of the full-duplex link. For example, on a 100 Mbps link with 30 percent utilization on each side, a 100 Mbps NIC can easily handle the 60 Mbps traffic from the tap.
For cases where the NIC's capacity is exceeded, for instance if there is a traffic burst and the 100 Mbps NIC is now receiving 140 Mbps of traffic, port buffering is provided as an additional innovative feature to help prevent data overload. Memory 124 provides a buffered memory that handles the overflow, for example up to 0.5 megabytes per side of the full-duplex connection. This memory clears automatically once the NIC's utilization is again below 100 percent.
Using buffering, the invention can transmit any type of Ethernet packet, from a simple Transmission Control Protocol (TCP) reset to complex Internet Control Message Protocol (ICMP) messages, back into the original network link. This technique is described with reference to
Traffic that passes through the tap 100 is sent to the monitoring device NIC on a first-in, first-out basis, including traffic that is temporarily stored in memory. If two packets enter at the same time, one packet is processed while the other is stored briefly in memory, preventing collisions. When there is a burst of data, traffic in excess of the NIC's capacity is sent to the tap's memory 124. In one aspect, up to one megabyte of data per side of the full-duplex stream can be stored in memory. Memory continues to fill until its capacity is reached or the burst ends, whichever comes first. In both cases, the tap applies a first-in, first-out procedure, processing stored data before new data from the link. If memory fills before the burst ends, the memory stays filled as the stored data is processed; data that leaves the buffer is immediately replaced. If the burst ends before the memory fills, the memory clears until the full megabyte of capacity is available, or until another burst in excess of the NIC's capacity requires additional memory.
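To make the two buffering behaviours above concrete, the following Python is an added example (not the patent's own logic) that models both: the buffer pair that merges network traffic and active responses onto one link direction, and the per-side overflow memory in front of a monitor NIC. It replays the description's numbers (a 100 Mbps NIC, 30 percent utilization per side, a 140 Mbps burst) in whole bytes per millisecond slot, and also carries the active response headroom arithmetic through, including how many minimum-size frames a given rate can carry (a 64-byte frame occupies 84 bytes of wire time once preamble and inter-frame gap are counted). Assumed for the example: 500,000 bytes of memory per side, a 100,000-byte response buffer, burst durations, and an even split of output capacity between the two inputs with any unused share handed across.

```python
"""FIFO buffer-pair model for the tap's two buffered paths.

Added example, not the patent's own implementation.  Byte counts are per
millisecond slot.  Simplification: each slot, every input is served from its
stored bytes before new arrivals (FIFO per input), output capacity is split
evenly with unused share handed to the other input, and bytes beyond the
memory cap are tail-dropped.
"""

WIRE_BYTES_64B_FRAME = 64 + 8 + 12   # frame + preamble/SFD + inter-frame gap


def bytes_per_ms(mbps: int) -> int:
    """Whole bytes a rate in Mbps carries in one millisecond."""
    return mbps * 1_000_000 // 8 // 1000


def response_headroom_mbps(link_mbps: int, a_to_b_mbps: int, b_to_a_mbps: int) -> tuple:
    """Average capacity left for injected responses, per link direction."""
    return link_mbps - a_to_b_mbps, link_mbps - b_to_a_mbps


def max_resets_per_second(mbps: int) -> int:
    """Minimum-size (64-byte) frames per second that fit in the given rate."""
    return mbps * 1_000_000 // (WIRE_BYTES_64B_FRAME * 8)


def simulate(arrivals: list, capacity: int, mem_cap: int) -> dict:
    """Merge several byte streams onto one output of `capacity` bytes per slot.

    arrivals[i][t] is the number of bytes input i offers in slot t; each input has
    its own memory of `mem_cap` bytes.  Returns drops and peak backlog per input,
    the first slot that dropped, and the slot at which the backlog drained.
    """
    n, slots = len(arrivals), len(arrivals[0])
    queue, dropped, peak = [0] * n, [0] * n, [0] * n
    first_drop_ms = drained_at_ms = None
    backlogged = False
    for t in range(slots):
        demand = [queue[i] + arrivals[i][t] for i in range(n)]
        alloc = [min(d, capacity // n) for d in demand]
        spare = capacity - sum(alloc)
        for i in range(n):           # hand unused share to inputs that still have demand
            extra = min(demand[i] - alloc[i], spare)
            alloc[i] += extra
            spare -= extra
        for i in range(n):
            left = demand[i] - alloc[i]
            queue[i] = min(left, mem_cap)    # store what the output could not take ...
            lost = left - queue[i]           # ... and tail-drop the newest bytes beyond memory
            dropped[i] += lost
            peak[i] = max(peak[i], queue[i])
            if lost and first_drop_ms is None:
                first_drop_ms = t
        if sum(queue):
            backlogged = True
        elif backlogged and drained_at_ms is None:
            drained_at_ms = t + 1
    return {"dropped": dropped, "peak_queue": peak,
            "first_drop_ms": first_drop_ms, "drained_at_ms": drained_at_ms}


def nic_overflow_scenario() -> dict:
    """Monitor NIC at 100 Mbps; both link sides burst to 70 Mbps (140 offered) for 300 ms, then 30 Mbps each."""
    side = [bytes_per_ms(70)] * 300 + [bytes_per_ms(30)] * 300
    return simulate([side, list(side)], bytes_per_ms(100), 500_000)


def response_injection_scenario() -> dict:
    """One link direction: 30 Mbps of network traffic plus 1,000 resets fired into the response buffer in one slot."""
    network = [bytes_per_ms(30)] * 20
    responses = [1_000 * WIRE_BYTES_64B_FRAME] + [0] * 19
    return simulate([network, responses], bytes_per_ms(100), 100_000)


if __name__ == "__main__":
    print("headroom (A->B, B->A) Mbps:", response_headroom_mbps(100, 30, 50))
    print("resets/s at 10 Mbps:", max_resets_per_second(10))
    print("NIC overflow:", nic_overflow_scenario())
    print("response injection:", response_injection_scenario())
```

In the overflow scenario the 40 Mbps excess fills 500,000 bytes per side in 200 ms, the next 100 ms of the burst is dropped at the tail, and the memory drains at the 40 Mbps of headroom left once both sides fall back to 30 percent. In the injection scenario the reset burst is absorbed entirely by the response buffer and released over the link's spare capacity, so the network traffic is never displaced; that is the collision avoidance the buffer pair provides.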
Advantages of the invention include the ability to provide full-duplex monitor access to a network in order that the network can be monitored and also that the monitor can communicate with other devices on the network.
Having disclosed exemplary embodiments and the best mode, modifications and variations may be made to the disclosed embodiments while remaining within the subject and spirit of the invention as defined by the following claims.
This application claims priority to U.S. Provisional No. 60/639,004 filed Dec. 24, 2004, incorporated herein by reference.
Number | Name | Date | Kind |
---|---|---|---|
4802161 | Byars et al. | Jan 1989 | A |
5173794 | Cheung et al. | Dec 1992 | A |
5539727 | Kramarczyk et al. | Jul 1996 | A |
5550802 | Worsley et al. | Aug 1996 | A |
5648965 | Thadani et al. | Jul 1997 | A |
5696859 | Onaka et al. | Dec 1997 | A |
5710846 | Wayman et al. | Jan 1998 | A |
5781318 | Tremblay | Jul 1998 | A |
5825775 | Chin et al. | Oct 1998 | A |
5983308 | Kerstein | Nov 1999 | A |
6041037 | Nishio et al. | Mar 2000 | A |
6047321 | Raab et al. | Apr 2000 | A |
6108310 | Wilkinson et al. | Aug 2000 | A |
6167025 | Hsing et al. | Dec 2000 | A |
6272136 | Lin et al. | Aug 2001 | B1 |
6366557 | Hunter | Apr 2002 | B1 |
6424627 | Sørhaug et al. | Jul 2002 | B1 |
6449247 | Manzardo et al. | Sep 2002 | B1 |
6542145 | Reisinger et al. | Apr 2003 | B1 |
6650803 | Ramaswami et al. | Nov 2003 | B1 |
6658565 | Gupta et al. | Dec 2003 | B1 |
6687009 | Hui et al. | Feb 2004 | B2 |
6687847 | Aguilera et al. | Feb 2004 | B1 |
6714976 | Wilson et al. | Mar 2004 | B1 |
6798740 | Senevirathne et al. | Sep 2004 | B1 |
6801940 | Moran et al. | Oct 2004 | B1 |
6823383 | MacBride | Nov 2004 | B2 |
6836540 | Falcone et al. | Dec 2004 | B2 |
6841985 | Fetzer | Jan 2005 | B1 |
6850706 | Jager et al. | Feb 2005 | B2 |
6882654 | Nelson | Apr 2005 | B1 |
6898630 | Ueno et al. | May 2005 | B2 |
6898632 | Gordy et al. | May 2005 | B2 |
6925052 | Reynolds et al. | Aug 2005 | B1 |
6944437 | Yang et al. | Sep 2005 | B2 |
6975209 | Gromov | Dec 2005 | B2 |
7027437 | Merchant et al. | Apr 2006 | B1 |
7171504 | Ishii | Jan 2007 | B2 |
7277957 | Rowley et al. | Oct 2007 | B2 |
7308705 | Gordy et al. | Dec 2007 | B2 |
7321565 | Todd et al. | Jan 2008 | B2 |
7324553 | Varier et al. | Jan 2008 | B1 |
7415013 | Lo | Aug 2008 | B1 |
7430354 | Williams | Sep 2008 | B2 |
7477611 | Huff | Jan 2009 | B2 |
7486624 | Shaw et al. | Feb 2009 | B2 |
7486625 | Matityahu et al. | Feb 2009 | B2 |
7505416 | Gordy et al. | Mar 2009 | B2 |
7616587 | Lo et al. | Nov 2009 | B1 |
7627029 | Ho et al. | Dec 2009 | B2 |
7760859 | Matityahu et al. | Jul 2010 | B2 |
7788365 | Foster et al. | Aug 2010 | B1 |
20010040870 | Ohmori et al. | Nov 2001 | A1 |
20020003592 | Hett et al. | Jan 2002 | A1 |
20020026374 | Moneymaker et al. | Feb 2002 | A1 |
20020032880 | Poletto et al. | Mar 2002 | A1 |
20020061027 | Abiru et al. | May 2002 | A1 |
20020073199 | Levine et al. | Jun 2002 | A1 |
20020087710 | Aiken et al. | Jul 2002 | A1 |
20020146016 | Liu et al. | Oct 2002 | A1 |
20020176355 | Mimms et al. | Nov 2002 | A1 |
20020180592 | Gromov | Dec 2002 | A1 |
20030112760 | Puppa et al. | Jun 2003 | A1 |
20030142666 | Bonney et al. | Jul 2003 | A1 |
20030145039 | Bonney et al. | Jul 2003 | A1 |
20030184386 | Varner et al. | Oct 2003 | A1 |
20030215236 | Manifold | Nov 2003 | A1 |
20040008675 | Basso et al. | Jan 2004 | A1 |
20040023651 | Gollnick et al. | Feb 2004 | A1 |
20040062556 | Kubo et al. | Apr 2004 | A1 |
20040096227 | Bulow | May 2004 | A1 |
20040109411 | Martin | Jun 2004 | A1 |
20040120259 | Jones et al. | Jun 2004 | A1 |
20040128380 | Chen et al. | Jul 2004 | A1 |
20040190547 | Gordy et al. | Sep 2004 | A1 |
20040202164 | Hooper et al. | Oct 2004 | A1 |
20040215832 | Gordy et al. | Oct 2004 | A1 |
20040264494 | Kim | Dec 2004 | A1 |
20050005031 | Gordy et al. | Jan 2005 | A1 |
20050060535 | Bartas | Mar 2005 | A1 |
20050071711 | Shaw | Mar 2005 | A1 |
20050108444 | Flauaus et al. | May 2005 | A1 |
20050122910 | Parupudi et al. | Jun 2005 | A1 |
20050129033 | Gordy et al. | Jun 2005 | A1 |
20050132051 | Hill et al. | Jun 2005 | A1 |
20050231367 | Bellantoni | Oct 2005 | A1 |
20050257262 | Matityahu et al. | Nov 2005 | A1 |
20050271065 | Gallatin et al. | Dec 2005 | A1 |
20060083268 | Holaday et al. | Apr 2006 | A1 |
20060083511 | Edmunds et al. | Apr 2006 | A1 |
20060200711 | Schondelmayer et al. | Sep 2006 | A1 |
20060215566 | Walsh | Sep 2006 | A1 |
20060233115 | Matityahu et al. | Oct 2006 | A1 |
20060282529 | Nordin | Dec 2006 | A1 |
20070002754 | Matityahu et al. | Jan 2007 | A1 |
20070002755 | Matityahu et al. | Jan 2007 | A1 |
20070002769 | Matityahu et al. | Jan 2007 | A1 |
20070064917 | Matityahu et al. | Mar 2007 | A1 |
20070081549 | Cicchetti et al. | Apr 2007 | A1 |
20070081553 | Cicchetti et al. | Apr 2007 | A1 |
20070171966 | Light et al. | Jul 2007 | A1 |
20070174492 | Light et al. | Jul 2007 | A1 |
20070211682 | Kim et al. | Sep 2007 | A1 |
20070213862 | Chang et al. | Sep 2007 | A1 |
20080014879 | Light et al. | Jan 2008 | A1 |
20080049627 | Nordin | Feb 2008 | A1 |
20080214108 | Beigne et al. | Sep 2008 | A1 |
20090040932 | Matityahu et al. | Feb 2009 | A1 |
20090041051 | Matityahu et al. | Feb 2009 | A1 |
20090168659 | Matityahu et al. | Jul 2009 | A1 |
20090279541 | Wong et al. | Nov 2009 | A1 |
20100146113 | Matityahu et al. | Jun 2010 | A1 |
Number | Date | Country |
---|---|---|
2001-197066 | Jul 2001 | JP |
2006148686 | Jun 2006 | JP |
10-2004-0058415 | Jul 2004 | KR |
WO-0219642 | Mar 2002 | WO |
WO-2004012163 | Feb 2004 | WO |
Number | Date | Country |
---|---|---|
20060153092 A1 | Jul 2006 | US |
Number | Date | Country |
---|---|---|
60639004 | Dec 2004 | US |