Unidirectional, or one-way data flows, are often required in OT networks. These safeguard the network from external threats while also providing the out-of-band data necessary to monitor the network for cybersecurity purposes.

Garland’s Network TAPs have built-in Data Diode functionality. This sends unidirectional copies of the traffic to out-of-band tools for monitoring purposes, without any effect on the link between the two network elements. Since there is no physical connection between a Data Diode TAP’s monitoring and network ports, there’s no possibility of intrusion from the destination. These TAPs physically do not send traffic back onto the network, providing “no injection” TAP visibility for 10/100/1000M networks.

Many industrial environments are outdated in terms of IT infrastructure. If a company is looking to deploy cybersecurity tools to prevent threats, ransomware attacks, and breaches, there is often a struggle to gain access to the network traffic. Legacy switching fabrics often lack the ability to configure SPAN ports. Rather than upgrading the entire switching fabric and enduring the business cost of interrupting operations, organizations can add a TAP fabric with passive network TAPs at each location. It is a much more cost-effective solution. A TAP fabric allows you to deploy cybersecurity tools today, while also providing permanent access for more tools in the future.

One benefit of using a TAP fabric is the lack of impact on production. Since Network TAPs are typically passive and deployed out-of-band, they don’t have to be certified by whoever runs the plant, approved by whoever makes the control system decisions or endorsed by whoever certifies the changes to new hardware put in place. Customers are simply putting in a TAP, which is passive and out-of-band. It doesn’t have any impact on the live production network!

IDS is a listen-only monitoring solution, it is placed out-of-band on the network infrastructure, it is not analyzing real-time traffic but is receiving a copy of the data. The two ways an IDS tool access this data is through SPAN / mirror ports on the switch or through the industry best practice network TAPs. SPAN is generally used for low utilization applications and are known to drop or alter packets, possibly masking threats. The network TAP creates full duplex traffic copies that pass physical errors and provide the flexibility to send this data to multiple destinations. If the IDS is processing many network segments, a network TAP and network packet broker are used to streamline the data to optimize security detection.

Modern IPS tools may have add-on options for internal or built-in bypass, which may be useful in some failure use cases but leaves open additional vulnerabilities like software failures and doesn’t provide the flexibility to sandbox, troubleshoot and optimize and the cost tends to outweigh the industry best practice of utilizing an external bypass. Bypass TAPs reduce network downtime with which allows you to easily take tools out-of-band for updates, installing patches, maintenance or troubleshooting to optimize and validate before pushing back inline. Designed to eliminate single points of failure within your network.