

Connected to Network Tap/SPAN Port: Passive Mode Only

The diagram below summarizes the NBA deployment architecture when the NBA is connected to a network tap or SPAN port, and also when data is output to the local hard disk.

In this configuration, the NBA can only run in passive mode. In passive mode:

Note: The passive-only configuration helps ensure that the NBA has no impact on network performance. However, if the data rate is higher than the NBA can accept, the NBA cannot analyze all traffic. If the NBA output mode is set to 'Disk' or 'Socket and Disk', the NBA is limited to a capture rate of 8 Mbyte/sec. You can connect the NBA to a network segment with higher traffic rates, but the sustained rate of data capture is limited to the speed at which captured data files can be written to hard disk. The NBA ignores any other data, which passes through the appliance without being analyzed or captured.
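A capacity check for the limit described in the note above, as an added example that is not part of the product documentation: it reads receive-byte counters from /proc/net/dev snapshots taken on a Linux host that sees the same tap/SPAN feed and estimates how much traffic exceeds the 8 Mbyte/sec disk-capture rate. The interface name eth1, the sample counters, and the reading of 1 Mbyte as 10**6 bytes are assumptions.

```python
# Added example, not product code: estimate SPAN traffic above the disk-capture ceiling.
# Assumption: 1 Mbyte = 10**6 bytes; the 8 Mbyte/sec figure is from the note above.
CAPTURE_LIMIT_BPS = 8 * 1_000_000


def rx_bytes(proc_net_dev, iface):
    """Return the receive byte counter for iface from /proc/net/dev text."""
    for line in proc_net_dev.splitlines():
        name, sep, counters = line.partition(":")
        if sep and name.strip() == iface:
            return int(counters.split()[0])
    raise KeyError(f"interface {iface!r} not found")


def capture_shortfall(samples, iface, limit=CAPTURE_LIMIT_BPS):
    """samples: list of (unix_time, /proc/net/dev text), oldest first.

    Returns (intervals, missed_fraction). Each interval is
    (start, end, bytes_per_sec, over_limit); missed_fraction is the share of
    received bytes above the limit, an estimate of traffic left unanalyzed.
    """
    intervals, total, missed = [], 0, 0.0
    for (t0, s0), (t1, s1) in zip(samples, samples[1:]):
        delta, secs = rx_bytes(s1, iface) - rx_bytes(s0, iface), t1 - t0
        if delta < 0 or secs <= 0:  # counter reset or clock step: skip
            continue
        rate = delta / secs
        intervals.append((t0, t1, rate, rate > limit))
        total += delta
        missed += max(0.0, delta - limit * secs)
    return intervals, (missed / total if total else 0.0)


# Constructed sample input: three snapshots, 10 s apart, of a hypothetical eth1.
def snap(rx):
    return ("Inter-|   Receive   |  Transmit\n"
            " face |bytes packets errs drop fifo frame compressed multicast|bytes ...\n"
            "    lo: 1000 10 0 0 0 0 0 0 1000 10 0 0 0 0 0 0\n"
            f"  eth1: {rx} 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n")


SAMPLES = [(0, snap(1_000_000_000)), (10, snap(1_050_000_000)),
           (20, snap(1_170_000_000))]

if __name__ == "__main__":
    rows, frac = capture_shortfall(SAMPLES, "eth1")
    for t0, t1, rate, over in rows:
        print(f"{t0}-{t1}s {rate / 1e6:.1f} Mbyte/sec", "OVER LIMIT" if over else "ok")
    print(f"estimated share of traffic not captured: {frac:.1%}")
```

The estimate averages over each sampling interval, so short bursts inside an interval that stays under the limit on average are not counted.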

Example Architecture: Passive Mode

In this example, data packets destined for the Internet pass through switch 1. From here, copies of these packets are replicated to the NBA, reassembled into files and emails, and stored in the NBA FTP folder. They can then be imported onto the CMS, either directly or as part of an Import Policy job.

Bivio 7000 architecture, output to disk

Example architecture: Output to disk, Passive mode

  1. Switch: Data packets passing through the switch from your corporate network to the Internet are replicated to a Data Inspection port on the NBA.
  2. Network traffic: Replicated data packets containing emails, Webmails, files and IM conversations are passed to a receiving data port on the back of the appliance (typically port s0.e0 on a Bivio appliance and port 1 on a Linux server).
  3. NBA: This hosts the Web console (3a) as well as the nbapolicy.xml policy file and nbaconfig.xml configuration file (3b).

    The NBA reassembles the incoming data packets into emails and files and stores them in \files and \mails subfolders (3c and 3d) of the NBA FTP folder.

    You connect to the NBA via the management port (3e) to manage NBA operations and subsequently when importing captured data.

  4. Import Policy: We recommend you run two Import Policy operations to separately import and apply policy to files and emails (imported from 3c and 3d respectively). In this example, both Import Policy servers are running in direct mode using local policy engines.
  5. CMS: The resulting events are replicated up to the CMS and stored for subsequent retrieval and reviewing.

More information:

Passive Mode

Connecting the NBA Ports