Positioning Taps (for Ethernet)
Info
This guide is still a work in progress and currently focuses on the most critical aspects of Ethernet monitoring with nzyme.
You can deploy multiple taps to collect Ethernet data, even within the same network. The number of taps and their placement should be determined based on your monitoring objectives.
The nzyme web interface, along with its tap selector, allows you to choose which data to include in your analysis and alerting setup.
Internet Egress/Ingress Monitoring
In most cases, monitoring the traffic that enters (ingresses) and exits (egresses) your network to and from the internet is essential. Therefore, it is advisable to place a tap at every internet egress/ingress point, typically at all your internet gateway routers.
Consider adding a tap both in front of and behind your internet gateway routers to capture traffic before and after NAT and packet filtering.
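The following is an added example, not nzyme code or part of the original guide: it shows what comparing the views of a tap behind the gateway (LAN side) and a tap in front of it (WAN side) can tell you. The Flow record format, the correlate function, and all addresses and ports are constructed for illustration and do not reflect nzyme's own data format.

```python
from collections import namedtuple

# Constructed record: one entry per connection attempt, as seen by a tap.
Flow = namedtuple("Flow", "ts proto src sport dst dport")

PUBLIC_IP = "203.0.113.10"  # constructed stand-in for the gateway's public address
LAN_TAP = [  # constructed sample: tap behind the gateway (before NAT)
    Flow(10.0, "tcp", "10.0.5.23", 51544, "198.51.100.7", 443),
    Flow(11.2, "udp", "10.0.5.40", 40000, "198.51.100.53", 53),
    Flow(12.0, "tcp", "10.0.5.23", 51560, "192.0.2.99", 6667),
]
WAN_TAP = [  # constructed sample: tap in front of the gateway (after NAT)
    Flow(10.001, "tcp", PUBLIC_IP, 62001, "198.51.100.7", 443),
    Flow(11.201, "udp", PUBLIC_IP, 62002, "198.51.100.53", 53),
    Flow(13.5, "tcp", "192.0.2.200", 44444, PUBLIC_IP, 22),
]

def correlate(lan, wan, public_ip, window=0.5):
    """Pair LAN-side outbound flows with their post-NAT WAN-side flows.

    Source NAT rewrites the source address and port, so flows are matched
    on protocol, remote endpoint and closeness in time (seconds).
    Returns (nat_map, egress_blocked, ingress_blocked).
    """
    nat_map, egress_blocked = {}, []
    unmatched_wan = list(wan)
    for f in lan:
        hit = next((w for w in unmatched_wan
                    if w.src == public_ip
                    and (w.proto, w.dst, w.dport) == (f.proto, f.dst, f.dport)
                    and abs(w.ts - f.ts) <= window), None)
        if hit:
            unmatched_wan.remove(hit)
            # Public endpoint -> internal host that actually sent the traffic.
            nat_map[(hit.src, hit.sport)] = (f.src, f.sport)
        else:
            # Seen inside, never seen outside: stopped by the gateway.
            egress_blocked.append(f)
    # Seen outside and aimed at the public address, but no flow from the same
    # remote endpoint appears inside: the packet filter dropped it.
    ingress_blocked = [w for w in unmatched_wan if w.dst == public_ip
                       and not any((l.proto, l.src, l.sport) ==
                                   (w.proto, w.src, w.sport) for l in lan)]
    return nat_map, egress_blocked, ingress_blocked
```

With only the LAN-side tap, the dropped inbound attempt to port 22 would be invisible; with only the WAN-side tap, outbound traffic could not be attributed to an internal host.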
Local Network Monitoring
For traffic that exclusively flows within your network (without reaching the internet), it is advisable to place taps at every network boundary. This typically involves placing a tap at every internal firewall, switch, or gateway that sits on a network segmentation boundary. For example, you could monitor traffic attempting to flow from a less privileged internal office network to a production environment or from a guest network to an internal corporate network.
VPN Monitoring
Another strategic location for a tap is at any VPN egress/ingress point. This enables you to monitor and alert on any unusual VPN traffic or connection attempts.