Re: Shomiti Taps, Cisco Port Mirroring and IDS

[Ryan Russell <ryan () securityfocus com>]

On Fri, 4 Jan 2002, Paul Cardon wrote:

> No, using a hub could lead to collisions and loss of packets when
> combining the two directions.  Use a switch that can queue the packets.

I would tend to disagree with that.  If a collision occurs, then no one
gets the frame, neither the IDS nor the intended recipient.  Any lost
frames by the IDS in that situation are the fault of the IDS.  On the
other hand, because of the fact that switches do buffering and selective
forwarding, there IS an opportunity for a frame to not get copied to the
IDS.

Note: Performance WILL suffer when going to a hub vs. a switch, but that's
performance, which is seperate from whether you're getting all the
traffic.

Or, as the subject line suggests, use a tap.  This is supposed to allow
you to maintain full-duplex, and still have a direct monitor.  (I say
"supposed to" because I haven't used them myself.)  This situation is
pretty much why taps exist.

                                Ryan

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards