IDS mailing list archives

RE: Taps supporting traffic aggregation ...


From: "Chris Ralph" <chris.ralph () blade-software com>
Date: Wed, 28 Jan 2004 21:25:13 -0000

Good idea but if you want to do any forensics on an attack then using a
switch could cause problems based on the switching method used (store and
forward, fragment free etc) and it could drop packets if it becomes
overwhelmed.  

When profiling an attacker it is important to learn as much about their
techniques as possible to ensure maximum security and a successful
prosecution if necessary. If, by the time packets reach the IDS, some of the
characteristics of the original data stream are lost, then it can increase
the difficulty of determining one attacker from another over time.

If you use a tap that aggregates full-duplex traffic into a single data
stream then connect this directly to the IDS then you will negate the
problem of network convergence.  

Intrusion Inc.  (www.intrusion.com) sell a tap that does this called the
"Intrusion SecureNet IDS Tap".

Of course it does mean you might need more IDS sensors.....

Chris

-----Original Message-----
From: Matthew Jonkman [mailto:matt () infotex com] 
Sent: 28 January 2004 03:40
To: sbernard () gmu edu
Cc: focus-ids () securityfocus com
Subject: Re: Taps supporting traffic aggregation ...

The big issue in taps bringing traffic together is that you have 
different networks that are not aware of each other. If both go down the 
same wire you'll have collisions, and thus lost data. If you're 
aggregating 2 links that are high load you'll lose most of the traffic.

I've successfully had multiple taps feeding into a dedicated switch and 
then did a span of that switch. The switch was able (if you get a good 
quality one) to buffer the packets and thus avoid the collisions. All 
the data still flows if you do an ingress span of the ports from the taps.

The key is a very good quality switch though. The 100 dollar staples 
cheapo won't cut it.

Matt


Steve Bernard wrote:
I can't say that I've ever seen a tap that aggregates traffic. Products
from Top Layer, F5, Alteon, and the like are marketed as "IDS load
balancers". I've talked to NetOptics before about building a tap that
actively monitors multiple links and pushes them all down one monitoring
port, but they didn't have anything like that and it didn't seem likely
that they ever would.


Steve


-----Original Message-----
From: Thierry Bole [mailto:tbole () telsys ch]
Sent: Monday, January 26, 2004 8:00 AM
To: focus-ids () securityfocus com
Subject: Taps supporting traffic aggregation ...


Hello,

Has anyone tested taps supporting traffic aggregation (with the
capability to mirror the traffic only on one link)?

I know that we can have some bandwidth limitations: if the 2 network
ports are operating at 100mbps and the IDS port is operating at 100mbps
as well, then under sustained aggregate bandwidth of greater than
100mbps, packets will get dropped.

Thank you for your feedback.

Thierry
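The two failure modes discussed in this thread, sustained oversubscription of the monitor port (Thierry's 100 + 100 into 100 Mbps case) and burst loss that a buffering switch rides out but a plain aggregating tap cannot (Matt's point), can be checked with a small queue model. The code below is an added example, not from any post in the thread or from any vendor named in it; the link rates, burst lengths, buffer sizes and the 1 ms time slot are constructed inputs, and the model treats the aggregating device as a single FIFO buffer in front of one monitor port.

```python
"""Added example: queue model of a full-duplex tap (or several taps)
aggregated onto one monitor port, to show why sustained aggregate load
above the monitor rate drops packets regardless of buffer size, while a
buffered switch absorbs short bursts that a plain tap would drop.
All rates, burst lengths and buffer sizes are constructed values."""

MONITOR_MBPS = 100  # monitor port rate, as in Thierry's example


def bytes_per_slot(mbps, slot_ms=1):
    """Bytes a link carries in one time slot (default 1 ms) at a given rate."""
    return mbps * 1_000_000 // 8 * slot_ms // 1000


def simulate(offered, buffer_bytes, monitor_mbps=MONITOR_MBPS, slot_ms=1):
    """Feed per-direction arrival series into one buffered monitor port.

    offered:      list of lists, one per tapped direction, bytes per slot.
    buffer_bytes: bytes the aggregating device can hold between slots
                  (0 models a plain aggregation tap with no storage).
    Returns (delivered, dropped, peak_backlog) in bytes.
    """
    drain = bytes_per_slot(monitor_mbps, slot_ms)  # monitor port capacity per slot
    queue = delivered = dropped = peak = 0
    for arrivals in zip(*offered):
        arriving = sum(arrivals)
        # Store-and-forward: the port can send `drain` bytes this slot and
        # buffer the rest up to `buffer_bytes`; anything beyond that is lost.
        accepted = min(arriving, drain + buffer_bytes - queue)
        dropped += arriving - accepted
        queue += accepted
        out = min(queue, drain)
        delivered += out
        queue -= out                      # backlog carried into the next slot
        peak = max(peak, queue)
    return delivered, dropped, peak


def constant_load(mbps, slots, slot_ms=1):
    """One direction running at a steady rate for `slots` slots."""
    return [bytes_per_slot(mbps, slot_ms)] * slots


def bursty_load(mbps, burst_slots, idle_slots, cycles, slot_ms=1):
    """One direction alternating between a full-rate burst and silence."""
    per_slot = bytes_per_slot(mbps, slot_ms)
    return ([per_slot] * burst_slots + [0] * idle_slots) * cycles


def steady_state_loss_fraction(link_mbps, monitor_mbps=MONITOR_MBPS):
    """Fraction of traffic lost under sustained load; no buffer changes this."""
    total = sum(link_mbps)
    return max(0.0, 1 - monitor_mbps / total)


def burst_backlog_bytes(link_mbps, burst_ms, monitor_mbps=MONITOR_MBPS):
    """Buffer needed to absorb a burst of `burst_ms` on all links at once."""
    excess_mbps = sum(link_mbps) - monitor_mbps
    return max(0, bytes_per_slot(excess_mbps, burst_ms))


if __name__ == "__main__":
    # Sustained 70 Mbps in each direction: 140 Mbps into a 100 Mbps port.
    # A 1 MB buffer only delays the loss; 2/7 of the traffic is still lost.
    both = [constant_load(70, 1000), constant_load(70, 1000)]
    print("sustained, 1 MB buffer:", simulate(both, 1_000_000))
    print("expected loss fraction:", steady_state_loss_fraction([70, 70]))

    # Both directions burst at line rate for 50 ms, then idle 150 ms.
    bursts = [bursty_load(100, 50, 150, 3), bursty_load(100, 50, 150, 3)]
    print("bursty, plain tap (no buffer):", simulate(bursts, 0))
    print("bursty, 64 KiB buffer:", simulate(bursts, 65_536))
    print("bursty, 1 MB buffer:", simulate(bursts, 1_000_000))
    print("backlog a 50 ms double burst needs:", burst_backlog_bytes([100, 100], 50))
```

The model reproduces the thread's two claims: under a sustained 140 Mbps aggregate the port delivers exactly its 100 Mbps share and the rest is dropped once the buffer fills, whereas for bursts the loss depends entirely on buffer depth, with a zero-buffer tap losing half of every simultaneous line-rate burst and a buffer sized to the excess-rate-times-burst-length backlog losing nothing.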
