IDS mailing list archives

Re: serial-line protocols


From: "Andy Cuff" <lists () securitywizardry com>
Date: Sat, 4 Sep 2004 08:44:47 +0100

Hi Raj,
From what you've said an optical tap is the way forward.  The taps you
mention that only give you a portion of the light are probably entirely
passive "vampire taps" that remove some of the fiber cladding and use
refraction for their light source.  The commercial active taps give a far
more reliable output.  I have salient details on every tap on the market
here http://securitywizardry.com/taps.htm

Alternatively, can you put one of your switches in span or mirror port mode
and see the data that way?  Again, I have listed the syntax for performing
this function for many of the common switches out there here
http://securitywizardry.com/switch.htm

Hope this helps

-andy cuff
Talisker's Computer Security Portal
Computer Network Defence Ltd
http://www.securitywizardry.com
----- Original Message ----- 
From: "Raj Malhotra" <ral.mal () gmail com>
To: "Vijayakumar.S" <vijay () nsecure net>
Cc: "Rob Shein" <shoten () starpower net>; <focus-ids () securityfocus com>;
<mmcguirl () lucidsecurity com>
Sent: Wednesday, September 01, 2004 3:35 PM
Subject: Re: serial-line protocols


Hi,


----------------------------                           ----------------------------
|       ROUTER             | -----PPP fiber link------ |     ROUTER               |
----------------------------                           ----------------------------
       |              |
------------------    ------------------
| switch         |    | switch         |
------------------    ------------------

We are not allowed to touch the left part of the diagram for any type
of deployment due to policies. We can deploy only on the outgoing link,
which is PPP. If we deploy any of the optical taps, the tap only splits
the light wave to give us a portion of the raw data going on the link.
Our NIDS has an ethernet interface and hence we need a protocol
converter to convert from PPP to ethernet frames.
How does the protocol converter detect the IP frames before it can
encapsulate them into an ethernet frame and send them out?

Raj
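
Added example (not part of the original thread, and not any vendor's converter): with RFC 1662 HDLC-like framing, IP packets are identified by the PPP protocol field (0x0021 for IPv4, 0x0057 for IPv6), so a passive converter can unstuff each frame, check the FCS, and prepend an Ethernet header for the NIDS. The code assumes the tap hardware already delivers one direction's octet stream with a 16-bit FCS; the MAC addresses and all function names are made up for illustration.

```python
import struct

FLAG, ESC = 0x7E, 0x7D
PPP_TO_ETHERTYPE = {0x0021: 0x0800, 0x0057: 0x86DD}  # IPv4, IPv6
# Placeholder MACs (locally administered, made up): a PPP link carries none.
DST_MAC, SRC_MAC = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")

def fcs16(data):
    """RFC 1662 FCS-16: reflected CRC-CCITT, initial value 0xFFFF."""
    fcs = 0xFFFF
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs

def unstuff(raw):
    """Undo octet stuffing: 0x7D means the next octet was XORed with 0x20."""
    out, it = bytearray(), iter(raw)
    for byte in it:
        out.append(next(it, 0) ^ 0x20 if byte == ESC else byte)
    return bytes(out)

def ppp_to_ethernet(stream):
    """Return Ethernet frames for the IP packets in a tapped PPP octet stream."""
    frames = []
    for chunk in stream.split(bytes([FLAG])):         # 0x7E delimits frames
        frame = unstuff(chunk)
        if len(frame) < 4 or fcs16(frame) != 0xF0B8:  # residue of a good FCS
            continue                                  # idle fill or damaged frame
        body = frame[:-2]                             # strip the FCS
        if body[:2] == b"\xff\x03":                   # address/control, if sent
            body = body[2:]
        if len(body) < 2:
            continue
        if body[0] & 1:                               # compressed 1-octet protocol
            proto, payload = body[0], body[1:]
        else:
            proto, payload = struct.unpack("!H", body[:2])[0], body[2:]
        ethertype = PPP_TO_ETHERTYPE.get(proto)
        if ethertype:                                 # LCP, IPCP etc. are dropped
            frames.append(DST_MAC + SRC_MAC + struct.pack("!H", ethertype) + payload)
    return frames

def build_ppp_frame(proto, payload):
    """Build one stuffed PPP frame; used only to construct sample input."""
    body = b"\xff\x03" + struct.pack("!H", proto) + payload
    body += struct.pack("<H", fcs16(body) ^ 0xFFFF)   # FCS goes out low octet first
    stuffed = b"".join(bytes([ESC, b ^ 0x20]) if b in (FLAG, ESC) else bytes([b]) for b in body)
    return bytes([FLAG]) + stuffed + bytes([FLAG])
```

Link-control traffic (LCP, IPCP) has no Ethernet equivalent and is discarded, so the NIDS sees only the IP packets that crossed the link.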

