Snort mailing list archives

RE: To TAP or HUB?

From: "Madziarczyk, Jonathan" <than () cityofevanston org>
Date: Thu, 19 Dec 2002 12:51:40 -0600

From my understanding....


Since you're only monitoring between the cable modem and the firewall,
putting a hub in between the two is almost the exact same thing as
putting a tap between. As for the hacker...the only way that I can think
of for him to be able to access your IDS box would be to come through
your firewall and access the internal nic.  No one should be able to
even detect that you have the unassigned nic sitting outside the
firewall listening.  If you were doing flexresp or something like that I
guess its conceivable that someone could figure out that you have an
IDS.

Hope that helps, I'm sure someone will correct me if I missed/messed
something.

JonM

-----Original Message-----
From: Carleton, Sam (SCI TW) [mailto:Sam_Carleton_TW () stercomm com] 
Sent: Thursday, December 19, 2002 12:21 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] To TAP or HUB?

Folks,

I understand the point of using a TAP with an IDS, but is it a must?
What
is the drawback to simply using a HUB?  I ask because a TAP is a bit
much
for the house, or at least right now.  My thought is this:  I put a HUB
between the cable modem and firewall.  Then I plug in the second NIC of
my
IDS Server, but never assign an IP address.  Then turn on snort to
listen to
that NIC.  Would that work?  Would a hacker be able to get into the IDS
Server?  It is my understanding that the presents of the IDS would be
known,
but I can live with that right now.  Are there any other drawbacks?

Sam


-------------------------------------------------------
This SF.NET email is sponsored by: Geek Gift Procrastinating?
Get the perfect geek gift now!  Before the Holidays pass you by.
T H I N K G E E K . C O M      http://www.thinkgeek.com/sf/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This SF.NET email is sponsored by: Geek Gift Procrastinating?
Get the perfect geek gift now!  Before the Holidays pass you by.
T H I N K G E E K . C O M      http://www.thinkgeek.com/sf/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

To TAP or HUB? Carleton, Sam (SCI TW) (Dec 19)
- <Possible follow-ups>
- RE: To TAP or HUB? Henning, David (Dec 19)
  - RE: To TAP or HUB? Frank Knobbe (Dec 19)
- RE: To TAP or HUB? Madziarczyk, Jonathan (Dec 19)
  - RE: To TAP or HUB? Shane Hickey (Dec 19)
- RE: To TAP or HUB? Eric Joe (Dec 19)
  - RE: To TAP or HUB? Shane Hickey (Dec 19)
- RE: To TAP or HUB? Matt Kettler (Dec 19)