Snort mailing list archives
RE: To TAP or HUB?
From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 19 Dec 2002 15:52:50 -0500
Agreed, there are a small handful of differences, but generally speaking for a low-bandwidth (under 4mbit/sec) network, using a hub to an IP-less interface on a well secured system should be perfectly adequate. Hubs are generally well suited to most T1's, cable modems, and DSL connections if you're capable of correctly securing the computer running snort.
Taps:
pros
- inherently secure against intrusion - the snort box cannot send data
- efficient even in full wire-speed uses - taps don't introduce collisions
- highly failure resistant (ie: they rarely contain electronics which can fail in such a way data stops flowing)
cons
- more costly

Hubs:
pros
- cheap, widely available
cons
- not secure on its own - another mechanism needs to protect the snort box from exploitation
- introduces collisions which become a severe problem for high-speed networks (45mbit/sec or faster).
- less failure resistant - they require power to operate, and electronics in them can possibly fail.
Note that the tap method protects the snort box from exploitation on that interface, i.e.: nobody can hack your snort box and get a root shell via an interface connected to a tap, but does not protect it from all forms of denial of service; someone could possibly still crash it by sending it invalid data. It also can't protect it from exploitation via another interface :)
A hacked snort box is a very dangerous thing, since the snort box is in the perfect position to monitor all traffic going in and out of your network. It is an ideal location to engage in connection hijacking, DNS spoofing and other attacks against other machines on the network. Be very mindful of securing your snort sensors.
At 12:51 PM 12/19/2002 -0600, Madziarczyk, Jonathan wrote:
Since you're only monitoring between the cable modem and the firewall, putting a hub in between the two is almost the exact same thing as putting a tap between.