Snort mailing list archives

RE: To TAP or HUB?

From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 19 Dec 2002 15:52:50 -0500

Agreed, there are a small handful of differences, but generally speakingfor a low-bandwidth (under 4mbit/sec) network, using a hub to a IP-lessinterface on a well secured system should be perfectly adequate. Hubs aregenerally well suited to most T1's, cable modems, and DSL connections ifyou're capable of correctly securing the computer running snort.


Taps:

pros - inherently secure against intrusion - the snort box cannotsend dataefficient even in full wire-speed uses - taps don'tintroduce collisionshighly failure resistant (ie: they rarely containelectronics which can fail in such a way data stops flowing)

        cons - more costly

Hubs:
        pros - cheap, widely available

cons - not secure on it's own- another mechanism needs to protectthe snort box from exploitationintroduces collisions which become a severe problem forhigh-speed networks (45mbit/sec or faster).less failure resistant - they require power to operate,and electronics in them can possibly fail.

Note that the tap method protects the snort box from exploitation on thatinterface, i.e.: nobody can hack your snort box and get a root shell via ainterface connected to a tap, but does not protect it from all forms ofdenial of service, someone could possibly still crash it by sending itinvalid data. It also can't protect it from exploitation via anotherinterface :)

A hacked snort box is a very dangerous thing, since the snort box is in theperfect position to monitor all traffic going in and out of your network.It is an ideal location to engage in connection hijacking, DNS spoofing andother attacks against other machines on the network. Be very mindful ofsecuring your snort sensors.



At 12:51 PM 12/19/2002 -0600, Madziarczyk, Jonathan wrote:

Since you're only monitoring between the cable modem and the firewall,
putting a hub in between the two is almost the exact same thing as
putting a tap between.




-------------------------------------------------------
This SF.NET email is sponsored by: Geek Gift Procrastinating?
Get the perfect geek gift now!  Before the Holidays pass you by.
T H I N K G E E K . C O M      http://www.thinkgeek.com/sf/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

To TAP or HUB? Carleton, Sam (SCI TW) (Dec 19)
- <Possible follow-ups>
- RE: To TAP or HUB? Henning, David (Dec 19)
  - RE: To TAP or HUB? Frank Knobbe (Dec 19)
- RE: To TAP or HUB? Madziarczyk, Jonathan (Dec 19)
  - RE: To TAP or HUB? Shane Hickey (Dec 19)
- RE: To TAP or HUB? Eric Joe (Dec 19)
  - RE: To TAP or HUB? Shane Hickey (Dec 19)
- RE: To TAP or HUB? Matt Kettler (Dec 19)