Snort mailing list archives

Re: A question about taps


From: Eric Hines <eric.hines () appliedwatch com>
Date: Fri, 16 Sep 2005 10:16:39 -0500

Hi Gary,

Understand that we are Platinum resellers for Net Optics so any
information I give you will be based on their technology.

There are several major differences between your $5 tap and the ~$1000
taps you will see out there that do similar "Port Aggregation" or
network tapping.

There are what I call the first generation taps that don't do port
aggregation and make life hard for your intrusion analyst in that both A
and B traffic flowing through the Tap are output to (2) separate
monitoring ports, whereas the Net Optics Port Aggregator aggregates both A
and B traffic into a single sniffing/IDS monitoring port. Because IDSs
for the most part are stateful and require the capability to see both
ingress and egress network traffic, you would need to figure out how to
combine both sides of the A and B traffic on that Tap to the IDS. The
first Tap I mentioned, where there are (2) monitoring ports, forces
Intrusion Analysts to either do port bonding on their IDS in Linux or
purchase an IDS appliance that does it for them.

Not really knowing too much about your tap, I'm assuming for $5.00 it
doesn't have the circuit-level zero delay capabilities for network
uptime. Understand that a company putting any device inline that could
take down their network:

a) Probably is unlikely to trust a device they paid $5.00 for and will
probably make sure their resume is updated before doing it as shortly
thereafter they'll probably end up on dice.com looking for a new job

b) is unlikely to have any form of fail-over capabilities should power
get cut to the device. E.g. the Net Optics 10/100 Port Aggregator
(96443) features circuit-level zero delay failover -- meaning, if the
power is cut the tap will continue to pass traffic in/out of the
network.

These are just some of the capabilities of your higher-end taps compared
to what you've got there. Of course there are also your Tap Regens and
Optical Bypass Switches, but those are other discussions :)

Hope this helps. I suppose it boils down to "you get what you pay for".



Best Regards,

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, LLC
1095 Pingree Road
Suite 213
Crystal Lake, IL 60014
Tel: (877) 262-7593 ext:327

Virginia Office (Intelligence/Dept. of Defense) 
Cleared Personnel: TS/SCI with Polygraph 
4524 Waverly Crossing Lane 
Chantilly, Va. 20151 
Toll Free: (877) 262-7593 
Fax: (877) 262-7593 
Hours: 9am-5pm EST
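The "port bonding on their IDS in Linux" option Eric mentions for two-output taps looks like this in practice. This is an added example, not code from Eric's post, Net Optics or the Snort project: it enslaves the two monitor legs of a tap into one Linux bonding interface so a single Snort instance sees both the A and B directions. The interface names (eth1, eth2, bond0) and the Snort config path are assumptions; set DRY_RUN=1 to print the commands instead of running them (the real steps need root).

```shell
#!/bin/sh
# Added example: merge the A and B monitor legs of a two-output tap into one
# Linux bonding interface for a single stateful IDS instance.
# Interface names and the Snort config path below are assumptions.
set -eu

TAP_A="${TAP_A:-eth1}"      # monitor port carrying the A side of the tapped link
TAP_B="${TAP_B:-eth2}"      # monitor port carrying the B side of the tapped link
BOND="${BOND:-bond0}"       # receive-only bond presented to the IDS
DRY_RUN="${DRY_RUN:-0}"     # DRY_RUN=1 prints commands instead of executing them

# run: execute a command, or print it when DRY_RUN=1 so the steps can be
# reviewed on a box where you are not root.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# build_sniff_bond: create the bond and enslave both tap legs.
# balance-rr is used because every frame received on either slave is passed
# up to the bond; active-backup would drop frames arriving on the inactive leg,
# which is exactly the one-sided view a stateful IDS cannot work with.
build_sniff_bond() {
    run modprobe bonding
    run ip link add "$BOND" type bond mode balance-rr
    for leg in "$TAP_A" "$TAP_B"; do
        run ip link set "$leg" down             # a slave must be down before enslaving
        run ip link set "$leg" master "$BOND"
    done
    run ip link set "$BOND" up
    run ip link set "$BOND" promisc on          # promisc is propagated to both slaves
    # Deliberately no IP address on the bond: it is a sniffing interface only.
}

# snort_cmd: the single Snort command line that now covers both directions.
snort_cmd() {
    printf 'snort -i %s -c %s\n' "$BOND" "${SNORT_CONF:-/etc/snort/snort.conf}"
}

# rx_packets: frame counter for an interface, 0 if it does not exist.
# A healthy two-leg tap shows both legs incrementing and the bond roughly
# equal to their sum; a leg stuck at 0 means one direction is not reaching the IDS.
rx_packets() {
    cat "/sys/class/net/$1/statistics/rx_packets" 2>/dev/null || echo 0
}

if [ "${1:-}" = "setup" ]; then
    build_sniff_bond
    snort_cmd
fi
```

Run as `sh tapbond.sh setup` (as root) to build the bond and print the Snort command; afterwards compare `rx_packets eth1`, `rx_packets eth2` and `rx_packets bond0` to confirm that both tap legs are actually delivering frames.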
On Fri, 2005-09-16 at 14:45 +0100, Brett, Gary wrote:
Hi there

Just a quick question. I have in my possession a simple little plastic tap
(basically a little adapter-type thing that has 3 RJ48 ports on it; it is
not a powered device, just a little internally wired adapter). After testing
it, it does exactly what a tap should do and outputs all traffic it receives
on any of the 3 ports to all the other ports.

My question is this: from reading Snort mailing list archives and FAQs,
people are suggesting that one should invest in a more complex, powered unit,
e.g. Shomiti, Finisar and Netoptics etc., costing many hundreds of dollars in
some cases. I would just like to know why my little plastic $5 gizmo is not
on that list of recommended items. Is there something my gizmo does or does
not do that makes it a bad choice for a SNORT NIDS (even in my small test
environment)? I would really like to know.


Any help on this would be greatly appreciated.
Gary


-------------------------------------------------------
SF.Net email is sponsored by:
Tame your development challenges with Apache's Geronimo App Server. Download
it for free - -and be entered to win a 42" plasma tv or your very own
Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


