Snort mailing list archives
Re: A question about taps
From: Eric Hines <eric.hines () appliedwatch com>
Date: Fri, 16 Sep 2005 10:16:39 -0500
Hi Gary,

Understand that we are Platinum resellers for Net Optics so any information I give you will be based on their technology. There are several major differences between your $5 tap and the ~$1000 taps you will see out there that do similar "Port Aggregation" or network tapping.

There are what I call the first generation taps that don't do port aggregation and make life hard for your intrusion analyst in that both A and B traffic flowing through the Tap are outputted to (2) separate monitoring ports, whereas the Net Optics Port Aggregator aggregates both A and B traffic into a single sniffing/IDS monitoring port. Because IDSs for the most part are stateful and require the capability to see both ingress and egress network traffic, you would need to figure out how to combine both sides of the A and B traffic on that Tap to the IDS. The first Tap I mentioned, where there are (2) monitoring ports, forces Intrusion Analysts to either do port bonding on their IDSs in Linux or purchase an IDS appliance that does it for them.

Not really knowing too much about your tap, I'm assuming for $5.00 it doesn't have the circuit-level zero delay capabilities for network uptime. Understand that a company putting any device inline that could take down their network: a) Probably is unlikely to trust a device they paid $5.00 for and will probably make sure their resume is updated before doing it, as shortly thereafter they'll probably end up on dice.com looking for a new job; b) is unlikely to have any form of fail-over capabilities should power get cut to the device. E.g. the Net Optics 10/100 Port Aggregator (96443) features circuit-level zero delay failover -- meaning, if the power is cut the tap will continue to pass traffic in/out of the network.

These are just some of the capabilities of your higher-end taps compared to what you've got there. Of course there are also your Tap Regens and Optical Bypass Switches, but those are other discussions :)

Hope this helps.
I suppose it boils down to "you pay for what you get".

Best Regards,

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, LLC
1095 Pingree Road Suite 213
Crystal Lake, IL 60014
Tel: (877) 262-7593 ext:327

Virginia Office (Intelligence/Dept. of Defense)
Cleared Personnel: TS/SCI with Polygraph
4524 Waverly Crossing Lane
Chantilly, Va. 20151
Toll Free: (877) 262-7593
Fax: (877) 262-7593
Hours: 9am-5pm EST

On Fri, 2005-09-16 at 14:45 +0100, Brett, Gary wrote:
> Hi there,
>
> Just a quick question. I have in my possession a simple little plastic tap (basically a little adapter type thing that has 3 RJ48 ports on it; it is not a powered device, just a little internally wired adapter). After testing it, it does exactly what a tap should do and outputs all traffic it receives on any of the 3 ports to all the other ports.
>
> My question is this: from reading snort mailing list archives and FAQs, people are suggesting that one should invest in a more complex, powered unit, e.g. Shomiti, Finisar and Netoptics etc., costing many hundreds of dollars in some cases. I would just like to know why my little plastic $5 gizmo is not on that list of recommended items? Is there something my gizmo does or does not do that makes it a bad choice for a SNORT NIDS (even in my small test environment)? I would really like to know.
>
> Any help on this would be greatly appreciated
>
> Gary
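The point Eric makes about stateful IDSs needing both the A and B sides of the link is easy to see with a small simulation. The following is an added example written for this archive page, not code from the thread or from Snort: a toy session tracker that, like a stateful engine, refuses to inspect a flow until it has seen the full three-way handshake. The traffic is constructed, and the two lists stand in for the two monitoring ports of a non-aggregating tap (A = client to server, B = server to client). Feeding either port alone never produces an established session, so a content match in the request is missed; merging both ports by timestamp, which is what a port-aggregation tap or Linux interface bonding does for you, lets the handshake complete and the inspection fire.

```python
"""Why a stateful IDS needs both directions of a tapped link.

Toy session tracker (constructed example, not Snort code): a flow is only
inspected once the three-way handshake has been seen, the way a stateful
engine refuses to pick up a stream mid-way. Feeding it one monitor port
(one direction) never yields an established session; merging both ports,
as an aggregation tap or Linux bonding does, completes the handshake.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed signature string; stands in for a real content rule.
SIGNATURE = b"CONSTRUCTED_TEST_SIGNATURE"


@dataclass(frozen=True)
class Packet:
    ts: float          # capture timestamp (seconds)
    src: str
    sport: int
    dst: str
    dport: int
    flags: str         # "S", "SA", "A", "PA" (TCP flag letters, tcpdump style)
    payload: bytes = b""


def flow_key(p: Packet) -> Tuple:
    """Direction-independent key so both halves of a session map to one flow."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


class StatefulInspector:
    """Tracks SYN -> SYN/ACK -> ACK before inspecting any payload."""

    def __init__(self) -> None:
        self.state: Dict[Tuple, str] = {}
        self.alerts: List[Tuple] = []

    def feed(self, p: Packet) -> None:
        k = flow_key(p)
        st = self.state.get(k)
        if p.flags == "S" and st is None:
            self.state[k] = "SYN"
        elif p.flags == "SA" and st == "SYN":
            self.state[k] = "SYNACK"
        elif p.flags == "A" and st == "SYNACK":
            self.state[k] = "ESTABLISHED"
        elif st == "ESTABLISHED" and p.payload and SIGNATURE in p.payload:
            self.alerts.append((k, p.ts))
        # Anything else (data on a flow whose handshake we never saw, or an
        # out-of-order handshake step) is ignored, as a stateful engine would.

    def established(self) -> int:
        return sum(1 for s in self.state.values() if s == "ESTABLISHED")


def monitor(*ports: List[Packet]) -> Tuple[int, int]:
    """Merge one or more monitor-port captures by timestamp (what port
    aggregation or bonding does) and return (established flows, alerts)."""
    merged = sorted((p for port in ports for p in port), key=lambda p: p.ts)
    insp = StatefulInspector()
    for p in merged:
        insp.feed(p)
    return insp.established(), len(insp.alerts)


# Constructed capture: one HTTP-style session split across the two monitor
# ports of a non-aggregating tap. PORT_A sees client->server, PORT_B the reverse.
C, S = ("10.0.0.5", 40000), ("10.0.0.10", 80)
PORT_A = [
    Packet(0.0, *C, *S, "S"),
    Packet(0.2, *C, *S, "A"),
    Packet(0.3, *C, *S, "PA", b"GET /index.html " + SIGNATURE),
]
PORT_B = [
    Packet(0.1, *S, *C, "SA"),
    Packet(0.4, *S, *C, "PA", b"HTTP/1.0 200 OK"),
]

if __name__ == "__main__":
    print("port A only :", monitor(PORT_A))          # (0, 0)
    print("port B only :", monitor(PORT_B))          # (0, 0)
    print("aggregated  :", monitor(PORT_A, PORT_B))  # (1, 1)
```

The sensor side of the fix is the same whichever way the merge happens: either the tap aggregates A and B onto one monitor port, or the IDS host bonds the two capture NICs into one logical interface and Snort listens there. Without one of the two, a stream-aware engine sees half a conversation and quietly inspects nothing.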