RE: A question about taps

[Eric Hines <eric.hines () appliedwatch com>]

Gary, some Taps exist, such as the "Active Response" taps offered from
Net Optics that allow you to send traffic back out through the
monitoring ports to the network. The Active Response capabilities of
their taps allow you to hang an IDS or IPS off the monitoring port that
allow ICMP unreachable and TCP shuns to be sent through the tap to
src/dst.

Just to name a few:

Active Response Port Aggregator Tap
http://www.netoptics.com/products/product_family_details.asp?cid=4&pid=115&Section=products&menuitem=4&tag=NetOptics

Active Response Dual Port Aggregator Tap
http://www.netoptics.com/products/product_family_details.asp?cid=4&pid=104&Section=products&menuitem=4&tag=NetOptics




Best Regards,

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, LLC
1095 Pingree Road
Suite 213
Crystal Lake, IL 60014
Tel: (877) 262-7593 ext:327

Virginia Office (Intelligence/Dept. of Defense) 
Cleared Personnel: TS/SCI with Polygraph 
4524 Waverly Crossing Lane 
Chantilly, Va. 20151 
Toll Free: (877) 262-7593 
Fax: (877) 262-7593 
Hours: 9am-5pm EST


On Fri, 2005-09-16 at 15:51 +0100, Brett, Gary wrote:
> Thanks guys , I have a far better understanding of this now....it is indeed
> a splitter that I have but it was sold to me as a tap, however from my
> understanding proper taps don't allow transmitted packets from the monitor
> port (which makes sense to keep your sensor "invisible" on the wire) but
> this splitter sends and receives everything..
>
> Might be ok for my test environment though
>
> Thanks again
>
> -----Original Message-----
> From: Richard Bejtlich [mailto:taosecurity () gmail com] 
> Sent: 16 September 2005 15:36
> To: snort-users () lists sourceforge net
> Cc: gary.brett () cetelem co uk
> Subject: Re: [Snort-users] A question about taps
>
> Gary Brett wrote:
>
> > Just a quick question, I have in my possession a simple little plastic tap
> > (basically a little adapter type thing that has 3 RJ48 ports on it, it is
> > not a powered device just a little internally wired adapter). After
> testing
> > it, it does exactly what a tap should do and outputs all traffic it
> receives
> > on any of the 3 ports to all the other ports.
>
> Hi Gary,
>
> I bet I have a device similar to that in front of me now.  I bought it
> at Radio Shack to see how it worked.  I still have the device in the
> box because it is worthless for most situations. (I should have
> returned it!)  It's item 278-785, "Ethernet 10 Base-T Computer Network
> Cable Splitter."  Radio Shack provides the wiring diagram. [0]  A
> search for the part number reveals other people found it to be
> worthless too.
>
> Alternative solutions are listed here. [1]   
>
> The problem with these systems is the lack of signal regeneration. 
> Without power you will have a weaker signal.  Over distance you will
> lose frames.
>
> I would not use anything like this in production.  Even a powered hub
> is a better solution than this device.  This unpowered splitter is
> essentially the same as the do-it-yourself "taps" that are
> unfortunately documented elsewhere. [2]
>
> Sincerely,
>
> Richard
> http://www.taosecurity.com
>
> [0] http://support.radioshack.com/support_supplies/doc66/66324.pdf
> [1] http://www.duxcw.com/digest/Reviews/Network/ats/index.html
> [2] http://www.snort.org/docs/tap/
>
>
> -------------------------------------------------------
> SF.Net email is sponsored by:
> Tame your development challenges with Apache's Geronimo App Server. Download
> it for free - -and be entered to win a 42" plasma tv or your very own
> Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
SF.Net email is sponsored by:
Tame your development challenges with Apache's Geronimo App Server. Download
it for free - -and be entered to win a 42" plasma tv or your very own
Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users