Honeypots mailing list archives

RE: undetectable NIC in promiscuous mode


From: Simon Thornton <simon.thornton () swift com>
Date: Thu, 11 Mar 2004 15:34:31 +0100

Hi Jose,

I prefer the use of hardware TAPs on links; these isolate the IDS
completely from the link and make the system undetectable. As the TAP
prevents any device on the monitor ports from injecting data into the
link, it doesn't matter if the IDS interface is configured with an IP or
not. Of course there is a cost to this: they aren't cheap. I found it
easier to convince the network guys that inserting the TAP is a lower
risk than relying on special cables. Once installed, the TAP is invisible
to the link being monitored.

There are quite a few vendors; have a look at networkcritical.co.uk -
their TAP range covers Copper and Fibre along with a variety of
packaging options. One point to remember with TAP vendors (Finisar comes
to mind): most sell the TAP as part of a monitoring solution and usually
do not support other uses (though they work just fine).

Rgds,

Simon

-----Original Message-----
From: Jose_Maria_Gonzalez () dell com [mailto:Jose_Maria_Gonzalez () dell com]
Sent: Friday, March 05, 2004 10:41
To: honeypots () securityfocus com
Subject: undetectable NIC in promiscuous mode


Hi There,
 
Correct me if I am wrong but would a host with a NIC in promiscuous mode
with no IP set-up be detectable?
 
Thanking you in advance,
 
Rgds,
Jose Gonzalez
 
 
 
 
 
 

