Penetration Testing mailing list archives

Re: [PEN-TEST] IDS identification and a personal cry for help :)


From: Dragos Ruiu <dr () DURSEC COM>
Date: Thu, 17 Aug 2000 19:04:26 -0700

On Thu, 17 Aug 2000, Michael Schubert wrote:
> The correctly paranoid install Ethernet or optical (depending on
> flavor of sniffed connection) condoms aka the Shomiti Century tap for
> 10/100/1000 Ethernet utp or optical from www.shomiti.com or the netoptics
> %80/%20 optical splitters from www.netoptics.com. With them in place
> and either no management connection or a properly isolated management
> connection (i.e. no connection to the Internet) it really doesn't matter
> what ports are or are not open on your IDS because the tap is one way, it
> doesn't have a connection to the transmit side of your IDS (except to
>
> Along this same line the poor-man's solution to this, I believe would be
> to simply use a hub between box A and box B with box C on the hub with
> the transmit pair of the rj45 disconnected (cut-out), I'm thinking this
> would achieve the same effect of a completely muted promisc box,
> although this wouldn't be possible with fiber. Anyone ever tried this?


That won't work above 10Mbps.

For 100Mbps, the MII link negotiation needs the transmit
to activate the link.  You'll find, like my disappointment the first
time I tried it, that it will not be functional. The Shomiti tap is a
good solution.  My old group at HP has a semi-new (1y)
product in this area, that can best be described as a bunch
of Shomiti taps in one box for monitoring a whole switch.
I no longer work there, and had nothing to do with it, so
I'm allowed to say it looks cool. :-)  Don't remember the
Exxxx part number, sorry. Talk to your friendly neighborhood
Agilent dude.

cheers,
--dr

--
dursec.com ltd. / kyx.net - we're from the future
pgp fingerprint: 18C7 E37C 2F94 E251 F18E  B7DC 2B71 A73E D2E8 A56D
pgp key: http://www.dursec.com/drkey.asc

