Re: Use of Taps for IDS
From: Scott C. Kennedy (sck@s4r.com)
Date: 12/20/01
- Previous message: Oliver Petruzel: "RE: Looking for Host Based IDS (In a nutshell !)"
- Maybe in reply to: rob@puparoo.org: "Use of Taps for IDS"
- Next in thread: Frank Knobbe: "RE: Use of Taps for IDS"
Date: Wed, 19 Dec 2001 21:52:18 -0800
From: "Scott C. Kennedy" <sck@s4r.com>
To: Frank Knobbe <FKnobbe@KnobbeITS.com>
The 2 port ShoMiti Network TAP needs the THG switch
but the TopLayer AppSwitch is a THG-like device.
THG is the Shomiti product name for the re-assembler.
As for using Hubs, I agree, except that you can do 100 Mb/s
full duplex through some hubs, but others you'd have to do half
duplex. Plus.... Some hubs have an uplink filter to prevent some
bad network issues from propagating. But, it's really annoying
when you come across them..
Which 100 Mb/s hubs do you like?
Scott
Frank Knobbe wrote:
>
> > -----Original Message-----
> > From: Scott C. Kennedy [mailto:sck@s4r.com]
> > Sent: Wednesday, December 19, 2001 1:22 PM
> >
> > Just an obvious note... Most (if not all) taps, will split off the
> > transmit lines of the two machines. So, for a standard two port
> > tap, you'll have port A, port B, tap A, tap B. The traffic going
> > from A to B shows up on tap A, and the traffic going from B to A
> > shows up on tap B.
>
> Scott,
>
> does that include Shomiti and TopLayer taps?
>
> > So, if you're doing any protocol analysis, like with an NFR or
> > other IDS that need to follow the state of the connection, you'll
> > need to buy a THG device to take those two ports and merge the
> > traffic back together. Otherwise, you'd just see this..
> >
> > Attacker - SYN -> Target port 80
> > Attacker - ACK -> Target port 80
> > Attacker - HTTP 1.0 GET /etc/passwd -> Target Port 80
>
> One tap I know of does not use only one direction of traffic :) My
> favorite tap is a $30 4 port hub and a specially crimped Ethernet
> cable that only 'reads' data. Since the hub will pass all traffic on
> to the other ports, both directions are received by the IDS.
>
> For example, to tap a connection between a router and a firewall,
> plug the router into port 1 of the small hub. Port 2 goes to the
> firewall. Port 3 connects with following cable to the IDS:
>
> Hub IDS
> 1 -----\ /-- 1
> 2 ---\ | \-- 2
> 3 ---+-*------ 3
> 4 - | - 4
> 5 - | - 5
> 6 ---*-------- 6
> 7 - - 7
> 8 - - 8
>
> Basically, 1 and 2 on the IDS side are connected, 3 and 6
> straight through to the Hub. 1 and 2 on the Hub side connect to 3
> and 6 respectively. This fakes a link on both ends but only allows
> traffic from the Hub to the IDS. It also causes the 'incoming'
> traffic to be sent back to the Hub, so this cable only works well
> on a real hub. You can use it on a switch but you will get ...err...
> interesting results. Since the switch receives the packets back in
> on the port it sent them out, the MAC table gets confused and after a
> short while devices start to drop off the switch. Works like a
> charm on a hub though.
>
> Regards,
> Frank
>
--
Scott C. Kennedy
Chief Technical Officer
S4R | The Managed Services Company
5135 Avenida Encinas
Carlsbad, CA 92008
Office: (760) 804-8004 ext.105
Cell: (619) 318-4402
Pager: (760) 720-8853
E-mail: sck@s4r.com
Web: http://www.s4r.com
PGP: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE27C1102
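The point Scott makes about needing a THG-style device to re-merge the two tap outputs can be illustrated in software. The following Python sketch is an added example, not code from the thread or from any Shomiti or TopLayer product: it merges a constructed "tap A" feed (A to B) and "tap B" feed (B to A) by timestamp and shows that a stateful observer fed only tap A never sees a complete three-way handshake, while the merged stream does. Host names, timestamps and flags are all constructed sample data.

```python
# Added example: re-merging two unidirectional tap feeds for a stateful observer.
# Each feed is what one output port of a two-port tap would deliver: tap A carries
# only A->B frames, tap B only B->A frames. A THG-like re-assembler merges them.
import heapq
from typing import List, Tuple

# (timestamp_seconds, src, dst, tcp_flags) -- constructed, not a real capture
Packet = Tuple[float, str, str, str]


def merge_taps(*feeds: List[Packet]) -> List[Packet]:
    """Merge any number of per-direction feeds into one time-ordered stream.

    Each feed is assumed to be in timestamp order already (a tap port delivers
    frames in the order they crossed the wire), so a k-way heap merge suffices.
    """
    return list(heapq.merge(*feeds, key=lambda p: p[0]))


def handshake_complete(stream: List[Packet], client: str, server: str) -> bool:
    """Return True only if SYN, SYN/ACK and ACK are seen in order for client->server.

    This mirrors what a connection-tracking IDS must observe before it will treat
    later segments as belonging to an established session.
    """
    state = 0  # 0 = nothing seen, 1 = SYN seen, 2 = SYN/ACK seen
    for _, src, dst, flags in stream:
        if state == 0 and src == client and dst == server and flags == "SYN":
            state = 1
        elif state == 1 and src == server and dst == client and flags == "SYN/ACK":
            state = 2
        elif state == 2 and src == client and dst == server and flags == "ACK":
            return True
    return False


# Constructed sample: "A" opens a connection to "B" port 80, as in the thread.
TAP_A: List[Packet] = [
    (0.000, "A", "B", "SYN"),
    (0.002, "A", "B", "ACK"),
    (0.003, "A", "B", "PSH/ACK"),  # the HTTP request would ride here
]
TAP_B: List[Packet] = [
    (0.001, "B", "A", "SYN/ACK"),
    (0.004, "B", "A", "ACK"),
]


def seen_on_tap_a_only() -> bool:
    return handshake_complete(TAP_A, "A", "B")  # False: SYN/ACK never seen


def seen_after_merge() -> bool:
    return handshake_complete(merge_taps(TAP_A, TAP_B), "A", "B")  # True
```

A real re-assembler also has to cope with clock skew between the two tap ports; here both feeds are assumed to share one clock.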