RE: Use of Taps for IDS

From: Frank Knobbe (FKnobbe@KnobbeITS.com)
Date: 12/20/01


From: Frank Knobbe <FKnobbe@KnobbeITS.com>
To: "'Scott C. Kennedy'" <sck@s4r.com>, rob@puparoo.org
Date: Wed, 19 Dec 2001 21:01:42 -0600


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> -----Original Message-----
> From: Scott C. Kennedy [mailto:sck@s4r.com]
> Sent: Wednesday, December 19, 2001 1:22 PM
>
> Just an obvious note... Most (if not all) taps, will split off the
> transmit lines of the two machines. So, for a standard two port
> tap, you'll have port A, port B, tap A, tap B. The traffic going
> from A to B shows up on tap A, and the traffic going from B to A
> shows up on tap B.

Scott,

does that include Shomiti and TopLayer taps?

> So, if you're doing any protocol analysis, like with an NFR or other
> IDS that needs to follow the state of the connection, you'll need to
> buy a THG device to take those two ports and merge the traffic back
> together. Otherwise, you'd just see this..
>
> Attacker - SYN -> Target port 80
> Attacker - ACK -> Target port 80
> Attacker - HTTP 1.0 GET /etc/passwd -> Target Port 80

One tap I know of does not use only one direction of traffic :) My
favorite tap is a $30 4 port hub and a specially crimped Ethernet
cable that only 'reads' data. Since the hub will pass all traffic on
to the other ports, both directions are received by the IDS.

For example, to tap a connection between a router and a firewall,
plug the router into port 1 of the small hub. Port 2 goes to the
firewall. Port 3 connects with following cable to the IDS:

    Hub              IDS
    1 -----\       /-- 1
    2 ---\ |       \-- 2
    3 ---+-*---------- 3
    4 -  |           - 4
    5 -  |           - 5
    6 ---*------------ 6
    7 -              - 7
    8 -              - 8
    
Basically, 1 and 2 on the IDS side are connected, 3 and 6 straight
through to the Hub. 1 and 2 on the Hub side connect to 3 and 6
respectively. This fakes a link on both ends but only allows traffic
from the Hub to the IDS. It also causes the 'incoming' traffic to be
sent back to the Hub, so this cable only works well on a real hub. You
can use it on a switch but you will get ...err... interesting results.
Since the switch receives the packets back in on the port it sent them
out, the MAC table gets confused and after a short while devices start
to drop off the switch. Works like a charm on a hub though.

Regards,
Frank

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME (X.509) encrypted email preferred.

iQA/AwUBPCFUlpytSsEygtEFEQJ+mQCeP7nXbLmHd48Q2HlaREuDdq9Q6I8AoKWD
5aNstw/JA0m+dtOId883Ycy0
=4FEU
-----END PGP SIGNATURE-----
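The point Scott makes in the quoted text, that a two-port tap feeds a stateful IDS two one-directional streams which have to be merged before the IDS can follow a connection, can be shown with a toy tracker. The following is an added example and not code from either post or from any tap or IDS vendor; the packet records, addresses and field names are constructed for illustration, and the state machine is a deliberately minimal subset of TCP (three-way handshake only). It runs the same tracker twice: over "tap A" alone (attacker to target, exactly the SYN / ACK / GET sequence quoted above) and over both taps interleaved by timestamp, which is what a tap aggregator such as the THG does.

```python
"""
Added example: why an IDS that tracks TCP state needs both halves of a
split tap.  A two-port tap hands the IDS two one-directional streams
(tap A = A->B, tap B = B->A).  Fed only tap A, the tracker never sees the
SYN/ACK and never reaches ESTABLISHED, so the GET arrives "out of state".
Merged by timestamp, the same packets complete the handshake.

All packets, addresses and field names below are constructed sample data,
not a real capture format.
"""
import heapq
from dataclasses import dataclass
from typing import Iterable, List

# TCP flag bits this example needs
SYN, PSH, ACK = 0x02, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    ts: float            # capture timestamp, seconds
    src: str             # "ip:port" of the sender
    dst: str             # "ip:port" of the receiver
    flags: int
    payload: bytes = b""


def flow_key(p: Packet):
    """Direction-agnostic key so both halves of a connection map to one flow."""
    return tuple(sorted((p.src, p.dst)))


def merge_taps(*taps: Iterable[Packet]) -> List[Packet]:
    """What a tap aggregator does: interleave the one-directional streams
    by timestamp so the IDS sees the conversation in wire order.
    Each tap stream is assumed to be in timestamp order already."""
    return list(heapq.merge(*taps, key=lambda p: p.ts))


def analyze(packets: Iterable[Packet]) -> dict:
    """Minimal stateful tracker (handshake only).  Payload is 'inspected'
    only once the flow has completed a three-way handshake; payload seen
    in any other state is recorded as 'out_of_state' (a real IDS would
    drop it or alert on it, but could not apply HTTP rules to it)."""
    state = {}
    inspected, out_of_state = [], []
    for p in packets:
        k = flow_key(p)
        st = state.get(k, "CLOSED")
        syn, ack = bool(p.flags & SYN), bool(p.flags & ACK)
        if st == "CLOSED" and syn and not ack:
            st = "SYN_SENT"
        elif st == "SYN_SENT" and syn and ack:
            st = "SYN_RECEIVED"
        elif st == "SYN_RECEIVED" and ack and not syn:
            st = "ESTABLISHED"
        state[k] = st
        if p.payload:
            (inspected if st == "ESTABLISHED" else out_of_state).append(p.payload)
    return {"states": state, "inspected": inspected, "out_of_state": out_of_state}


# Constructed sample capture: the exchange from the quoted post, split the
# way a two-port tap splits it.  Addresses are documentation ranges.
ATTACKER, TARGET = "198.51.100.7:40123", "192.0.2.10:80"

TAP_A = [  # attacker -> target, as delivered on tap port A
    Packet(1.000, ATTACKER, TARGET, SYN),
    Packet(1.002, ATTACKER, TARGET, ACK),
    Packet(1.003, ATTACKER, TARGET, ACK | PSH, b"GET /etc/passwd HTTP/1.0\r\n\r\n"),
]
TAP_B = [  # target -> attacker, as delivered on tap port B
    Packet(1.001, TARGET, ATTACKER, SYN | ACK),
    Packet(1.004, TARGET, ATTACKER, ACK | PSH, b"HTTP/1.0 404 Not Found\r\n\r\n"),
]


def one_direction_only() -> dict:
    """IDS plugged into tap A alone: handshake never completes."""
    return analyze(TAP_A)


def both_directions() -> dict:
    """IDS behind an aggregator (or a hub): full conversation in order."""
    return analyze(merge_taps(TAP_A, TAP_B))


if __name__ == "__main__":
    for name, r in (("tap A only", one_direction_only()),
                    ("merged A+B", both_directions())):
        print(f"{name:11s} state={list(r['states'].values())} "
              f"inspected={len(r['inspected'])} out_of_state={len(r['out_of_state'])}")
```

Run on tap A alone the flow stalls in SYN_SENT and the GET is never inspected as HTTP; on the merged stream the flow reaches ESTABLISHED and both the request and the response are inspected. The same effect explains why Frank's hub-based tap needs no aggregator: a hub repeats both directions onto the IDS port, so the IDS receives the merged stream directly.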


