RE: Use of Taps for IDS

From: Frank Knobbe (FKnobbe@KnobbeITS.com)
Date: 12/20/01


From: Frank Knobbe <FKnobbe@KnobbeITS.com>
To: "'Scott C. Kennedy'" <sck@s4r.com>
Date: Thu, 20 Dec 2001 00:48:17 -0600


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> -----Original Message-----
> From: Scott C. Kennedy [mailto:sck@s4r.com]
> Sent: Wednesday, December 19, 2001 11:52 PM
>
> The 2 port ShoMiti Network TAP needs the THG switch
> but the TopLayer AppSwitch is a THG-like device.

Good to know. Thanks.

> As for using Hubs, I agree, except that you can do 100 Mb/s
> full duplex through some hubs, but others you'd have to do half
> duplex.

In that case I'm sure you could configure your device (i.e. firewall)
for half-duplex only.

> Plus.... Some hubs have an uplink filter to prevent some
> bad network issues from propagating. But, it's really annoying
> when you come across them..

Not quite sure what you mean. The only problem I have encountered is
with 10/100 hubs (internal bridge). But on pure 10 or 100 hubs I had
good results.

> Which 100 Mb/s hubs do you like?

A cheap 4 port NetGear hub makes a good tap. For larger settings,
where you'd want to combine several segments, a professional
tap/switch would be better. But for one or two segments (with two
hubs and two NICs in the IDS), a cheap NetGear-hub-ro-cable solution
is pretty effective. I like to keep the bandwidth per sensor
manageable to prevent IDS overload and rather set up multiple IDS's
if bandwidth requires it.

Regards,
Frank

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME (X.509) encrypted email preferred.

iQA/AwUBPCGJsZytSsEygtEFEQIZzACg471e0cW3F71sx+kLrKWL4fJPPzEAn04f
mKkCN2cH3JFBuVitJ2WvR5yW
=24/0
-----END PGP SIGNATURE-----