RE: Use of Taps for IDS

From: Chris Mattingly (chris.mattingly@interpath.net)
Date: 12/20/01


Date: Thu, 20 Dec 2001 13:02:33 -0500
From: "Chris Mattingly" <chris.mattingly@interpath.net>
To: "Clement-Evans, Rhys" <Rhys.Clement-Evans@swisslife.co.uk>

The taps will continue to pass traffic between the switch and the
computer (or other device), even if they lose their external power.
Only the tap ports themselves become dead upon the loss of power. I've
not seen a hub or switch that can do that... Let me know if I've just
not looked in the right place.

-Chris

-----Original Message-----
From: Clement-Evans, Rhys [mailto:Rhys.Clement-Evans@swisslife.co.uk]
Sent: Thursday, December 20, 2001 5:18 AM
Cc: focus-ids@securityfocus.com
Subject: RE: Use of Taps for IDS

When I was investigating securing my IDS system by use of taps, I considered
making a read-only cable for the simplest solution (well ok, the simplest
solution would have been to not bind any protocols to the IDS interface).

Investigation showed that there was the potential for the intermediate
hub/switch to deactivate the port used, as the relevant 'incoming' wires
would be disconnected. I suspect that this is more something to be aware of
with the higher end hubs and switches, but can anyone advise whether this is
a real concern or just clever marketing on the part of tap manufacturers?

Regards,

Rhys

-----Original Message-----
From: Frank Knobbe [mailto:FKnobbe@KnobbeITS.com]
Sent: 20 December 2001 06:48
To: 'Scott C. Kennedy'
Cc: rob@puparoo.org; focus-ids@securityfocus.com
Subject: RE: Use of Taps for IDS

A cheap 4 port NetGear hub makes a good tap. For larger settings,
where you'd want to combine several segments, a professional
tap/switch would be better. But for one or two segments (with two
hubs and two NICs in the IDS), a cheap NetGear-hub-ro-cable solution
is pretty effective. I like to keep the bandwidth per sensor
manageable to prevent IDS overload and rather set up multiple IDS's
if bandwidth requires it.
