RE: Use of Taps for IDS

From: Chris Grout (CGrout@chrisgrout.com)
Date: 12/20/01


Date: Thu, 20 Dec 2001 10:50:05 -0800
From: "Chris Grout" <CGrout@chrisgrout.com>
To: "Whitt,Laura A." <Laura.Whitt@cna.com>, "'Scott C. Kennedy'" <sck@s4r.com>, "Frank Knobbe" <FKnobbe@KnobbeITS.com>, rob@puparoo.org, focus-ids@securityfocus.com

Depends. The 3550's do support SPAN ports (Cisco's term for mirrored
port) but there are limitations with regards to the way you VLAN out the
network and which interfaces are SPAN-able, so definitely look into
those.
http://www.cisco.com/warp/customer/473/41.html#xl1

Assuming the SPAN ports work, you'll have no need for the Shomiti's or
hubs.

But if that doesn't work, the Shomiti taps are no doubt higher quality
devices than most hubs out there. They have built in fault tolerances so
even in the event they fail, traffic could still pass. They also would
allow you to maintain your full duplex.

As for the hub, unless you use an IDA that truly is read only (whether
that be a jacked up read-only cable, or a system such as an NFR IDA), you
probably will want to use half duplex otherwise you may run into
problems. And if this "tapped" interface is a major up/down link, you
may not want a hub being a single point of failure, nor the half duplex
issue.

Also finding a "good & dumb" hub lately has actually become quite a
challenge. Keep in mind any 10/100 hub actually switches between the 10
mbit devices and the 100 mbit devices. And as Scott mentioned, some hubs
also try to intelligently drop munged packets on certain uplink ports
(similar to 3COM NICs) and can cause you confusion when troubleshooting
layer1/2 issues.

So basically, if this tap is for an IDS system, bandwidth-wise you don't
need to load balance across multiple IDAs, and you don't mind relying on
a hub to maintain your connectivity, then a hub solution probably will
work fine.

If the tap is going to be used for low level troubleshooting (like with a
Fluke), or you require higher reliability, then the taps are a good
solution. But as Scott mentioned, you'll need 2 and a THG to track state.

If you ever expect to need to load balance IDS systems, definitely look at
the TopLayer as it's *extremely* cool and works beautifully.

Chris

-----Original Message-----
From: "Whitt,Laura A." <Laura.Whitt@cna.com>
To: "'Scott C. Kennedy'" <sck@s4r.com>, Frank Knobbe
<FKnobbe@KnobbeITS.com>
Date: Thu, 20 Dec 2001 08:58:46 -0600
Subject: RE: Use of Taps for IDS

> We are purchasing Shomiti Century Taps and Cisco Catalyst 3550's......
> are we just going overboard or is the "hub" solution a viable one for
> a larger network?
>
> Thanks!
>
> Lorie
>
>
>
>
> -----Original Message-----
> From: Scott C. Kennedy [mailto:sck@s4r.com]
> Sent: Wednesday, December 19, 2001 11:52 PM
> To: Frank Knobbe
> Cc: rob@puparoo.org; focus-ids@securityfocus.com
> Subject: Re: Use of Taps for IDS
>
> The 2 port ShoMiti Network TAP needs the THG switch
> but the TopLayer AppSwitch is a THG-like device.
>
> THG is the Shomiti product name for the re-assembler.
>
> As for using Hubs, I agree, except that you can do 100 Mb/s
> full duplex through some hubs, but others you'd have to do half
> duplex. Plus.... Some hubs have an uplink filter to prevent some
> bad network issues from propagating. But, it's really annoying
> when you come across them..
>
> Which 100 Mb/s hubs do you like?
>
> Scott
>
> Frank Knobbe wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > > -----Original Message-----
> > > From: Scott C. Kennedy [mailto:sck@s4r.com]
> > > Sent: Wednesday, December 19, 2001 1:22 PM
> > >
> > > Just an obvious note... Most (if not all) taps, will split off the
> > > transmit lines of the two machines. So, for a standard two port
> > > tap, you'll have port A, port B, tap A, tap B. The traffic going
> > > from A to B shows up on tap A, and the traffic going from B to A
> > > shows up on tap B.
> >
> > Scott,
> >
> > does that include Shomiti and TopLayer taps?
> >
> > > So, if you're doing any protocol analysis, like with an NFR or
> > > other IDS that needs to follow the state of the connection, you'll
> > > need to buy a THG device to take those two ports and merge the
> > > traffic back together. Otherwise, you'd just see this..
> > >
> > > Attacker - SYN -> Target port 80
> > > Attacker - ACK -> Target port 80
> > > Attacker - HTTP 1.0 GET /etc/passwd -> Target Port 80
> >
> > One tap I know of does not use only one direction of traffic :) My
> > favorite tap is a $30 4 port hub and a specially crimped Ethernet
> > cable that only 'reads' data. Since the hub will pass all traffic on
> > to the other ports, both directions are received by the IDS.
> >
> > For example, to tap a connection between a router and a firewall,
> > plug the router into port 1 of the small hub. Port 2 goes to the
> > firewall. Port 3 connects with following cable to the IDS:
> >
> > Hub                IDS
> > 1 -----\      /--- 1
> > 2 ---\  |     \--- 2
> > 3 ---+--*--------- 3
> > 4 -  |           - 4
> > 5 -  |           - 5
> > 6 ---*------------ 6
> > 7 -              - 7
> > 8 -              - 8
> >
> > Basically, 1 and 2 on the IDS side are connected, 3 and 6 straight
> > through to the Hub. 1 and 2 on the Hub side connect to 3 and 6
> > respectively. This fakes a link on both ends but only allows
> > traffic from the Hub to the IDS. It also causes the 'incoming'
> > traffic to be sent back to the Hub, so this cable only works well
> > on a real hub. You can use it on a switch but you will get ...err...
> > interesting results. Since the switch receives the packets back in
> > on the port it sent them out, the MAC table gets confused and after
> > a short while devices start to drop off the switch. Works like a
> > charm on a hub though.
> >
> > Regards,
> > Frank
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP Personal Privacy 6.5.8
> > Comment: PGP or S/MIME (X.509) encrypted email preferred.
> >
> > iQA/AwUBPCFUlpytSsEygtEFEQJ+mQCeP7nXbLmHd48Q2HlaREuDdq9Q6I8AoKWD
> > 5aNstw/JA0m+dtOId883Ycy0
> > =4FEU
> > -----END PGP SIGNATURE-----
>
> --
> Scott C. Kennedy
> Chief Technical Officer
> S4R | The Managed Services Company
> 5135 Avenida Encinas
> Carlsbad, CA 92008
> Office: (760) 804-8004 ext.105
> Cell: (619) 318-4402
> Pager: (760) 720-8853
> E-mail: sck@s4r.com
> Web: http://www.s4r.com
> PGP: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE27C1102
>
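The following is an added example (Python, written for this archive page; it is not code from the thread, nor from any Shomiti or TopLayer product). It models the point Scott makes in the quoted message above: a two-port tap puts each transmit direction on its own output, so a state tracker fed only "tap A" sees the SYN, the ACK and the GET but never the target's SYN/ACK, and cannot confirm the handshake; interleaving both outputs by timestamp, which is what the THG re-assembler does in hardware, lets the same tracker confirm it. All packets, addresses and port numbers are constructed sample data, and the handshake tracker is a deliberately minimal stand-in for a real IDS.

```python
"""Added example (not from the original thread): why a tap that splits the
two transmit directions needs a re-assembler (Shomiti's "THG") in front of a
stateful IDS. Packets below are constructed sample data."""
import heapq
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

Endpoint = Tuple[str, int]
FlowKey = Tuple[Endpoint, Endpoint]


@dataclass(frozen=True)
class Pkt:
    ts: float        # capture timestamp, seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # any of "S" (SYN), "A" (ACK), "P" (PSH)
    payload: bytes = b""


# Constructed sample: 10.0.0.5:40000 talks to 10.0.0.80:80 (the
# "Attacker -> Target port 80" exchange from the thread). Each tap output
# carries exactly one direction.
TAP_A: List[Pkt] = [  # A->B: client to target
    Pkt(1.000, "10.0.0.5", 40000, "10.0.0.80", 80, "S"),
    Pkt(1.002, "10.0.0.5", 40000, "10.0.0.80", 80, "A"),
    Pkt(1.003, "10.0.0.5", 40000, "10.0.0.80", 80, "PA",
        b"GET /etc/passwd HTTP/1.0\r\n\r\n"),
]
TAP_B: List[Pkt] = [  # B->A: target back to client
    Pkt(1.001, "10.0.0.80", 80, "10.0.0.5", 40000, "SA"),
    Pkt(1.004, "10.0.0.80", 80, "10.0.0.5", 40000, "A"),
]


def merge_feeds(*feeds: Iterable[Pkt]) -> List[Pkt]:
    """Interleave per-direction captures by timestamp into one stream; this
    is the job the THG (or a hub, or a SPAN port) does before the IDS sees it."""
    return list(heapq.merge(*feeds, key=lambda p: p.ts))


def flow_key(p: Pkt) -> FlowKey:
    """Direction-independent key so both halves map to the same connection."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def track(packets: Iterable[Pkt]) -> Tuple[Dict[FlowKey, str], List[str]]:
    """Minimal three-way-handshake tracker (a stand-in for a real IDS).

    Returns the final per-flow state and the request payloads that arrived
    on a flow the tracker could not confirm as established, i.e. the data an
    IDS fed only one direction would have to guess about.
    """
    state: Dict[FlowKey, str] = {}
    unconfirmed: List[str] = []
    for p in packets:
        k = flow_key(p)
        cur = state.get(k)
        if "S" in p.flags and "A" not in p.flags:
            state[k] = "syn_seen"
        elif "S" in p.flags and "A" in p.flags and cur == "syn_seen":
            state[k] = "synack_seen"
        elif "A" in p.flags and cur == "synack_seen":
            state[k] = "established"
        elif "A" in p.flags and cur == "syn_seen":
            state[k] = "half_open"   # ACK seen, but never the SYN/ACK
        if p.payload and state.get(k) != "established":
            unconfirmed.append(p.payload.decode("ascii", "replace"))
    return state, unconfirmed


if __name__ == "__main__":
    one_dir, guesses = track(TAP_A)
    both, clean = track(merge_feeds(TAP_A, TAP_B))
    print("tap A only :", one_dir, guesses)   # half_open, GET unconfirmed
    print("merged     :", both, clean)        # established, nothing unconfirmed
```

Run stand-alone it prints the two outcomes side by side. The same tracker logic that returns `half_open` with one GET it cannot vouch for on the single-direction feed returns `established` with nothing unconfirmed on the merged feed; the difference is entirely in what the capture path delivered, not in the detector.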
