RE: Use of Taps for IDS

From: robert_david_graham (
Date: 02/28/02

From: robert_david_graham <>
To: "'Scott C. Kennedy'" <>,
Date: Wed, 27 Feb 2002 19:11:02 -0800

> So, if you're doing any protcal analysis, like with an NFR or
> other IDS that
> need to follow the state of the connection, you'll need to
> buy a THG device
> to take those two ports and merge the traffic back together.
> Otherwise,
> you'd just see this..

FYI: BlackICE Sentry and RealSecure 7 contain a "full-duplex driver" that
merges both streams back into one. Of course, this is really poorly named,
but essentially the systems sees a single 200-mbps adapter rather than two
100-mbps adapters.

There are difficulties in merging streams with stateful systems. You have to
do it as a really low layer, otherwise packets get merged out of order. You
might see REQUEST-REQUEST-response-response on the sensor rather than what
really happened: REQUEST-response-REQUEST-response. BlackICE will actually
merge any two adapters, but false-positives will trigger because of this
problem; use the custom full-duplex driver instead.

Some customers have reported successin using a SWITCHING HUB to solve this
problem. They turn on store-and-forward, and simply pump multiple streams
into the hub, then feed the monitor port to the IDS. Since the switch is
store-and-forward, collisions will get resolved gracefully. In comparison
with the TopLayer solution, this is a BottomLayer(tm) solution :-).