RE: Use of Taps for IDS

From: Metzger, Michael (mmetzger@intrusion.com)
Date: 02/28/02


From: "Metzger, Michael" <mmetzger@intrusion.com>
To: "'Greg Shipley'" <gshipley@neohapsis.com>, "Reidy, Patrick" <Patrick.Reidy@veritect.com>
Date: Thu, 28 Feb 2002 11:54:56 -0600

Typically, the wording I've seen (conglomerated from Cisco, Cabletron, ODS,
etc.) is:

Hubs are multiport repeaters. In other words, this is a layer 1 (physical
layer) access device, that only copies the electrical signals across all
ports. Note that this usually requires all the ports to be of a single
speed (10 or 100). Hubs also have the requirement of being half duplex
because it's simply a different physical topology for the standard Ethernet
CSMA/CD bus network, not a bridged network.

Switches are multiport bridges, meaning a layer 2 (data link layer) access
device. Switches maintain a physical port to MAC address table (Cisco and
the ODS devices use the term CAM, for Content Addressable Memory, I don't
know what other switches use.) This table is updated with the MAC address
of each connected machine whenever a frame is sent. As such, whenever the
switch receives a frame, it looks at the destination MAC and looks it up in
the CAM table. If it's there, it will only copy the frame to the specified
port. If it's not there, the switch typically floods ALL ports with the
frame to determine the MAC. Note that this flooding essentially makes a
switch act like a hub, as all frames are forwarded to all ports. If a
response is seen, the CAM table is updated, and off we go... Different
switches also have different methods of forwarding the frames, such as
store-and-forward, cut-through, etc. I won't go into specifics, but this
usually just refers to how much of the frame the switch looks for before it
forwards the frame.

As a side note regarding flooding and the CAM table, this is a method often
used (by less than honest individuals) on lower end or poorly configured
switches to enable the use of a sniffer. If you can fill the CAM table with
enough false entries, the switch will essentially revert to "hub-mode",
flooding all frames to all ports as mentioned above. This isn't as common
on more intelligent switches with some level of "port security" enabled,
meaning a limit to the number/type of MAC addresses seen per port.

Now there are also "layer 3" switches, "layer 4" switches, or even "layer 7"
switches. This means that the device has some level of intelligence at
determining difference between "instances" of communication at each layer.
At layer 3, it'd be a recognition of IP address. At layer 4, of
"connections". At layer 7, of individual sessions (I believe TopLayer falls
in this category...) These terms can also mean the ability to route between
logical networks on the switch (meaning layer 3, IP, IPX, etc networks.)
This of course varies per switch and how much you spent on the device in the
first place.

In the end, the problem here looks like marketing terms vs. actual
technology (we've never seen that problem before.....)

Mike Metzger

-----Original Message-----
From: Greg Shipley [mailto:gshipley@neohapsis.com]
Sent: Thursday, February 28, 2002 10:53 AM
To: Reidy, Patrick
Cc: robert_david_graham; 'Scott C. Kennedy'; rob@puparoo.org;
focus-ids@securityfocus.com
Subject: RE: Use of Taps for IDS

On Thu, 28 Feb 2002, Reidy, Patrick wrote:

> A switching hub (short for port-switching hub) is a device that forwards
> packets to a given port based on the packet's address, unlike normal hubs
> that rebroadcast all packets to all ports. Since switching hubs forward
> each packet only to the needed port, they are a lot faster. They work on
> the network address (ip) and not the mac address (like a switch).

Uh, yeah, that's just a switch, no?

-Greg
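The learning/flooding behaviour and the CAM-table flooding trick described in Mike's message, as an added illustration that is not part of the original thread or of any vendor's code. It models a transparent bridge with a bounded CAM table: frames to a known destination MAC go out one port, frames to an unknown MAC are flooded, and an attacker on one port can push the legitimate entries out of the table so that unicast traffic between two victims starts being flooded to the attacker's port as well. A per-port MAC limit ("port security") is modelled on the same switch. The table size, the "oldest entry is pushed out" eviction, the shutdown-on-violation behaviour, the port numbers and the MAC addresses are all constructed assumptions for the demo.

```python
from collections import OrderedDict
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Frame:
    src: str      # source MAC (what the switch learns from)
    dst: str      # destination MAC (what the switch looks up)
    in_port: int  # port the frame arrived on


class LearningSwitch:
    """Toy model of a multiport bridge with a bounded CAM table."""

    def __init__(self, ports: int, cam_size: int,
                 max_macs_per_port: Optional[int] = None):
        self.ports = list(range(ports))
        self.cam_size = cam_size                   # assumption: fixed table size
        self.max_macs_per_port = max_macs_per_port  # None = no port security
        self.cam: "OrderedDict[str, int]" = OrderedDict()  # MAC -> port
        self.errdisabled: Set[int] = set()  # ports shut down by port security
        self.violations: List[int] = []     # port of each security violation

    def macs_on_port(self, port: int) -> int:
        return sum(1 for p in self.cam.values() if p == port)

    def _learn(self, mac: str, port: int) -> None:
        if mac in self.cam:
            self.cam.move_to_end(mac)  # refresh the existing entry
            self.cam[mac] = port       # a MAC may legitimately move ports
            return
        if (self.max_macs_per_port is not None
                and self.macs_on_port(port) >= self.max_macs_per_port):
            # Port security: assumed "shutdown" action on the offending port
            self.violations.append(port)
            self.errdisabled.add(port)
            return
        if len(self.cam) >= self.cam_size:
            # Assumption: a full table pushes out its oldest entry, so a
            # stream of bogus source MACs evicts the legitimate hosts.
            self.cam.popitem(last=False)
        self.cam[mac] = port

    def forward(self, f: Frame) -> List[int]:
        """Return the list of ports the frame is copied to."""
        if f.in_port in self.errdisabled:
            return []
        self._learn(f.src, f.in_port)
        if f.in_port in self.errdisabled:  # this frame tripped port security
            return []
        out = self.cam.get(f.dst)
        if out is None:
            # Unknown destination: flood every other live port ("hub mode")
            return [p for p in self.ports
                    if p != f.in_port and p not in self.errdisabled]
        return [] if out == f.in_port else [out]


# Constructed demo topology: victim A on port 0, victim B on port 1,
# attacker (running a sniffer) on port 2, an idle host on port 3.
A, B = "00:10:a4:11:11:11", "00:10:a4:22:22:22"
ATTACKER_PORT = 2
BCAST = "ff:ff:ff:ff:ff:ff"


def seed_hosts(sw: LearningSwitch) -> None:
    sw.forward(Frame(A, B, 0))  # B not yet known: flooded, A learned
    sw.forward(Frame(B, A, 1))  # unicast back to port 0, B learned


def bogus_mac(i: int) -> str:
    return f"02:00:00:00:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}"


def demo_mac_flooding(cam_size: int = 8, bogus: int = 100):
    """Ports that an A->B frame reaches before and after CAM flooding."""
    sw = LearningSwitch(ports=4, cam_size=cam_size)
    seed_hosts(sw)
    before = sw.forward(Frame(A, B, 0))          # expect [1]: only B's port
    for i in range(bogus):                       # attacker sprays source MACs
        sw.forward(Frame(bogus_mac(i), BCAST, ATTACKER_PORT))
    after = sw.forward(Frame(A, B, 0))           # expect [1, 2, 3]: flooded
    return before, after


def demo_port_security(cam_size: int = 8, bogus: int = 100, limit: int = 1):
    """Same attack against a switch allowing `limit` MACs per port."""
    sw = LearningSwitch(ports=4, cam_size=cam_size, max_macs_per_port=limit)
    seed_hosts(sw)
    for i in range(bogus):
        sw.forward(Frame(bogus_mac(i), BCAST, ATTACKER_PORT))
    after = sw.forward(Frame(A, B, 0))           # expect [1]: still unicast
    return after, sorted(sw.errdisabled), len(sw.violations)


if __name__ == "__main__":
    print("no port security:", demo_mac_flooding())
    print("port security   :", demo_port_security())
```

In the first run the attacker's 100 bogus source MACs push A and B out of the 8-entry table, so the next A->B frame is flooded to ports 1, 2 and 3 and the sniffer on port 2 sees it. In the second run the port limit trips on the second new MAC seen on port 2, that port is disabled, and A->B keeps going only to port 1.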


