Re: Ethernet tap vs. spanned port

From: Maria Teigeiro (maria.teigeiro@blade-software.com)
Date: 08/07/02


Date: 7 Aug 2002 01:37:45 -0000
From: Maria Teigeiro <maria.teigeiro@blade-software.com>
To: focus-ids@securityfocus.com


In-Reply-To: <20020806163857.26133.qmail@mail.securityfocus.com>

Kyle,

From your description below, and from my experience, I would say that by
running a sniffer application on the same server on the same port, you
have proven (beyond the shadow of a doubt) that the application in
question is having difficulties, not the tap port or the OS. (Did you
change anything else: cable, reboot, even change the IP address of the
box between the TAP and the mirrored ports?)

In my opinion, the issues you are encountering are probably related to
application configuration more than anything else. The use of TAPs is a
common technique in IDS technology (see
http://online.securityfocus.com/infocus/1594 for a good white paper with
explanations of the difference between port mirroring and TAPs). I would
caution working further with techs who are unfamiliar with their use. I
am not suggesting that the solution you are considering be questioned, but
perhaps the experience level of the techs you are dealing with. Ask for
escalation.

Good luck in your endeavors... yours is not a simple task :-)
Maria

>My company is in the process of evaluating IDS technologies. I have set up
>a SNORT IDS running on RedHat 7.3 on a Finisar Systems UTP Ethernet tap as
>a baseline to compare the other IDS vendor offerings we bring in. I
>previously had the SNORT box on a spanned port on a Cisco 3500 switch.
>Doing a comparison before and after the move to the tap, I noticed that
>the SNORT sensor picked up more traffic on the tap, so I concluded that
>the tap was the better method.
>
>My problem arose recently when we were testing the eTrust IDS from CA.
>Their product only runs on Windows, so I installed it on a Win2K server
>and connected a monitoring port to another port on the same Ethernet tap.
>I then had both IDS running off of the same Ethernet tap with the
>monitoring port on both boxes running in stealth mode. When we looked at
>the data on the eTrust server, it was only capturing the packet headers -
>no data. When their techs called home, they were informed that this was a
>problem originating at the tap and we should move the monitoring port to a
>spanned port. When we did this, their sensor picked up the full packet
>payload.
>
>From what I can tell, the SNORT sensor is picking up the full packet. Is
>this problem related to the Windows OS? Why can I capture the entire
>packet from the tap with Sniffer on Win2K and their product cannot? Is
>this problem specific to the eTrust server from CA or has anyone else
>experienced this anomaly with other products?
>
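The comparison Maria describes (same box, same tap port, two capture applications) is a differential test, and the "packet headers, no data" symptom is visible in the capture files themselves: each pcap record carries both the length captured and the length on the wire, so a sensor that stores only the headers leaves records whose captured length falls short of the wire length. The checker below is an added example, not code from this thread or from either product; the two pcap files it examines are constructed in memory, with a full-length capture beside a headers-only one (assumed snaplen of 68 bytes).

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
# magic, version major/minor, tz offset, sigfigs, snaplen, link type
GLOBAL_HDR = struct.Struct("<IHHiIII")
# ts_sec, ts_usec, captured length, original (wire) length
REC_HDR = struct.Struct("<IIII")


def truncation_report(pcap: bytes) -> dict:
    """Walk a little-endian pcap and count records that were cut short.
    incl_len < orig_len means the sensor did not store the whole frame."""
    magic, _, _, _, _, snaplen, _ = GLOBAL_HDR.unpack_from(pcap, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian pcap")
    off = GLOBAL_HDR.size
    total = short = max_caplen = 0
    while off + REC_HDR.size <= len(pcap):
        _, _, incl_len, orig_len = REC_HDR.unpack_from(pcap, off)
        off += REC_HDR.size + incl_len
        total += 1
        max_caplen = max(max_caplen, incl_len)
        if incl_len < orig_len:
            short += 1
    return {"snaplen": snaplen, "packets": total,
            "truncated": short, "max_caplen": max_caplen}


def build_pcap(snaplen: int, frame_sizes) -> bytes:
    """Constructed sample pcap: frames of the given wire sizes, each record
    cut to snaplen the way a capture engine with that snaplen would store it."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, 1))
    for i, size in enumerate(frame_sizes):
        keep = min(size, snaplen)
        out += REC_HDR.pack(1028678265 + i, 0, keep, size)
        out += b"\xab" * keep  # placeholder frame bytes, constructed
    return bytes(out)


FRAMES = [64, 590, 1514, 1514, 320]        # constructed wire lengths
FULL_CAPTURE = build_pcap(1514, FRAMES)    # headers and payload stored
HEADERS_ONLY = build_pcap(68, FRAMES)      # the "headers only, no data" case

if __name__ == "__main__":
    for name, cap in (("full", FULL_CAPTURE), ("headers-only", HEADERS_ONLY)):
        print(name, truncation_report(cap))
```

Run the same check over a capture written by each sensor from the same tap port: if one file shows truncated records and the other does not, the difference lies in the capture application, not in the tap.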
