Re: port bonding and taps

From: Bamm Visscher (bamm_at_satx.rr.com)
Date: 10/02/03

  • Next message: Gary Flynn: "Re: Network hardware IPS"
    Date: Thu, 2 Oct 2003 11:16:40 -0500
    To: focus-ids@securityfocus.com

    I was just having a conversation about this yesterday. No one wants to use a hub in their network as it introduces latency/collisions/etc., but I've seen and heard of many implementing taps and IDS the way you mentioned. Just remember that when you do this, every time that collision light blinks on that hub, packets go into /dev/null never to be retransmitted again (although the intended recipient gets the original packet). Let's hope they are not ones your IDS needs to detect an intrusion.

    Bammkkkk

    On Thu, Oct 02, 2003 at 10:57:54AM -0400, Jeffrey.Stebelton@bisys.com wrote:
    >
    > What we have done is to set a 10 Mb Ethernet hub up near the tap and run
    > both tap ports into it. We then plug whatever sniffers you want into the
    > hub and you will see both sides of the traffic.
    >
    > Jeff Stebelton
    > Manager, Network Security
    > BISYS Network Security Group
    > 614-470-8249 direct
    > 614-203-2563 cell
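One way to tell whether the hub in the setup above is discarding tap traffic, as an added example that is not from either poster: a collision between the two tap output ports reaches the sniffer as a runt or CRC-damaged fragment (or not at all), so the sensor's own receive-error counters are the thing to watch. The script assumes the Linux per-interface counter files under /sys/class/net/<iface>/statistics/ and a sniffer NIC that never transmits; the interface name eth1 and the snapshot paths are placeholders, and the counter values in the live-use comment are illustrative.

```shell
#!/bin/sh
# Added example, not from the list post: check whether the sniffer NIC behind
# a tap-into-hub setup is seeing the side effects of hub collisions. A
# collision between the two tap output ports leaves the sniffer with a runt
# or CRC-damaged fragment (counted under rx_errors) or nothing at all. The
# counter files assumed here are the Linux ones under
# /sys/class/net/<iface>/statistics/; on other systems use netstat/ethtool.
# Note that the NIC's own "collisions" counter only moves when it transmits,
# so it tells you nothing on a transmit-silent sniffer port.

# Print one counter from a statistics directory (0 if the file is missing).
read_counter() {
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo 0; fi
}

# Difference of one counter between two snapshot directories.
counter_delta() {
    before=$(read_counter "$1" "$3")
    after=$(read_counter "$2" "$3")
    echo $((after - before))
}

# Compare two snapshots. Prints "rx_errors=N rx_dropped=M" and returns 0
# only when both are zero, i.e. no evidence of lost frames in the interval.
# rx_errors growing on a transmit-silent sniffer NIC points at collision
# fragments arriving from the hub; rx_dropped growing means the sensor
# itself could not keep up. Either way the IDS did not see everything.
tap_loss_check() {
    errs=$(counter_delta "$1" "$2" rx_errors)
    drops=$(counter_delta "$1" "$2" rx_dropped)
    echo "rx_errors=$errs rx_dropped=$drops"
    [ "$errs" -eq 0 ] && [ "$drops" -eq 0 ]
}

# Copy the live counters of an interface into a snapshot directory.
snapshot() {
    mkdir -p "$2"
    for name in rx_packets rx_errors rx_dropped; do
        cp "/sys/class/net/$1/statistics/$name" "$2/$name" 2>/dev/null \
            || echo 0 > "$2/$name"
    done
}

# Live use (interface name eth1 and the /tmp paths are assumptions):
#   snapshot eth1 /tmp/snap0; sleep 300; snapshot eth1 /tmp/snap1
#   tap_loss_check /tmp/snap0 /tmp/snap1 || echo "hub is eating tap traffic"
```

The check is one-sided: a frame the hub jammed before the sniffer's PHY latched onto it leaves no trace at all, so a clean result over a short interval is weak evidence, while any non-zero rx_errors on a port that never transmits is strong evidence that the IDS has already missed frames.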


