Re: serial-line protocols

From: Andy Cuff (lists_at_securitywizardry.com)
Date: 09/04/04

    To: "Raj Malhotra" <ral.mal@gmail.com>, "Vijayakumar.S" <vijay@nsecure.net>
    Date: Sat, 4 Sep 2004 08:44:47 +0100
    
    

    Hi Raj,
    From what you've said, an optical tap is the way forward. The taps you
    mention that only give you a portion of the light are probably entirely
    passive "vampire taps" that remove some of the fiber cladding and use
    refraction for their light source. The commercial active taps give a far
    more reliable output. I have salient details on every tap on the market
    here http://securitywizardry.com/taps.htm

    Alternatively, can you put one of your switches in span or mirror port mode
    and see the data that way? Again I have listed the syntax for performing
    this function for many of the common switches out there here
    http://securitywizardry.com/switch.htm

    Hope this helps

    -andy cuff
    Talisker's Computer Security Portal
    Computer Network Defence Ltd
    http://www.securitywizardry.com
    ----- Original Message -----
    From: "Raj Malhotra" <ral.mal@gmail.com>
    To: "Vijayakumar.S" <vijay@nsecure.net>
    Cc: "Rob Shein" <shoten@starpower.net>; <focus-ids@securityfocus.com>;
    <mmcguirl@lucidsecurity.com>
    Sent: Wednesday, September 01, 2004 3:35 PM
    Subject: Re: serial-line protocols

    > Hi,
    >
    >
    > --------------                          --------------
    > |   ROUTER   | ----PPP fiber link------ |   ROUTER   |
    > --------------                          --------------
    >        |                                       |
    > --------------                          --------------
    > |   switch   |                          |   switch   |
    > --------------                          --------------
    >
    > We are not allowed to touch the left part of the diagram for any type
    > of deployment due to policies. We can deploy only on the outgoing link,
    > which is PPP. If we deploy any of the optical taps, the tap only splits
    > the light wave to give us a portion of the raw data going on the link.
    > Our NIDS has an ethernet interface and hence we need a protocol
    > converter to convert from PPP to ethernet frames. How does the protocol
    > converter detect the IP frames before it can encapsulate them into an
    > ethernet frame and send them out?
    >
    > Raj
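
The detection step asked about in the quoted question, as an added example that is not part of the original thread and not any vendor's converter. It assumes the tapped link carries RFC 1662 HDLC-like framing with octet stuffing and a 16-bit FCS (a real fiber link may use a 32-bit FCS or scrambling instead); the function names and the MAC addresses passed in are hypothetical.

```python
import struct

FLAG, ESC = 0x7E, 0x7D
ETHERTYPE = {0x0021: 0x0800, 0x0057: 0x86DD}  # PPP protocol -> EtherType (IPv4, IPv6)
SAMPLE_IP = bytes.fromhex("4500001400000000400100007e0000010a000002")  # constructed IPv4 header

def fcs16(data):
    """RFC 1662 FCS-16: reflected polynomial 0x8408, init and final XOR 0xFFFF."""
    fcs = 0xFFFF
    for b in data:
        fcs ^= b
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs ^ 0xFFFF

def unstuff(chunk):
    """Undo octet stuffing: 0x7D means 'next octet XOR 0x20'."""
    out, esc = bytearray(), False
    for b in chunk:
        if b == ESC:
            esc = True
        else:
            out.append(b ^ 0x20 if esc else b)
            esc = False
    return b"" if esc else bytes(out)  # dangling escape: discard the frame

def ppp_to_ethernet(stream, dst_mac, src_mac):
    """Return one Ethernet frame per valid IPv4/IPv6 PPP frame in the byte stream."""
    frames = []
    for chunk in stream.split(bytes([FLAG])):
        body = unstuff(chunk)
        if len(body) < 4 or fcs16(body[:-2]) != struct.unpack("<H", body[-2:])[0]:
            continue  # inter-frame fill, runt, or failed checksum
        body = body[:-2]
        if body[:2] == b"\xff\x03":
            body = body[2:]  # address/control, absent when ACFC is negotiated
        if not body:
            continue
        n = 1 if body[0] & 1 else 2  # odd first octet = compressed protocol field
        proto = int.from_bytes(body[:n], "big")
        if proto in ETHERTYPE:  # LCP, IPCP and other control traffic is dropped
            frames.append(dst_mac + src_mac + struct.pack("!H", ETHERTYPE[proto]) + body[n:])
    return frames

def make_frame(proto, payload):  # builds constructed input for the converter
    body = b"\xff\x03" + struct.pack("!H", proto) + payload
    body += struct.pack("<H", fcs16(body))
    esc = b"".join(bytes([ESC, b ^ 0x20]) if b in (FLAG, ESC) else bytes([b]) for b in body)
    return bytes([FLAG]) + esc + bytes([FLAG])
```

Feeding it `make_frame(0xC021, ...)` followed by `make_frame(0x0021, SAMPLE_IP)` yields a single Ethernet frame: the LCP frame is recognised by its protocol number and skipped, and only the IP datagram is re-encapsulated for the NIDS interface.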
