RE: Network Tappers

From: Andy Cuff (
Date: 10/05/04

    To: "'Tim Hanekamp'" <>, <>
    Date: Tue, 5 Oct 2004 19:10:27 +0100

    Hi Tim,
    There are many on the list better qualified than I to talk server specs with
    you. But I have been down the same road as you regarding taps; I have
    compiled a list of every known tap, including their capabilities, here

    Another option to consider is to use your switches with a span/mirror port;
    I've collated the syntax for configuring this in most of the popular
    switches here

    One very important consideration is what to do with the IDS once it is in:
    how will you monitor it and react to what it throws up? I wrote an article
    for SecurityFocus on Deploying IDS; things have moved on since, but much of
    it is still relevant

       -andy cuff
    The Talisker Network Security Portal

    Computer Network Defence Ltd
