Ids Taps

[ss2chef]

Anyone using IDS TAPS?

If so, what brands do you use?

Any I should stay away from?

[Tiger Shark]

Well.... I don't use them and I didn't spend a lot of time looking at their web site for the simple reason that they imply an inline device that fails closed..... Maybe I'm missing something but that isn't right..... It needs to fail open otherwise the network is closed down..... If this were your only IDS solution then you aren't layering the technology....

Just some scattered thoughts..... Though I have to admit to having single points of failure for connectivity.... but in my defense, the ability of my users to shop on the internet isn't mission critical in my mind.....

[ss2chef]

Originally posted here by Tiger Shark
Well.... I don't use them and I didn't spend a lot of time looking at their web site for the simple reason that they imply an inline device that fails closed..... Maybe I'm missing something but that isn't right..... It needs to fail open otherwise the network is closed down..... If this were your only IDS solution then you aren't layering the technology....

Just some scattered thoughts..... Though I have to admit to having single points of failure for connectivity.... but in my defense, the ability of my users to shop on the internet isn't mission critical in my mind.....

From the sound of it you have keyed on intrusion.com's products.

Careful now, you may just get tripped up in your own sarcasm again..

Not sure about their choice of words either. Marketing bullshit no doubt.

The devices look cool tho and I have always wanted to play with one.
Just to include IDS quickly to segments, seems as good a way as any.

Was hoping someone might know them or other similar products.

[jonathans_daddy]

Well.... I don't use them and I didn't spend a lot of time looking at their web site for the simple reason that they imply an inline device that fails closed..... Maybe I'm missing something but that isn't right..... It needs to fail open otherwise the network is closed down.....

I use the taps from http://www.netoptics.com . They fail open which is the way it should be. Firewalls should fail closed. IDS should fail open.

[ss2chef]

Originally posted here by jonathans_daddy
I use the taps from http://www.netoptics.com . They fail open which is the way it should be. Firewalls should fail closed. IDS should fail open.

Thanks for the info.
What do the taps mount to?
Is there a seperate chassis?

Yea, it's funny their fancy docs say fail closed but it does in fact fail open as the connect
stays alive sans the IDS port if power fails.

[RoadClosed]

an inline device that fails closed....

Closed/Open? In electronics terms failing closed is failing in an operational state. Meaning the circuit is closed, like a light switch turned on – the contacts are closed and the light bulb gets electricity. When it's open, the circuits are not connected and there is an open gap between them. The term among companies selling data products is not used in the same context all the time, so it is better to actually ask a sales engineer.

The way these things work though, I can't see how they wouldn't fail into an operational state. Unless the power is OFF but then the router is OFF as well so who cares?

You can build your own tap with some parts from radio shack or old modem housing, hub or something currently useless setting on the shelf for portability and/or a patch panel for permanency.

The advantage to a basic tap is no physical way to access the IDS box through the tap. I have built this one from snort.org. It's not pretty but it's functional and cheap. My taps cost $25.00 not including my time but I made them over beer and steaks (Mcaffrey Ale and Rib eye). A tap is necessary to establish a LINK so the hosts can connect and then funnel off the data while keeping and Ethernet LINK intact.


[Just buy a panel and wire it up. In this panel example you could get 4 taps out of it. Now these do nothing fancy like manipulating packets but hey that would require imbedded software. Oh and you will need 2 interface cards to retrieve ALL segments of full duplex traffic on a link running FULL, as noted on snort.org.

[ss2chef]

I like the roll your own idea...
Thanks!!