Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: IDS and Network Taps

  1. #1
    Member d34dl0k1's Avatar
    Join Date
    Mar 2007
    Posts
    58

    IDS and Network Taps

    I'm looking at network taps to direct traffic to a IDS. Does anyone here have experience working with such a device?

    The plans are to get something like it on a pipe that passes an obscene amount of traffic, and I need assurance that such a device will not cause any noticeable delay.

    So far I've only seen them sold by small time vendors, still googlin' around though..

    Thoughts?

  2. #2
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    I'm not sure this is up your alley or not, but we recently installed some
    Riverbed devices in the three offices I help support. I don't know specifically
    how we're using them, network support is a secondary function for me.
    You might have a look though:

    http://www.riverbed.com/
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  3. #3
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Do you have a managed switch? If so, you can plug the IDS into the switch and use a feature called "port spanning".

    Personally, I use a hub. The hub might cause a little bit of delay, but not I don't notice it. If you're monitoring an internet connection, then it should be ok since most internet connections are less than 10mbps. There are only two device on that hub. The IDS (just listening) and the firewall.

    You can make your own if you want.
    http://www.snort.org/docs/tap/

    http://www.securityfocus.com/infocus/1594
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  4. #4
    Member d34dl0k1's Avatar
    Join Date
    Mar 2007
    Posts
    58
    I guess a hub would work, but I can't have traffic from the IDS reach the other devices. I would need to add a firewall in between IDS and hub.

    From my understanding, network taps only mirror traffic in one direction, so it would be physically impossible for traffic to come in the other direction, offering better assurance of security between the IDS and the devices it is monitoring.

  5. #5
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    If you don't bind any protocol to the interface you're using to sniff, then you don't have to worry about it. You could also create your own cable making it impossible to send data, only receive.

    http://www.snort.org/docs/faq/1Q05/node31.html

    Then you could put a second nic in the IDS on a different subnet/vlan for management if you wanted access. Or, just physically go to the IDS and log in via terminal or console, etc.

    IDS boxes typically only listen. Unless you are logging to a different box, or managing it remotely. Even then, it is good practice to have your management interface on a different subnet/vlan so only certain people (it) can access it and not your users.
    Last edited by phishphreek; March 17th, 2007 at 09:12 PM.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  6. #6
    Member d34dl0k1's Avatar
    Join Date
    Mar 2007
    Posts
    58
    If you don't bind any protocol to the interface you're using to sniff, then you don't have to worry about it.
    That's assuming the machine will never be compromised. Considering the risk of an IDS, another level of control like the one way Cat5 you mentioned, or more traditionally a firewall, would have to be used.

    In this scenario, homemade devices wouldn't fly, so I still have to evaluate a network tap. Which brings me to the initial question - anyone get the chance to play with one? Opinions or thoughts on network taps?

    I found this: netoptics.com, they seem to specialize in this but I've never heard of them...

  7. #7
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    The best advice you've received here is to use mirror ports (spanning ports) on core routing gear. Why introduce a network tap unless it's a requirement? At least with mirror ports, if your IDS starts dropping packets (because it can't keep up) you're not going to impact business operations and you're not going to impact connection speed.

    I have several IDS devices (yes, all running off mirror ports in promiscuous mode) and each has a management interface on a management rail (ultra secure management network out of band from our production networks). This setup has passed several audits related to regulatory compliance which I assume is what you're out to solve.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  8. #8
    Member d34dl0k1's Avatar
    Join Date
    Mar 2007
    Posts
    58
    Sup hoss -

    Just noticed your reply. :/

    This setup has passed several audits related to regulatory compliance which I assume is what you're out to solve.
    Very intuitive of you

    What kind of performance hit do you see on your core routers when you turn on mirror ports?

    Also, I think network taps are actually a better choice over this suggestion:
    At least with mirror ports, if your IDS starts dropping packets (because it can't keep up) you're not going to impact business operations and you're not going to impact connection speed.
    But why wouldn't this be the case with a tapped line as well? If we both agree, then the next issue is performance. A tap would perform better than a span port because of the performance hit (I'd like your opinion) which "wouldn't effect operations". Taps being layer 1, no processing is involved.

    Now all that is to question is the physical reliability of network taps, which yes, scares the **** out of me. But the benefits of them seem to outweigh the downsides. And, I will have trouble upgrading core routers.

  9. #9
    Junior Member
    Join Date
    Apr 2005
    Posts
    9

    NetOptics Taps

    We're going through right now and putting NetOptics taps on our critical links. They're passive devices that introduce no delay to the traffic. Supposedly (not tested) the device can lose power and traffic still passes. The benefit of network taps is that usually they pass layer 1 and 2 errors through, whereas a hub would normally drop that as soon as the trasmitter attempts to transmit it. We have a few 1000BaseSX links that we plan on monitoring with these. The tap can handle the load as it's not doing anything. However, you will need to make sure the IDS/IPS solution can handle that load.

  10. #10
    Member d34dl0k1's Avatar
    Join Date
    Mar 2007
    Posts
    58
    It's also my understanding that devices on the receiving end of the tap are physically incapable of sending traffic to the tapped link. This would be a physical control as opposed to a software based control in a router, and inherently better.

    However, those taps are so damn tiny and cheap looking!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •