Firewall Wizards: Re: Shomiti Taps, Cisco Port Mirroring and IDS

[Paul Cardon <paul () moquijo com>]

Don Ng wrote:

>  Hello all, just need some assistance on the issue of
> Shomiti taps. I have spoken to the vendors but they
> had to check ...
>  
>  I am looking at their Century taps that comes with 4
> ports.
>  Two ports are used to place the device inline with
> the segment to be monitored.
>
> Original
>   Router-----Firewall
> After
>   Router----<P 1> Century TAP <Port 2>---Firewall
>                   |         |
>                  <P 3>    <P 4>
> The vendors advised me that for the other 2 ports, I
> was told that each port mirrored out one direction
> flow. Eg. Router --->Firewall for Port 3 and 
> Firewall---> Router for Port 4.
>  From the looks of things I would have to connect both
>
> Port 3 and 4 to another Hub and plugging an network
> IDS into that hub.
>
>  Router----<P 1> Century TAP <Port 2>---Firewall
>                   |         |
>                  <P 3>    <P 4>
>                     |      |
>                      HUB
>                       |----NID-200
>
> Is this the optimal way to put an inline tap.
> Cisco port mirroring seems to work fine mirroing
> multiple ports to a single port connected to an IDS.

No, using a hub could lead to collisions and loss of packets when 
combining the two directions.  Use a switch that can queue the packets.
-paul


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards