Firewall Wizards mailing list archives

Network "tap" (was Re: Rationale of the great DMZ)
From: firewalls () msg net <firewalls () msg net>
Date: Thu, 18 Jul 2002 23:31:00 -0500 (CDT)

Steven M. Bellovin writes:
Paul Robertson writes:
I've always been of the opinion that stats should be gathered off the 
network by a machine that doesn't have transmit capability (either the 
cable doesn't have a TX wire, or the Ethernet driver for the listening NIC 
doesn't have that code.)

There are actually commercial devices to do that -- the FBI uses one 
with Carnivore...

I've run into problems with just cutting the TX wire. Another issue is
the ability to transparently intercept all traffic in both directions
on a full-duplex link. 

Both of these problems are addressed with a 'Network Tap', a hardware device
that sits inline between two devices (e.g. between a router and a firewall)
and provides _two_ transmit-only interfaces, one copying all traffic sent
from the upstream, and the other all traffic from the downstream. These are
available for copper and fiber.

The sniffer cannot possibly accidentally respond to packets up this connection;
the interface from the tap to the sniffer physically does not permit this.

The best models will 'fail safe' -- if power is lost, the devices being
monitored do not lose link, but traffic is no longer copied to the sniffer.

On copper ethernet, a tap is only detectable by careful physical inspection,
or a TDR. The passive fiber taps do not require a power supply, and work
by actually diverting 20-50% of the light.


I've worked with two brands of these: the "Century Tap" from Shomiti (do
they still exist?), and most recently, the Netoptics "network tap".  I prefer
the design of the Shomiti.

I just had a really bad experience with a Netoptics tap, where it failed
in such a way that the monitored segment DID lose link... when power was
applied to the tap!

        Shomiti         http://www.magellan-net.de/shomiti/century-tap.html
        Netoptics       http://www.netoptics.com/11.html


Kevin Kadow
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
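A tap of the kind described in the post hands the sniffer two receive-only feeds, one per direction, so each capture file holds only half of the full-duplex conversation. The following is an added example, not code from the post or from either tap vendor: it parses the two classic pcap files with a minimal reader, interleaves the records by timestamp, and writes a single merged capture. The pcap layout (24-byte global header, 16-byte record headers) is the standard one; the sample frames and timestamps are constructed for illustration.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4                 # classic pcap, microsecond timestamps, little-endian
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len


def read_pcap(data):
    """Return (linktype, [(ts_sec, ts_usec, frame), ...]); raise on bad magic or a truncated record."""
    magic, _, _, _, _, _, linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    off, records = GLOBAL_HDR.size, []
    while off + REC_HDR.size <= len(data):
        ts_sec, ts_usec, incl_len, _ = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:      # file cut short mid-record (e.g. capture host lost power)
            raise ValueError("truncated record at offset %d" % off)
        records.append((ts_sec, ts_usec, frame))
        off += incl_len
    return linktype, records


def write_pcap(linktype, records, snaplen=65535):
    """Serialise (ts_sec, ts_usec, frame) tuples back into a classic pcap blob."""
    out = [GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, frame in records:
        out.append(REC_HDR.pack(ts_sec, ts_usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def merge_tap_legs(upstream_pcap, downstream_pcap):
    """Interleave the two one-directional tap captures by timestamp into one full-duplex stream."""
    lt_a, a = read_pcap(upstream_pcap)
    lt_b, b = read_pcap(downstream_pcap)
    if lt_a != lt_b:
        raise ValueError("link types differ: %d vs %d" % (lt_a, lt_b))
    merged = sorted(a + b, key=lambda r: (r[0], r[1]))  # stable sort: equal timestamps keep upstream first
    return write_pcap(lt_a, merged)


# Constructed sample: linktype 1 (Ethernet), two-byte placeholder frames, one file per tap leg.
LEG_A = write_pcap(1, [(100, 10, b"A1"), (100, 30, b"A2")])   # upstream -> downstream
LEG_B = write_pcap(1, [(100, 20, b"B1"), (100, 30, b"B2")])   # downstream -> upstream


def merged_order(pcap_a=LEG_A, pcap_b=LEG_B):
    """Frames of the merged capture in wire order, for inspection or assertion."""
    return [frame for _, _, frame in read_pcap(merge_tap_legs(pcap_a, pcap_b))[1]]
```

The same merge applies to real captures taken with tcpdump on the two sniffer NICs, as long as both hosts' clocks are the same (or, better, both captures come from one host).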

