I was just having a conversation about this yesterday. No one wants to use a hub in their network as it introduces latency/collisions/etc, but I've seen and heard of many implementing taps and IDS the way you mentioned. Just remember, that when you do this, every time that collision light blinks on that hub, a packets go into /dev/null never to be retransmitted again (allthough the intended recipient gets the original packet). Lets hope they are not ones your IDS needs to detect an intrusion.
Bammkkkk
On Thu, Oct 02, 2003 at 10:57:54AM -0400, Jeffrey.Stebelton_at_bisys.com wrote:
>
> What we have done is to set a 10 Mb Ethernet hub up near the tap and run
> both tap ports into it. We then plug whatever sniffers you want into the
> hub and you will see both sides of the traffic.
>
> Jeff Stebelton
> Manager, Network Security
> BISYS Network Security Group
> 614-470-8249 direct
> 614-203-2563 cell
---------------------------------------------------------------------------
Captus Networks IPS 4000
Intrusion Prevention and Traffic Shaping Technology to:
- Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
- Automatically Control P2P, IM and Spam Traffic
- Precisely Define and Implement Network Security & Performance Policies
FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
---------------------------------------------------------------------------
Received on Oct 06 2003
Intro
