Intrusion Detection Systems mailing list archives
RE: IDS taps in a switched network
From: dnewman () networktest com (David Newman)
Date: Thu, 28 Oct 1999 11:59:16 -0400
> Hi...can anyone recommend a network tap device for listening to a switch interface? I have recently heard these devices would allow me to monitor inbound/outbound traffic for a switch.
Yes -- any hub. ;-)

The mismatch between switched devices and shared-access monitoring tools has been a problem for some time. None of the available tools are altogether satisfactory:

--Ethernet hubs are cheap but introduce collisions and degrade performance--exactly what switches are intended to prevent. And Enet hubs are not applicable for WAN interfaces.

--Y-cables work OK, though there may be some signal attenuation. I've used an HP (now Agilent) Y-cable a few times to monitor traffic on a T1 interface, and it's always worked OK. But since they attach only ONE device on ONE port, Y-cables are not appropriate for monitoring all traffic through a switch.

--Some makers of protocol analyzers make multiport "tap" modules specifically for switches. The one I'm familiar with is the Century 12-Tap from Shomiti Systems. It works OK in that it does not degrade performance (even at 100-Mbit/s Ethernet line rate) and it does allow monitor(s) to collect traffic simultaneously from multiple ports. I have never tried using a 12-Tap with anything other than a Shomiti analyzer, though. Another vendor in this area is LANhopper (and possibly Agilent), but I have not used their tap products.

--Some switches have a "spy port" that allows traffic to be redirected. This is really no better than a monitor hanging off a single port, since only one port at a time can be monitored.

--Many switch makers embed RMON agents on every switch port; if RMON's capture group is supported, it should theoretically be possible to redirect traffic simultaneously from multiple ports. Lannet (formerly Madge and now part of Lucent) developed a switch-specific monitoring MIB called SMON a few years back; I believe the IETF just published a new RFC on SMON, but I haven't read it yet. The drawbacks with embedded RMON/SMON agents are that they add cost and, since many run as software on a CPU-based management card, they can severely degrade performance.

None of these approaches are IDS-specific.
What we *really* need is for some big switch maker to run IDS code on an ASIC inside their switch. Any switch makers listening?

David Newman
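The post's core problem (a shared hub shows a monitor everything, a learning switch shows it only flooded frames, and a "spy port" shows only what is explicitly mirrored) can be seen in a small simulation. This is an added example, not code from the original post or any vendor; the switch model, MAC addresses and the A/B exchange are all constructed for illustration.

```python
"""Toy model of why a sniffer on an ordinary switch port goes blind and what a
mirror ("spy") port changes. Added example, not from the post; MACs/frames constructed."""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    """Learns source MACs per port; known unicast goes to one port, else floods."""
    def __init__(self, ports, mirror_port=None, mirrored_ports=()):
        self.ports = set(ports)
        self.mirror_port = mirror_port              # monitor-only port; None = none
        self.mirrored_ports = set(mirrored_ports)   # ingress copied to mirror_port
        self.cam = {}                               # MAC -> port (forwarding table)
        self.seen = defaultdict(list)               # port -> frames delivered to it

    def forward(self, in_port, frame):
        src, dst, _payload = frame
        self.cam[src] = in_port                     # learn where the sender sits
        if dst != BROADCAST and dst in self.cam:
            out = {self.cam[dst]}                   # known unicast: one egress port
        else:
            out = self.ports - {in_port}            # unknown/broadcast: flood
        out.discard(self.mirror_port)               # spy port gets no normal traffic
        if self.mirror_port is not None and in_port in self.mirrored_ports:
            out.add(self.mirror_port)               # copy mirrored-port ingress
        for p in out:
            self.seen[p].append(frame)
        return out

class Hub:
    """Shared medium: every frame reaches every other port."""
    def __init__(self, ports):
        self.ports, self.seen = set(ports), defaultdict(list)

    def forward(self, in_port, frame):
        for p in self.ports - {in_port}:
            self.seen[p].append(frame)

def monitor_sees(device, monitor_port=4):
    """Replay a constructed A<->B exchange; return payloads the monitor port saw."""
    a, b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"   # A on port 1, B on port 2
    exchange = [(1, (a, BROADCAST, "arp who-has B")), (2, (b, a, "arp reply")),
                (1, (a, b, "GET /")), (2, (b, a, "200 OK"))]
    for port, frame in exchange:
        device.forward(port, frame)
    return [payload for _s, _d, payload in device.seen[monitor_port]]
```

On the plain switch the monitor on port 4 sees only the flooded ARP request; mirroring port 1 alone adds only A's side of the conversation, which is the single-port limitation the post describes for spy ports.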