Network Tap Technology (was: RE: Gig TAPs)

Hi

<Discussions about source of Intrusion tap deleted>

I must admit to being surprised at the claim that the intrusion taps were being made by NetOptics. There are some major differences in the Intrusion tap that make them quite a different beast from the Shomiti/Finisar/NetOptics versions. (sorry, Peter, a tap is not a tap is not a tap).

(Info from https://www.intrusion.com/products/downloads/TapPO_1102.pdf)

The Shomiti-style tap is a device that you insert 'into' a network cable, and which produces two half-duplex, uni-directional, feeds which you then need to re-merge for IDS, either in the IDS itself or in a hub/switch arrangement. The differences between the various vendors is the complexity of the box - is it autodetect 10/100, fdx/hdx and which cable (straight or crossover) is required.

The Intrusion tap is, on the other hand, a device that you insert 'into' a network cable (similar so far) but which gives a single output cable which can be used to 'reset malicious connections'.
>From my understanding of networking terminology, this makes the
tap a single-purpose switch with a dedicated span/mirror port.

>From my understanding, this means that you have the same
limitations as putting the output from a 'traditional' tap into a 100Mbps switch and spanning the output (without the risk of collisions). Namely, if the total traffic on the originating cable exceeds 100Mbps (i.e. 60Mbps in one direction and 50Mbps in the other at the same time) then you lose a proportion of the traffic. The fact that the second cable is Full Duplex is irrelevant - it can still only transmit 100Mbps of data in one direction at one time.

I am happy to be proved wrong if this is incorrect!

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Therefore, the Intrusion style tap is perfect for lower to mid bandwidth situations, but I do feel that the only 'real' solution for higher bandwidth is a device that can take two direct feeds from a tap or dual span device, or moving up to a Gbps solution.

Robert
(Wearing my flame-proof suit tonight, so fire away!)

--
Robert Turner GCIA
Security Solutions Designer & Analyst

BT Secure Business Services
T: +44 (0)113 244 5951  F: +44 (0)113 244 5657
Robert.D.Turner@bt.com

== # include std.disclaimer =====================================

British Telecommunications plc

Registered office: 81 Newgate Street London EC1A 7AJ

Registered in England no. 1800000

This electronic message contains information from British
Telecommunications plc which may be privileged or confidential.
The information is intended to be for the use of the individual(s)
or entity named above. If you are not the intended recipient be
aware that any disclosure, copying, distribution or use of the
contents of this information is prohibited. If you have received
this electronic message in error, please notify us by telephone
or email (to the numbers or address above) immediately.

Activity and use of the British Telecommunications plc E-mail
system is monitored to secure its effective operation and for
other lawful business purposes. Communications using this system
will also be monitored and may be recorded to secure effective
operation and for other lawful business purposes.

=================================================================