Some Tap Terminology
Fail-closed: the IDS Taps have proprietary circuitry that closes the
circuit when power fails, maintaining the network link.
Fail-open: where it is essential that all traffic is monitored, some
organisations prefer the Taps to fail open; this is more usual for
Intrusion Prevention Systems than for Intrusion Detection Systems.
Traffic Aggregation: the IDS Taps aggregate full-duplex traffic into a
single stream so that a stateful intrusion detection system can see
both sides of the conversation and therefore produce the lowest
incidence of false positives. Some Taps present dual outputs so that the
traffic can be combined externally; others combine the traffic
internally and present a single full-duplex output.
Reset Injection: some IDS Taps allow the IDS to transparently inject
TCP Resets into the stream, terminating offending sessions.
Passive vs. Active: see More Detailed Tap Information below.
VSS monitoring, Inc.
Information Updated: 31 Jan 2005
VSS monitoring, Inc.
http://www.vssmonitoring.com/h/
VSS monitoring's Taps cover both copper and fiber media from T1 to 10Gig.
The Taps include the 1X1 series (1 network X 1 monitoring device), the 1XN
series and the NX1 series (Tap Switches). The aggregation taps have up to
64MB of memory to buffer traffic bursts and enable maximum monitoring
throughput, necessary in security applications. The Tap switches and
injection Taps have on-board web servers (kept separate from the network
and monitoring ports) so that an enterprise infrastructure of taps can be
managed from a central console, Analyzer, IDS or IPS. The management
interfaces include serial, telnet, web browser and SNMP.
            | 10 | 100 | 1000 |
Copper      |    |     |      |
Fiber       |    |     |      |

Inbuilt Traffic Agg     |   |
Multi Device O/P        |   |
Reset Injection inband  |   |
Fail Open/Closed        |   |
Reset Injection outband |   |
IPS Taps                |   |
Intrusion
Information Updated: 16 Jan 2004
Intrusion Inc
http://www.intrusion.com/products/securenet/tap/specifications.aspx
Starting a network IDS project means trying to convince the network group
to let you use a scarce spanning port, or placing an expensive switch
somewhere inline and creating another potential point of failure. Not with
the Intrusion SecureNet System!
Connecting Intrusion SecureNet Sensors to any network is now just a few
seconds' work and totally transparent to the network, thanks to the
Intrusion SecureNet IDS Tap family of transparent IDS taps.
The Intrusion SecureNet IDS Tap family creates a simple, secure and
resilient connection into the network for your Intrusion SecureNet Sensor.
All of the SecureNet IDS Tap family fail closed and do not create a
potential point of failure in the network. There is no chance that the
intrusion detection system can bring the network down.
One of the tremendous benefits of using the Intrusion SecureNet IDS Tap
with the SecureNet Series of network IDSes is that the SecureNet IDS Tap
allows the Sensor to stop offending traffic. Other taps and switches can
block the IDS's ability to reset malicious connections, but the SecureNet
System with SecureNet IDS Tap does everything you bought your IDS to do.
            | 10 | 100 | 1000 |
Copper      |    |     |      |
Fiber       |    |     |      |

Inbuilt Traffic Agg     |   |
Multi Device O/P        |   |
Reset Injection inband  |   |
Fail Open/Closed        |   |
Reset Injection outband |   |
IPS Taps                |   |
Network Critical
Information Updated: 16 Jan 2004
Network Critical Ltd
http://www.criticaltap.com/tapmodels.asp
Critical TAPs are a range of fault-tolerant Ethernet splitters designed
for use with Intrusion Detection Systems. Widely deployed across the UK
and Europe, Critical TAPs are leveraging the deployment of thousands of
network security sensors by providing secure, permanent access points into
critical network links.
            | 10 | 100 | 1000 |
Copper      |    |     |      |
Fiber       |    |     |      |

Inbuilt Traffic Agg     |   |
Multi Device O/P        |   |
Reset Injection inband  |   |
Fail Open/Closed        |   |
Reset Injection outband |   |
IPS Taps                |   |
Finisar (formerly Shomiti)
Information Updated: 16 Jan 2004
Finisar Corporation
http://www.finisar.com/product/product.php?product_id=110
Finisar Taps can be used with Finisar's GTX, THG and SAN QoS analysis
probes or with third-party LAN analyzers. Finisar Taps provide a
cost-effective and unique way for analyzers or probes to see all of the
traffic on one or more previously "blind" full-duplex links. Taps allow
for monitoring, capture and analysis of physical errors and enable
full-duplex, full-line-rate performance, even at gigabit rates, whereas
span ports do not.
            | 10 | 100 | 1000 |
Copper      |    |     |      |
Fiber       |    |     |      |

Inbuilt Traffic Agg     |   |
Multi Device O/P        |   |
Reset Injection inband  |   |
Fail Open/Closed        | X |
Reset Injection outband |   |
IPS Taps                |   |
Net Optics
Information Updated: 16 Jan 2004
Net Optics, Inc
http://www.netoptics.com/home/default.asp?Section=home
Network Taps create permanent access ports for passive monitoring with
devices such as protocol analyzers and IDS. Regeneration Taps offer all
the benefits of Taps, plus they enable multiple devices to monitor a
single link simultaneously in real time. Analyzer switches offer all tap
benefits, plus they enable a single protocol analyzer to view traffic
across multiple links. In-Line, Span and Combo models are available.
            | 10 | 100 | 1000 |
Copper      |    |     |      |
Fiber       |    |     |      |

Inbuilt Traffic Agg     |   |
Multi Device O/P        |   |
Reset Injection inband  |   |
Fail Open/Closed        |   |
Reset Injection outband |   |
IPS Taps                |   |
DataCom Systems
Information Updated: 16 Jan 2004
Datacom Systems
http://www.datacomsystems.com/product-list.asp
The 10/100-AT+2C Full Duplex Tap provides
easy 24 x 7 access to your 10/100 Ethernet segments. Two IDS devices,
analyzers, or probes can access the same segment at a single point,
eliminating contention for network links. The 10/100-AT+2C Full Duplex
Tap's fault tolerant design will ensure that network performance and
integrity will not be affected by power loss.
            | 10 | 100 | 1000 |
Copper      |    |     |      |
Fiber       |    |     |      |

Inbuilt Traffic Agg     |   |
Multi Device O/P        |   |
Reset Injection inband  |   |
Fail Open/Closed        |   |
Reset Injection outband |   |
IPS Taps                |   |
Network Tap Detection / Prevention Systems
It can be shown that an intruder can easily tap a fiber without being
detected. Readily available network Taps enable the non-invasive tapping
and monitoring of copper and fiber optic data streams. There are various
ways to detect such intrusions. Transmission power threshold detectors
are one, though these are prone to false positives, especially as the
transmission media degrades over time. Time domain reflectometers, both
copper and optical, will identify anomalies over distance but need an
original (baseline) trace to identify problems, especially as a properly
tapped fibre leaves minimal evidence; they also do not identify
intrusions in real time. Tap detection systems identify Taps while
allowing for degradation over time. Furthermore, the prevention systems
will switch off the circuit, preventing disclosure of information, and
some will also switch the circuit to a good fiber.
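As an added example (not from the original page or from any vendor listed on it), the following Python contrasts the fixed transmission-power threshold detector described above with a detector that allows for degradation over time, run over a constructed series of daily optical receive-power readings. The ageing rate, the size of the step a coupler would cause, the two thresholds and the smoothing factor are all assumptions chosen for illustration, not measured or vendor figures.

```python
"""Fixed power threshold vs degradation-aware tap detection (added example).

All numbers below are constructed for illustration: a link that loses
0.003 dB per day through ageing and, in the 'tapped' case, a sudden extra
0.5 dB loss on day 300 standing in for light diverted by a coupler.
"""
from typing import Dict, List, Optional


def sample_readings(days: int = 400, step_day: Optional[int] = 300,
                    start_dbm: float = -10.0, drift_db_per_day: float = -0.003,
                    step_db: float = -0.5) -> List[float]:
    """Constructed daily receive-power readings in dBm: slow ageing plus,
    when step_day is given, a sudden loss from that day on.  Small
    deterministic jitter keeps the series from being a perfect line."""
    readings = []
    for d in range(days):
        jitter = ((d * 7919) % 13 - 6) * 0.005            # within +/-0.03 dB
        loss = step_db if step_day is not None and d >= step_day else 0.0
        readings.append(start_dbm + drift_db_per_day * d + loss + jitter)
    return readings


def fixed_threshold_alarm(readings: List[float], margin_db: float = 0.7) -> Optional[int]:
    """Alarm on the first reading more than margin_db below the first one.
    Ageing alone eventually crosses this line, which is the false positive
    the text warns about.  Returns the day index or None."""
    reference = readings[0]
    for day, power in enumerate(readings):
        if power < reference - margin_db:
            return day
    return None


def adaptive_alarm(readings: List[float], alpha: float = 0.1,
                   step_db: float = 0.3) -> Optional[int]:
    """Follow a slowly moving baseline (exponentially weighted moving
    average) so gradual degradation is absorbed, and alarm only when a
    reading drops more than step_db below that baseline in one sample.
    Returns the day index or None."""
    baseline = readings[0]
    for day, power in enumerate(readings[1:], start=1):
        if power < baseline - step_db:
            return day
        baseline = alpha * power + (1 - alpha) * baseline
    return None


def compare() -> Dict[str, Optional[int]]:
    """Run both detectors on an ageing-only link and on a link that is
    additionally tapped on day 300."""
    ageing_only = sample_readings(step_day=None)
    tapped = sample_readings(step_day=300)
    return {
        "fixed_on_ageing_only": fixed_threshold_alarm(ageing_only),  # fires: false positive
        "adaptive_on_ageing_only": adaptive_alarm(ageing_only),      # None: no alarm
        "fixed_on_tapped": fixed_threshold_alarm(tapped),            # fires on ageing, before the tap
        "adaptive_on_tapped": adaptive_alarm(tapped),                # 300: the day of the tap
    }


if __name__ == "__main__":
    for name, day in compare().items():
        print(f"{name}: {'no alarm' if day is None else f'alarm on day {day}'}")
```

Run stand-alone, the fixed detector alarms on the ageing-only link well before day 300 (and on the same day for the tapped link, i.e. it never actually reacts to the tap), while the adaptive detector stays quiet on the ageing-only link and alarms on day 300 of the tapped one. The design point is the one the text makes: the baseline must track slow drift but the alarm must key on a sudden change.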
Opterna FiberSentinel™ System
Information Updated: 20 Jan 2004
NeSTRONIX, Inc
http://www.fibersentinel.com/
It can be shown that an intruder can easily tap a fiber without being
detected. Low-cost, commercially available clip-on couplers enable the
non-invasive tapping and monitoring of fiber optic data streams.
NeSTRONIX's breakthrough Opterna FiberSentinel System, with its exclusive
WaveSense intrusion prevention technology, provides continuous, real-time
monitoring of a fiber connection, detects any physical intrusions, and
instantly eliminates the intrusion by shutting down the transmission.
Automatic optical bypass switching simultaneously diverts to an alternate
fiber path.
More Detailed Tap Information
Courtesy Ryon Packer
Reset Injection: some IDS Taps allow the IDS to transparently inject
crafted TCP Resets or ICMP "not available" countermeasures into the
stream, terminating offending sessions or providing flak against probes
and attacks. These responsive countermeasures can be injected via the
monitoring interface or on a separate interface. As long as the IDS and
Tap allow the injection interface to be transparent (no IP stack), the
primary difference between these models is how many ports on the switch
or Tap the countermeasures require. Typically, countermeasures via the
monitoring port are always transparent and are the simplest to deploy, as
the single network connection is all that is required. In most cases the
IDS will spoof the victim's IP address, remaining invisible to the
network. When using a discrete port for countermeasure injection, the
level of transparency needs to be understood to ensure that the IDS
remains invisible and therefore protected. If the Tap or IDS requires an
IP address for the out-of-band countermeasure injection interface,
careful consideration should be given to responding to threats using
these tools.
Active Taps vs Passive Taps: physically, you can tell the difference
between active and passive taps by the number of interfaces presented. If
there is parity between the tap interfaces (those used to connect to the
LAN-WAN sides of the network) and the monitoring interfaces (those used
to connect to the IDS), the tap is passive. If there are fewer monitoring
interfaces, the tap is active. What is occurring on the inside of the tap
is what makes the difference.

With a passive tap, the tap is splitting the signal from each of the LAN
and the WAN sides, so you will have two tap ports, each splitting to its
own monitoring port. To be able to monitor a complete segment, or both
sides of a full-duplex stream, using a passive tap requires that the IDS
use two NICs connected to the two monitoring ports. Beyond the
requirement of two NICs, because passive taps are simply copying traffic
to the monitoring ports, they cannot receive traffic from those ports,
blocking the IDS's ability to respond to threats with countermeasures
such as TCP reset and ICMP "not available" messages. The advantage of the
passive tap is that, because they are simply copying the stream to two
locations (one on the network and the other to the monitoring port),
passive taps act as a "bump in the wire", passing traffic but not
presenting a point of failure in the network.

Active taps actively manage the traffic to reduce the complexity of
deployments. Using switch-like technology, active taps aggregate the
traffic from each of the LAN-WAN links, allowing the IDS to monitor both
sides of a full-duplex conversation using a single NIC. An additional
benefit of active taps is that they allow bi-directional traffic from the
IDS, enabling the IDS to respond to attacks with countermeasures such as
TCP reset and ICMP "not available" messages. While easier to deploy and
manage, because they are inline devices, active taps require technology
to ensure that if power is lost the network remains intact. Fail-closed
technology is employed where electricity keeps a set of relays "open", or
pushing traffic to the switch mechanism within the tap. If power is
removed, these relays "close", creating a straight circuit through the
tap so that network traffic passes unhindered. Active taps without
fail-closed capabilities are a point of failure for the network and
should be carefully reviewed for acceptability against network uptime
requirements.
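The following Python is an added example, not code from the original page or from any vendor on it. It models what the Traffic Aggregation entry in the terminology above and the active-versus-passive discussion describe: the two one-way streams a passive tap delivers to two NICs are merged by capture time into the single full-duplex stream an aggregating tap would present, and a minimal TCP handshake tracker is run over the merged stream and over each one-way stream on its own. The packets are constructed sample data, and the tracker and its "unestablished-data" alert are simplifications assumed for illustration, not any product's detection logic.

```python
"""Why a stateful IDS needs both halves of a full-duplex link (added example).

A passive tap delivers LAN->WAN and WAN->LAN on separate monitoring ports;
an aggregating (active) tap merges them into one stream.  The merge is done
in software here, and a minimal TCP handshake tracker shows that only the
merged view lets the IDS see a connection become ESTABLISHED.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float       # capture timestamp in seconds (constructed)
    src: str        # "ip:port"
    dst: str        # "ip:port"
    flags: str      # TCP flags as letters, e.g. "S", "SA", "A", "PA"
    payload: int    # payload length in bytes


# Constructed sample traffic: one client/server exchange on TCP port 80.
LAN_TO_WAN: List[Packet] = [          # what the first monitoring port carries
    Packet(0.000, "10.0.0.5:40000", "203.0.113.9:80", "S", 0),
    Packet(0.002, "10.0.0.5:40000", "203.0.113.9:80", "A", 0),
    Packet(0.003, "10.0.0.5:40000", "203.0.113.9:80", "PA", 120),
]
WAN_TO_LAN: List[Packet] = [          # what the second monitoring port carries
    Packet(0.001, "203.0.113.9:80", "10.0.0.5:40000", "SA", 0),
    Packet(0.004, "203.0.113.9:80", "10.0.0.5:40000", "PA", 512),
]

FlowKey = Tuple[str, str]


def aggregate(*streams: Iterable[Packet]) -> List[Packet]:
    """Merge one-way streams into a single full-duplex stream ordered by
    capture time, the job an aggregating tap does in hardware."""
    return sorted((p for s in streams for p in s), key=lambda p: p.ts)


def flow_key(p: Packet) -> FlowKey:
    """Direction-independent key so both halves of a conversation share a
    single state entry."""
    a, b = sorted((p.src, p.dst))
    return (a, b)


def track(stream: Iterable[Packet]) -> Tuple[Dict[FlowKey, str], List[str]]:
    """Minimal TCP handshake tracker.  Returns the final state per flow and
    the alerts raised.  Payload on a flow whose handshake was never seen to
    complete raises 'unestablished-data'; with only one direction visible
    that fires on perfectly normal traffic, a false positive caused by the
    tap arrangement rather than by the traffic."""
    state: Dict[FlowKey, str] = {}
    alerts: List[str] = []
    for p in stream:
        key = flow_key(p)
        current = state.get(key, "NONE")
        if p.flags == "S":
            state[key] = "SYN_SEEN"
        elif p.flags == "SA" and current == "SYN_SEEN":
            state[key] = "SYNACK_SEEN"
        elif "A" in p.flags and current == "SYNACK_SEEN":
            state[key] = "ESTABLISHED"
        if p.payload and state.get(key) != "ESTABLISHED":
            alerts.append(f"unestablished-data {p.src}->{p.dst} {p.payload}B")
    return state, alerts


def compare() -> Dict[str, int]:
    """False-positive alert count for the aggregated view versus each
    single monitoring port on its own."""
    return {
        "aggregated": len(track(aggregate(LAN_TO_WAN, WAN_TO_LAN))[1]),
        "lan_to_wan_only": len(track(LAN_TO_WAN)[1]),
        "wan_to_lan_only": len(track(WAN_TO_LAN)[1]),
    }


if __name__ == "__main__":
    for view, n in compare().items():
        print(f"{view}: {n} alert(s)")
```

Run stand-alone it reports no alerts for the aggregated view and one alert for each single-port view, because neither half on its own ever shows the handshake completing. In a deployment, aggregate() is the work done by an aggregating tap (or by an IDS bonding the two NICs a passive tap requires), and the payload-before-handshake rule stands in for any stateful check that depends on seeing both directions.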