Some Tap Terminology
Fail-closed: the IDS Taps have proprietary circuitry that closes the circuit when power fails, maintaining the network link.
Fail-open: where it is essential that all traffic is monitored, some organisations prefer the Taps to fail-open; this is more usual for Intrusion Prevention Systems than for Intrusion Detection Systems.
Traffic Aggregation: the IDS Taps aggregate full-duplex traffic into a single stream so that a stateful intrusion detection system can see both sides of the conversation and therefore produce the lowest incidence of false positives. Some Taps present dual outputs so the traffic can be combined externally; others combine the traffic internally and present a single full-duplex output.
Reset Injection: some IDS Taps allow the IDS to transparently inject TCP Resets into the stream, terminating offending sessions.
Passive vs. Active: see Active Taps vs Passive Taps under Detailed Tap Information below.
Detailed Tap Information
Courtesy Ryon Packer
Reset Injection: some IDS Taps allow the IDS to transparently inject crafted TCP Resets or ICMP not available countermeasures into the stream, terminating offending sessions or providing flak against probes and attacks. These responsive countermeasures can be injected via the monitoring interface or on a separate interface. As long as the IDS and Tap allow the injection interface to be transparent (no IP stack), the primary difference between these models is how many ports on the switch or Tap the countermeasures require. Typically, countermeasures via the monitoring port are always transparent and are the simplest to deploy, as the single network connection is all that is required. In most cases the IDS will spoof the victim's IP address, remaining invisible to the network. When using a discrete port for countermeasure injection, the level of transparency needs to be understood to ensure that the IDS remains invisible and therefore protected. If the Tap or IDS requires an IP address for the out-of-band countermeasure injection interface, careful consideration should be given before responding to threats using these tools.
Active Taps vs Passive Taps: physically you can tell the difference between active and passive taps by the number of interfaces presented. If there is parity between the tap interfaces (those used to connect to the LAN-WAN sides of the network) and the monitoring interfaces (those used to connect to the IDS), the tap is passive. If there are fewer monitoring interfaces, the tap is active. What is occurring inside the tap is what makes the difference. With a passive tap, the tap is splitting the signal from each of the LAN and the WAN sides, so you will have two tap ports each splitting to their own monitoring port. To be able to monitor a complete segment, or both sides of a full duplex stream, using a passive tap requires that the IDS use two NICs connected to the two monitoring ports. Beyond the requirement of two NICs, because passive taps are simply copying traffic to the monitoring ports, they cannot receive traffic from those ports, blocking the IDS's ability to respond to threats with countermeasures such as TCP reset and ICMP not available messages. The advantage of the passive tap is that, because it is simply copying the stream to two locations (one on the network and the other to the monitoring port), it acts as a "bump in the wire", passing traffic without presenting a point of failure in the network. Active taps actively manage the traffic to reduce the complexity of deployments. Using switch-like technology, active taps aggregate the traffic from each of the LAN-WAN links, allowing the IDS to monitor both sides of a full duplex conversation using a single NIC. An additional benefit of active taps is that they allow bi-directional traffic from the IDS, enabling the IDS to respond to attacks with countermeasures such as TCP reset and ICMP not available messages. While easier to deploy and manage, because they are inline devices active taps require technology to ensure that the network remains intact if power is lost.
Fail-closed technology is employed where electricity keeps a set of relays "open", pushing traffic to the switch mechanism within the tap. If power is removed, these relays "close", creating a straight circuit through the tap so that network traffic passes unhindered. Active taps without fail-closed capabilities are a point of failure for the network and should be carefully reviewed against network uptime requirements.
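The following added example (not part of the original page or of any tap vendor's software) illustrates the Traffic Aggregation entry and the passive-vs-active paragraph above: two unidirectional streams, as a passive tap would deliver them on its two monitoring ports, are merged by timestamp the way an aggregating tap does, and a small stateful handshake tracker shows that a detector seeing only one direction misreports an answered SYN as unanswered. All packets are constructed sample data; addresses are from documentation ranges.

```python
# Constructed sample packets as a tap would copy them, one tuple per packet:
# (timestamp, src, dst, tcp_flags). Passive taps deliver two unidirectional
# streams (one per monitoring port); active taps deliver them pre-merged.
LAN_TO_WAN = [  # monitor port A: LAN -> WAN direction (constructed)
    (1.000, "10.0.0.5:51000", "203.0.113.9:443", "S"),
    (1.020, "10.0.0.5:51000", "203.0.113.9:443", "A"),
    (1.500, "10.0.0.5:51001", "203.0.113.9:22", "S"),   # genuinely unanswered
]
WAN_TO_LAN = [  # monitor port B: WAN -> LAN direction (constructed)
    (1.010, "203.0.113.9:443", "10.0.0.5:51000", "SA"),
]


def aggregate(*streams):
    """Merge unidirectional tap streams into one time-ordered stream,
    emulating the single full-duplex output of an aggregating (active) tap."""
    return sorted((pkt for s in streams for pkt in s), key=lambda p: p[0])


def flow_key(src, dst):
    """Direction-independent key so both halves of a conversation share state."""
    return tuple(sorted((src, dst)))


def classify(stream):
    """Minimal stateful TCP handshake tracker: returns {flow_key: state}.
    A SYN with no SYN-ACK seen stays 'unanswered_syn', which a scan detector
    would treat as suspicious; with both directions visible the flow advances
    to 'syn_acked' and then 'established'."""
    state = {}
    for _ts, src, dst, flags in stream:
        k = flow_key(src, dst)
        if flags == "S":
            state.setdefault(k, "unanswered_syn")
        elif flags == "SA" and state.get(k) == "unanswered_syn":
            state[k] = "syn_acked"
        elif flags == "A" and state.get(k) == "syn_acked":
            state[k] = "established"
    return state


def unanswered_syn_count(stream):
    """Number of flows a one-sided or aggregated view would flag as unanswered."""
    return sum(1 for v in classify(stream).values() if v == "unanswered_syn")


if __name__ == "__main__":
    # One-sided view (single NIC on a passive tap): 2 flagged, one is a false positive.
    print("LAN->WAN only:", unanswered_syn_count(LAN_TO_WAN))
    # Aggregated view (active tap, or both passive ports merged): only the real one.
    print("aggregated:   ", unanswered_syn_count(aggregate(LAN_TO_WAN, WAN_TO_LAN)))
```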