Ethernet splitters

Peter Van Epp vanepp at sfu.ca
Thu Jul 29 19:10:31 EDT 1999


	Yes this works if you have a switch on the outside of your network.
The outside of my network is an OC3 ATM link with 80/20 optical splitters 
installed inline into a border router which in turn has a single 100BaseT 
interface to our internal ATM network. When coralreef gets a little further 
along (i.e. once it can capture more than the first AAL5 cell as now and 
libpcap support is there) my IDS will move out past the border router. The 
Ethernet splitter, which will go inline with my 100 baseT link out of the 
border router, will do the same job as the opticals on the OC3 i.e. isolate 
the IDS machine from the sniffed network and allow two NIC cards to sniff a 
full duplex network connection (I already have 2 ATM cards on the outside net 
running Coralreef to play with since the optical splitters do the same thing). 
The transmit leads being snipped protects the IDS from being attacked from the 
net. That is the interest in these particular boxes. Like the "stealth ethernet
cable" available for NFR from Anzen, it isolates the IDS which is presumably 
out on the big bad Internet from attack from the outside. In my case, being a 
university, it is unclear which is more dangerous from an attack standpoint, 
the internet or my internal backbone (but in either case the splitter is a good 
idea). The second one is intended for our new sniffer which will hopefully be 
able to sniff full duplex (because the box splits the incoming signal into 
two output ports with no transmit leads that will allow sniffing full duplex) 
whether there is a switch on a given port or not. I don't see how the current 
monitor port implementation on the switches could do this without a special 
purpose port for monitoring which perhaps the Cisco has but mine don't.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

> 
> If you use a Cisco switch and you wish to monitor the link that supplies all
> the traffic (like to/from a router) just set up a spanning port to send
> all tx/rv traffic from the router port to another port where your Argus host
> resides.  We usually use a separate interface for monitoring on the Argus
> host, IP addr 0.0.0.0 to keep in stealth mode.  Other switches may work,
> but we're not familiar with them.  We've been able to monitor at a sustained
> load of 30 Mb/s for hours with this configuration and Argus 1.8.
> 
> If you don't have a Cisco, use a 10 or 100baseT hub just in front the
> router.
> Since you're only using two ports, i.e. router and switch, monitoring the
> traffic on a 3rd port does the trick without any degradation in traffic due to
> collisions.
> 
> 	...cd
> 
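A passive splitter with the transmit leads removed hands each direction of the full-duplex link to a separate NIC, so the IDS ends up with two half-duplex captures that have to be re-interleaved by timestamp before it sees the conversation as one stream. The script below is an added example, not code from this thread, from Argus or from CoralReef: it writes and reads the classic libpcap file format with nothing but the standard library, merges the two tap legs in timestamp order, and checks that each leg really carries traffic from only one side (a quick way to confirm the splitter is wired as expected). The MAC addresses, timestamps and payloads are constructed sample data.

```python
import heapq
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic little-endian libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1


def write_pcap(packets):
    """Serialise (ts_sec, ts_usec, frame) tuples into a classic libpcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in packets:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def read_pcap(data):
    """Parse a classic little-endian libpcap file into (ts_sec, ts_usec, frame) tuples."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    offset, packets = 24, []
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record at offset %d" % offset)
        offset += incl_len
        packets.append((ts_sec, ts_usec, frame))
    return packets


def merge_taps(*legs):
    """Interleave one capture per tap leg (each already in time order) into a single
    timestamp-ordered stream; ties keep the order the legs were given in."""
    return list(heapq.merge(*(read_pcap(leg) for leg in legs), key=lambda p: (p[0], p[1])))


def source_macs(pcap_bytes):
    """Set of source MACs seen on a leg; a correctly wired splitter leg shows only
    the stations transmitting in that one direction."""
    return {frame[6:12].hex() for _s, _u, frame in read_pcap(pcap_bytes)}


def legs_are_unidirectional(*legs):
    """True when no station transmits on more than one leg, i.e. the taps did not
    mix the two directions."""
    seen = set()
    for leg in legs:
        macs = source_macs(leg)
        if macs & seen:
            return False
        seen |= macs
    return True


def ethernet_frame(dst_mac, src_mac, ethertype, payload):
    """Build a bare Ethernet II frame (no FCS) from hex MAC strings."""
    return bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + struct.pack("!H", ethertype) + payload


# Constructed sample data: a border router talking to one inside host.
ROUTER_MAC = "00000c000001"   # hypothetical
HOST_MAC = "00a0c9000002"     # hypothetical

# Leg A is the pair carrying router -> inside, leg B the pair carrying inside -> router.
LEG_A = write_pcap([
    (1000, 100, ethernet_frame(HOST_MAC, ROUTER_MAC, 0x0800, b"syn-ack")),
    (1000, 300, ethernet_frame(HOST_MAC, ROUTER_MAC, 0x0800, b"data-1")),
])
LEG_B = write_pcap([
    (1000, 50, ethernet_frame(ROUTER_MAC, HOST_MAC, 0x0800, b"syn")),
    (1000, 200, ethernet_frame(ROUTER_MAC, HOST_MAC, 0x0800, b"ack")),
])


def payload_sequence(merged):
    """Payloads of a merged stream in order, handy for eyeballing the conversation."""
    return [frame[14:] for _s, _u, frame in merged]


if __name__ == "__main__":
    merged = merge_taps(LEG_A, LEG_B)
    print("legs unidirectional:", legs_are_unidirectional(LEG_A, LEG_B))
    for ts_sec, ts_usec, frame in merged:
        print("%d.%06d %s -> %s %r" % (ts_sec, ts_usec, frame[6:12].hex(), frame[:6].hex(), frame[14:]))
```

The merge relies on both NICs being timestamped by the same host clock, which is exactly the situation the splitter gives you; captures taken on two different machines would need their clocks reconciled first. The unidirectional check is the useful sanity test after cabling a new tap: if a source MAC shows up on both legs, the receive pairs are not split the way you think they are.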



More information about the argus mailing list