Ethernet splitters
Peter Van Epp
vanepp at sfu.ca
Thu Jul 29 19:10:31 EDT 1999
Yes, this works if you have a switch on the outside of your network.

The outside of my network is an OC3 ATM link with 80/20 optical splitters
installed inline into a border router, which in turn has a single 100BaseT
interface to our internal ATM network. When CoralReef gets a little further
along (i.e. once it can capture more than the first AAL5 cell, as now, and
libpcap support is there), my IDS will move out past the border router. The
Ethernet splitter, which will go inline with my 100BaseT link out of the
border router, will do the same job as the opticals on the OC3, i.e. isolate
the IDS machine from the sniffed network and allow two NIC cards to sniff a
full duplex network connection (I already have 2 ATM cards on the outside net
running CoralReef to play with, since the optical splitters do the same thing).

The transmit leads being snipped protects the IDS from being attacked from the
net. That is the interest in these particular boxes. Like the "stealth ethernet
cable" available for NFR from Anzen, it isolates the IDS, which is presumably
out on the big bad Internet, from attack from the outside. In my case, being a
university, it is unclear which is more dangerous from an attack standpoint,
the internet or my internal backbone (but in either case the splitter is a good
idea).

The second one is intended for our new sniffer, which will hopefully be
able to sniff full duplex (because the box splits the incoming signal into
two output ports with no transmit leads, which will allow sniffing full duplex)
whether there is a switch on a given port or not. I don't see how the current
monitor port implementation on the switches could do this without a special
purpose port for monitoring, which perhaps the Cisco has but mine don't.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
>
> If you use a Cisco switch and you wish to monitor the link that supplies all
> the traffic (like to/from a router) just set up a spanning port to send
> all tx/rv traffic from the router port to another port where your Argus host
> resides. We usually use a separate interface for monitoring on the Argus
> host, IP addr 0.0.0.0 to keep in stealth mode. Other switches may work,
> but we're not familiar with them. We've been able to monitor at a sustained
> load of 30 Mb/s for hours with this configuration and Argus 1.8.
>
> If you don't have a Cisco, use a 10 or 100baseT hub just in front of the
> router. Since you're only using two ports, i.e. router and switch, monitoring
> the traffic on a 3rd port does the trick without any degradation in traffic
> due to collisions.
>
> ...cd
>
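An added example, not part of the original post or of the Argus or CoralReef projects: with two NICs on a passive splitter, each card sees only one direction of the link, so the two captures have to be interleaved by timestamp before an IDS can see both halves of a conversation. This Python merges two one-direction pcap files into one full-duplex capture in timestamp order, keeping each direction's own order on ties and rejecting truncated files; the frames, MAC addresses and timestamps are constructed sample data.

```python
"""Merge the two one-direction captures from a passive tap into one
full-duplex pcap, ordered by timestamp.  Added example; the frames below
are constructed, not captured traffic."""
import struct

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution pcap magic, native byte order
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = "IHHiIII"       # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"          # ts_sec, ts_usec, incl_len, orig_len


def write_pcap(records, snaplen=65535):
    """Serialise (ts_sec, ts_usec, frame_bytes) tuples as a little-endian pcap file."""
    out = [struct.pack("<" + GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in records:
        out.append(struct.pack("<" + RECORD_HDR, ts_sec, ts_usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def read_pcap(data):
    """Parse a pcap file (either byte order) into (ts_sec, ts_usec, frame_bytes) tuples.
    Raises ValueError on a bad magic number or a record that is cut short."""
    if len(data) < 24:
        raise ValueError("pcap global header missing")
    magic_le = struct.unpack("<I", data[:4])[0]
    if magic_le == PCAP_MAGIC:
        order = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        order = ">"
    else:
        raise ValueError("not a microsecond pcap file: magic 0x%08x" % magic_le)
    records = []
    offset = 24
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % offset)
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(
            order + RECORD_HDR, data[offset:offset + 16])
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError("truncated frame at offset %d" % offset)
        records.append((ts_sec, ts_usec, data[offset:offset + incl_len]))
        offset += incl_len
    return records


def merge_records(*directions):
    """Interleave several per-direction record lists into one by timestamp.
    The sort key includes the direction index and sequence number, so frames
    with identical timestamps keep their direction's original order."""
    tagged = [((r[0], r[1], i, n), r)
              for i, recs in enumerate(directions) for n, r in enumerate(recs)]
    return [r for _key, r in sorted(tagged, key=lambda t: t[0])]


def merge_pcaps(*pcap_blobs):
    """Read each one-direction pcap and return a single full-duplex pcap as bytes."""
    return write_pcap(merge_records(*(read_pcap(b) for b in pcap_blobs)))


def ethernet_frame(src_mac_hex, dst_mac_hex, payload):
    """Build a minimal Ethernet II frame (constructed data, EtherType 0x0800)."""
    return bytes.fromhex(dst_mac_hex) + bytes.fromhex(src_mac_hex) + b"\x08\x00" + payload


# Constructed sample: the NIC on one leg of the tap sees only router -> host
# frames, the NIC on the other leg only host -> router frames.  MAC addresses
# are hypothetical; timestamps are (seconds, microseconds).
ROUTER_MAC = "02000000000a"
HOST_MAC = "02000000000b"
INBOUND = write_pcap([
    (1, 100, ethernet_frame(ROUTER_MAC, HOST_MAC, b"A1")),
    (1, 400, ethernet_frame(ROUTER_MAC, HOST_MAC, b"A2")),
])
OUTBOUND = write_pcap([
    (1, 250, ethernet_frame(HOST_MAC, ROUTER_MAC, b"B1")),
    (1, 550, ethernet_frame(HOST_MAC, ROUTER_MAC, b"B2")),
])


def merged_payloads():
    """Payload tags of the merged capture, in timestamp order."""
    return [frame[-2:] for _s, _u, frame in read_pcap(merge_pcaps(INBOUND, OUTBOUND))]


if __name__ == "__main__":
    print(merged_payloads())   # [b'A1', b'B1', b'A2', b'B2']
```

The same merge applies to any number of legs (an OC3 with optical splitters on both fibres gives two ATM captures in the same shape), and the truncation checks matter in practice because a capture that is still being written, or that was cut off when a disk filled, would otherwise corrupt the merged file silently.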
More information about the argus mailing list