Peter Van Epp | 29 Jul 00:43 1999

Ethernet splitters

	Since this is of potential interest to both lists (although possibly
redundant since I expect we are all on bugtraq where it originated), a source
of Ethernet taps (like an optical tap but for 10/100 Ethernet) to isolate your
IDS from the sniffed segment. I just ordered a pair; they are a little pricey
at around $600 Canadian (for 10baseT you could probably use a $2 dual monostable 
to create the 100 nsec pulse every 20 msec to fake link; 100 may be more 
difficult), but this is built in the case and ready to go, which means I don't 
have to and I'm not paying ...

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

<snip>
recreates both rx on a full duplex link, and funnels them off to two twisted
pair cables respectively.  Plug these two, or as many as you want really,
into a switch that allows port spanning/mirroring, and voila.  I've done
this in many situations, and it works great.

http://www.shomiti.com

I don't work for them, I just use their stuff.

Blue

Carter Bullard | 29 Jul 02:16 1999

argus-1.8.cmu?

Hey Guys,
   Any ideas on what's going on? I would like to
try to keep a little control over distribution until
we're happy with the results.  I would rather not
have too much competition, at least from our
own efforts  ;o)

Carter

-----Original Message-----
From: Rainer Funke [mailto:funke <at> rz.tu-clausthal.de] 
Sent: Wednesday, July 28, 1999 5:42 PM
To: Carter Bullard
Subject: Re: Patch for racount.c of Argus v1.8

> Hey Rainer,
>    I don't know what version of 1.8 you're looking
> at, since my version has these variables defined
> as long long.  I would suspect that you should
> wait to comment before we actually release the
> code.

Sorry Carter,

so I grabbed accidentally a working copy with this md5sum?
01832fa1d985685013b9dae51969d708  argus-1.8-CMU.tar.gz

The "official"

	ftp://ftp.sei.cmu.edu/pub/argus/argus-1.7.beta.1e

Mark Poepping | 29 Jul 17:08 1999

RE: argus-1.8.cmu?


I think we dropped it out for convenience of local testing, but didn't
do a good enough job of hiding it from mirrors and search engines..
We'll pull it back until we converge on the patch set and get the 
'real' 1.8 out.
mark.

> -----Original Message-----
> From: owner-argus <at> lists.andrew.cmu.edu
> [mailto:owner-argus <at> lists.andrew.cmu.edu]On Behalf Of Carter Bullard
> Sent: Wednesday, July 28, 1999 8:17 PM
> To: 'argus <at> lists.andrew.cmu.edu'
> Subject: argus-1.8.cmu?
> 
> 
> Hey Guys,
>    Any ideas on what's going on? I would like to
> try to keep a little control over distribution until
> we're happy with the results.  I would rather not
> have too much competition, at least from our
> own efforts  ;o)
> 
> Carter
> 
> 
> -----Original Message-----
> From: Rainer Funke [mailto:funke <at> rz.tu-clausthal.de] 
> Sent: Wednesday, July 28, 1999 5:42 PM
> To: Carter Bullard
> Subject: Re: Patch for racount.c of Argus v1.8

Peter Van Epp | 30 Jul 01:10 1999

Re: Ethernet splitters

	Yes this works if you have a switch on the outside of your network.
The outside of my network is an OC3 ATM link with 80/20 optical splitters 
installed inline into a border router which in turn has a single 100BaseT 
interface to our internal ATM network. When coralreef gets a little further 
along (i.e. once it can capture more than the first AAL5 cell as now and 
libpcap support is there) my IDS will move out past the border router. The 
Ethernet splitter, which will go inline with my 100 baseT link out of the 
border router, will do the same job as the opticals on the OC3 i.e. isolate 
the IDS machine from the sniffed network and allow two NIC cards to sniff a 
full duplex network connection (I already have 2 ATM cards on the outside net 
running Coralreef to play with since the optical splitters do the same thing). 
The transmit leads being snipped protects the IDS from being attacked from the 
net. That is the interest in these particular boxes. Like the "stealth ethernet
cable" available for NFR from Anzen, it isolates the IDS which is presumably 
out on the big bad Internet from attack from the outside. In my case, being a 
university, it is unclear which is more dangerous from an attack standpoint, 
the internet or my internal backbone (but in either case the splitter is a good 
idea). The second one is intended for our new sniffer which will hopefully be 
able to sniff full duplex (because the box splits the incoming signal into 
two output ports with no transmit leads that will allow sniffing full duplex) 
whether there is a switch on a given port or not. I don't see how the current 
monitor port implementation on the switches could do this without a special 
purpose port for monitoring which perhaps the Cisco has but mine don't.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

> 
> If you use a Cisco switch and you wish to monitor the link that supplies all
> the traffic (like to/from a router) just set up a spanning port to send

Carter Bullard | 30 Jul 01:45 1999

RE: Ethernet splitters

Hey Peter,
So would it be useful to have argus read coralreef packet
capture files?  I've added snoop support for the 1.8 version,
and the coralreef stuff looks pretty trivial.  If this is
interesting, send me a small packet capture file so I can
test the code.

Oh yeah, and Nortel has a lot of switches that do
conversation steering in many flexible and convenient
ways (had to get the corporate marketing in there ;o)

Hope all is well,

Carter

Carter Bullard
Principal Consultant
Nortel Networks
320 Park Avenue  16th Floor
New York, New York 10022
Email  cbullard <at> nortelnetworks.com
Phone +1 212 317 4230
Fax   +1 212 317 4324
Pager +1 800 217-7496 

-----Original Message-----
From: Peter Van Epp [mailto:vanepp <at> sfu.ca]
Sent: Thursday, July 29, 1999 7:11 PM
To: nfr-users <at> nfr.net; argus <at> lists.andrew.cmu.edu
Subject: Re: Ethernet splitters

Peter Van Epp | 30 Jul 01:58 1999

Re: Ethernet splitters

	I don't think so yet. I haven't got the latest release in yet, but there
was a comment on the coralreef list that the fore firmware currently only 
captures the first aal5 cell (i.e. only about 44 bytes of header) no matter
what you tell the API to do. More cells is a future enhancement. They also
intend to provide libpcap output which I figure I should be able to just
feed to argus with no argus changes. If I get some time I'll put in the new
release and do a capture and forward it in case I'm mistaken in how much is
really there.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

> 
> Hey Peter,
> So would it be useful to have argus read coralreef packet
> capture files?  I've added snoop support for the 1.8 version,
> and the coralreef stuff looks pretty trivial.  If this is
> interesting, send me a small packet capture file so I can
> test the code.
> 
> Oh yeah, and Nortel has a lot of switches that do
> conversation steering in many flexible and convenient
> ways (had to get the corporate marketing in there ;o)
> 
> Hope all is well,
> 
> Carter
> 
> Carter Bullard
> Principal Consultant

Peter Van Epp | 30 Jul 23:58 1999

Re: Ethernet splitters

> 
> Greetings,
> 
> I use both the passive hub and mirrored port solutions in my current network
> monitoring.  Unfortunately, solutions that work for low speed half duplex
> links have problems at higher speeds with full duplex.
> 

	Which (although I obviously didn't explain it very clearly since I 
got a query via private email too) is why the Shomiti box is so attractive.
It connects inline to the link but provides a probably buffered (because there
is a power supply involved which presumably there wouldn't be if it was
completely passive) receive data port for each of the transmit and receive
pairs on the passthrough port pair so that full duplex works (i.e. the full 
doubled bandwidth can be accommodated if your sniffer can handle it or you have
two NIC cards in your IDS). It is rated 10/100 and I intend on using it on a 
100 link so I can report how it really works when I get it if desired. 
	A desirable side benefit is that no matter what the IDS or monitor 
host transmits, because there are no transmit wires on the monitor port, no 
one hears anything the monitor host says. That precludes a breakin from the 
Internet side from letting your IDS be used against you (of course a breakin 
from the control connection to your presumably secured inside network is 
still a serious problem).
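The tap described above hands each direction of the full-duplex link to its own receive-only NIC, so the IDS host ends up with two one-way captures that have to be interleaved before a flow tool can see both halves of a conversation. The following is an added example (not code from the thread, from Shomiti, or from argus) that merges two such feeds by timestamp and writes the result as a classic libpcap file; the frames, MAC addresses and timestamps are constructed sample data, and the direction labels are assumptions about which NIC is wired to which transmit pair.

```python
"""Merge the two unidirectional feeds a receive-only tap produces into one
time-ordered capture and write it as a classic libpcap file.

Each NIC on the IDS host sees one direction of the full-duplex link, so the
two captures have to be interleaved by timestamp before a flow tool such as
argus can see both halves of a conversation. Everything below is constructed
sample data; the frames are not real traffic.
"""
import heapq
import io
import struct

PCAP_MAGIC = 0xA1B2C3D4      # libpcap magic for microsecond timestamps
LINKTYPE_ETHERNET = 1


def make_frame(src_mac: bytes, dst_mac: bytes, payload: bytes) -> bytes:
    """Build a minimal Ethernet II frame (IPv4 ethertype) for the sample data."""
    return dst_mac + src_mac + b"\x08\x00" + payload


# Constructed sample: placeholder MACs, one record per (timestamp in us, frame).
ROUTER_MAC = bytes.fromhex("00000c000001")
SWITCH_MAC = bytes.fromhex("00005e000002")

# Feed from the NIC wired to the router's transmit pair (router -> inside).
TAP_A = [
    (1_000_000, make_frame(ROUTER_MAC, SWITCH_MAC, b"syn-ack")),
    (1_000_300, make_frame(ROUTER_MAC, SWITCH_MAC, b"data-1")),
    (1_000_900, make_frame(ROUTER_MAC, SWITCH_MAC, b"data-2")),
]
# Feed from the NIC wired to the switch's transmit pair (inside -> router).
TAP_B = [
    (999_800, make_frame(SWITCH_MAC, ROUTER_MAC, b"syn")),
    (1_000_150, make_frame(SWITCH_MAC, ROUTER_MAC, b"ack")),
    (1_000_400, make_frame(SWITCH_MAC, ROUTER_MAC, b"ack-data-1")),
]


def merge_streams(feed_a, feed_b):
    """Interleave two timestamp-sorted feeds into one sorted stream.

    Both NICs sit in the same host, so they share a clock and a plain merge
    is correct. heapq.merge is lazy, which matters for large captures, and
    the second tuple field makes ties deterministic (feed A first).
    """
    tagged_a = ((ts, 0, "router->inside", frame) for ts, frame in feed_a)
    tagged_b = ((ts, 1, "inside->router", frame) for ts, frame in feed_b)
    for ts, _order, direction, frame in heapq.merge(tagged_a, tagged_b):
        yield ts, direction, frame


def write_pcap(records, snaplen=65535) -> bytes:
    """Serialise (ts_us, direction, frame) records as a pcap file; direction is dropped."""
    buf = io.BytesIO()
    # Global header: magic, major 2, minor 4, thiszone, sigfigs, snaplen, linktype.
    buf.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts_us, _direction, frame in records:
        sec, usec = divmod(ts_us, 1_000_000)
        captured = frame[:snaplen]
        buf.write(struct.pack("<IIII", sec, usec, len(captured), len(frame)))
        buf.write(captured)
    return buf.getvalue()


def read_pcap(data: bytes):
    """Parse the file back into [(ts_us, frame)] to check the round trip."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    _snaplen, linktype = struct.unpack_from("<II", data, 16)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type, got %d" % linktype)
    records, off = [], 24
    while off < len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        records.append((sec * 1_000_000 + usec, data[off:off + incl]))
        off += incl
    return records


def merged_directions():
    """Direction sequence after the merge, i.e. the conversation as argus would see it."""
    return [direction for _ts, direction, _frame in merge_streams(TAP_A, TAP_B)]


if __name__ == "__main__":
    merged = list(merge_streams(TAP_A, TAP_B))
    for ts, direction, frame in merged:
        print(ts, direction, frame[14:].decode())
    print(len(read_pcap(write_pcap(merged))), "records written")
```

With real captures the two feeds would come from two pcap files rather than in-memory lists, but the merge itself is unchanged; the point of the example is that a tap leaves the direction split for you to recombine, whereas a mirror port delivers an already-interleaved (and, under load, possibly incomplete) stream.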

Jerry Lundy | 30 Jul 22:58 1999

Re: Ethernet splitters

Greetings,

I use both the passive hub and mirrored port solutions in my current network
monitoring.  Unfortunately, solutions that work for low speed half duplex
links have problems at higher speeds with full duplex.

Chas DiFatta wrote:
> 
> If you use a Cisco switch and you wish to monitor the link that supplies all
> the traffic (like to/from a router) just set up a spanning port to send
> all tx/rv traffic from the router port to another port where your Argus host
> resides.  We usually use a separate interface for monitoring on the Argus
> host, IP addr 0.0.0.0 to keep in stealth mode.  Other switches may work,
> but we're not familiar with them.  We've been able to monitor at a sustained
> load of 30 Mb/s for hours with this configuration and Argus 1.8.

Not quite.  Full duplex traffic is potentially twice the bandwidth of the receive
lines on a given port, possibly dropping packets.  Spanning multiple switch
ports to a single port increases the probability of dropped packets. Spanning and
port mirroring become less useful as utilization levels increase.

> If you don't have a Cisco, use a 10 or 100baseT hub just in front of the
> router. Since you're only using two ports, i.e. router and switch, monitoring
> the traffic on a 3rd port does the trick without any degradation in traffic
> due to collisions.

Carter Bullard | 30 Jul 23:11 1999

RE: Ethernet splitters

Hey Jerry,
   Still I can mirror 5 full duplex 10Mbps links onto
a single 100Mbps output link, no problem.  One of the
nice things about 10/100 ethernet switches/hubs ;o)

Carter

Carter Bullard
Principal Consultant
Nortel Networks
320 Park Avenue  16th Floor
New York, New York 10022
Email  cbullard <at> nortelnetworks.com
Phone +1 212 317 4230
Fax   +1 212 317 4324
Pager +1 800 217-7496 

-----Original Message-----
From: jwlundy <at> aafes.com [mailto:jwlundy <at> aafes.com]
Sent: Friday, July 30, 1999 4:58 PM
To: nfr-users <at> nfr.net
Cc: argus <at> lists.andrew.cmu.edu
Subject: Re: Ethernet splitters

Greetings,

I use both the passive hub and mirrored port solutions in my current network
monitoring.  Unfortunately, solutions that work for low speed half duplex
links have problems at higher speeds with full duplex.
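Jerry's point (a full-duplex link can offer twice the capacity of the mirror port's one transmit pair) and Carter's reply (five full-duplex 10 Mb/s links fit onto one 100 Mb/s output) are the same capacity check run with different numbers. The block below is an added example, not from the thread or from any vendor, that makes the check explicit for a SPAN/mirror port, a half-duplex hub, and a receive-only tap with one NIC per direction; the `Link` type, the utilisation figures and the function names are this example's own.

```python
"""Capacity check for three ways of feeding an IDS: a SPAN/mirror port, a
half-duplex hub, and a receive-only tap with one NIC per direction.

Added example; the link lists in __main__ are constructed to reproduce the two
cases argued in the thread (five full-duplex 10 Mb/s links mirrored onto one
100 Mb/s port, and one full-duplex 100 Mb/s link mirrored onto a 100 Mb/s port).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    rate_mbps: float          # line rate of the monitored link, per direction
    full_duplex: bool = True  # full duplex carries rate_mbps each way at once
    utilization: float = 1.0  # fraction of line rate actually in use (1.0 = worst case)

    def offered_mbps(self, worst_case: bool) -> float:
        """Traffic a mirror must copy: both directions count on a full-duplex link."""
        directions = 2 if self.full_duplex else 1
        load = 1.0 if worst_case else self.utilization
        return directions * self.rate_mbps * load


def mirror_port_check(links, mirror_mbps: float) -> dict:
    """Can a single mirror/SPAN output carry everything mirrored onto it?

    A SPAN port has one transmit pair toward the IDS, so the sum of both
    directions of every mirrored link competes for that one pipe. Anything
    above mirror_mbps is dropped by the switch, and the IDS never sees it.
    """
    worst = sum(link.offered_mbps(worst_case=True) for link in links)
    expected = sum(link.offered_mbps(worst_case=False) for link in links)
    return {
        "worst_case_mbps": worst,
        "expected_mbps": expected,
        "oversubscribed_at_peak": worst > mirror_mbps,
        "oversubscribed_now": expected > mirror_mbps,
        "headroom_mbps": mirror_mbps - expected,
    }


def tap_check(link: Link, nic_mbps: float) -> dict:
    """A tap hands each direction to its own receive-only NIC.

    Each NIC sees one direction at most at line rate, so a NIC matching the
    link rate cannot be oversubscribed by the tap itself (whether the host's
    capture path keeps up is a separate question).
    """
    return {
        "nics_needed": 2 if link.full_duplex else 1,
        "per_nic_mbps": link.rate_mbps,
        "oversubscribed_at_peak": link.rate_mbps > nic_mbps,
        "isolated_from_segment": True,   # no transmit leads on the monitor ports
    }


def hub_check(link: Link, nic_mbps: float) -> dict:
    """Half-duplex hub: both ends share one collision domain, so one NIC sees all of it."""
    shared = link.rate_mbps   # both directions share a single rate_mbps medium
    return {
        "nics_needed": 1,
        "per_nic_mbps": shared,
        "oversubscribed_at_peak": shared > nic_mbps,
        "isolated_from_segment": False,  # the monitor host can still transmit
    }


if __name__ == "__main__":
    # Carter's case: five full-duplex 10 Mb/s links onto one 100 Mb/s SPAN port.
    five = [Link(10.0) for _ in range(5)]
    print("5 x 10FD -> 100:", mirror_port_check(five, 100.0))
    # Jerry's case: one full-duplex 100 Mb/s router link onto a 100 Mb/s SPAN port.
    print("1 x 100FD -> 100:", mirror_port_check([Link(100.0)], 100.0))
    # The same link at 30% utilisation each way: fine now, not at peak.
    print("1 x 100FD @ 30% -> 100:", mirror_port_check([Link(100.0, utilization=0.3)], 100.0))
    print("tap:", tap_check(Link(100.0), 100.0))
    print("hub:", hub_check(Link(100.0, full_duplex=False), 100.0))
```

The asymmetry the check exposes is the security-relevant one: a mirror port that is only oversubscribed at peak drops packets exactly when the link is busiest, which is also when an IDS most needs a complete view, and the drop is invisible from the IDS side. The tap row shows the trade: two NICs and a merge step in exchange for a feed that cannot be oversubscribed by the link and cannot carry anything the monitor host transmits.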

