At left is an image of the Finisar Ethernet tap I use in my basement to monitor traffic. I wrote about it last July when I explained the bad design of Intrusion Inc's tap. Today I was trying to find the UTP IL/1 at Finisar's site. I didn't find it, but I did find a document which shocked me. It's titled "Using Single Port Taps with IDS Systems" (.pdf). (Note to self: Intrusion Detection System Systems?)
This document mentions the IL/1 and advocates plugging the tap outputs into a hub. The problem with this is simple: a tap preserves the full-duplex nature of a link between switches. Full-duplex means both ends can transmit simultaneously. What happens to packets transmitted simultaneously when they enter a hub? BANG -- collision. That's no problem on a half-duplex medium like unswitched Ethernet, since the transmitters will sense the collision (hence Carrier Sense Multiple Access Collision Detection). The parties will back off and retransmit, hoping for better luck next time.
With a full-duplex tap, there is no retransmission. The two simultanous packets collide and the original transmitters never hear the packets' silent death scream. I see many posts to IDS newsgroups advocating this horrible design strategy, with posters cheerfully claiming their IDS handles Fast Ethernet speeds with no packet loss. The problem is their IDS never sees the majority of the traffic, as it dies in a collision-ridden blaze of misfortune.
Below is a capture of the document in question:
Someone please email me at blogspot at taosecurity dot com to tell me I'm misinterpreting this Finisar document. I don't see how this is a good idea. The document even shows two cables going straight into a hub. Unbelievable.
0 komentar:
Posting Komentar