Firewall Wizards mailing list archives
Re: Network "tap" (was Re: Rationale of the great DMZ)
From: "Steven M. Bellovin" <smb () research att com>
Date: Mon, 22 Jul 2002 19:29:03 +0900
In message <20020719043100.40132.qmail () msg net>, "firewalls () msg net" writes:
> Steven M. Bellovin writes:
> > There are actually commercial devices to do that -- the FBI uses one with Carnivore...
>
> I've run into problems with just cutting the TX wire. Another issue is the ability to transparently intercept all traffic in both directions on a full-duplex link. Both of these problems are addressed with a 'Network Tap', a hardware device that sits inline between two devices (e.g. between a router and a firewall) and provides _two_ transmit-only interfaces, one copying all traffic sent from the upstream, and the other all traffic from the downstream. These are available for copper and fiber. The sniffer cannot possibly accidentally respond to packets up this connection; the interface from the tap to the sniffer physically does not permit this. The best models will 'fail safe' -- if power is lost, the devices being monitored do not lose link, but traffic is no longer copied to the sniffer. On copper ethernet, a tap is only detectable by careful physical inspection, or a TDR. The passive fiber taps do not require a power supply, and work by actually diverting 20-50% of the light. I've worked with two brands of these: the "Century Tap" from Shomiti (do they still exist?), and most recently, the Netoptics "network tap". I prefer the design of the Shomiti.
If I recall correctly, the FBI originally used the Shomiti tap. I have no idea what they're using today.

--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com ("Firewalls" book)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
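The quoted post makes two points a monitoring host has to deal with: a tap hands the sniffer two separate one-way feeds, and a fail-safe tap that loses power keeps the link up while silently ceasing to copy traffic. The following is an added example, not code from the thread: it merges the two legs into one timestamp-ordered stream and flags a leg that has gone quiet while the other keeps flowing; the pcap blobs, the gap threshold and the function names are all assumed/constructed here.

```python
import heapq
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap magic, microsecond timestamps, little-endian


def write_pcap(packets):
    """Serialise (sec, usec, frame) tuples as a classic pcap blob (used for constructed test data)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))
    for sec, usec, frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


def read_pcap(blob):
    """Parse a classic little-endian pcap blob into (sec, usec, frame) tuples."""
    magic, = struct.unpack_from("<I", blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    packets, off = [], 24  # 24-byte global header
    while off + 16 <= len(blob):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", blob, off)
        off += 16
        packets.append((sec, usec, blob[off:off + incl]))
        off += incl
    return packets


def merge_tap_legs(upstream_blob, downstream_blob):
    """Interleave the two unidirectional tap legs into one timestamp-ordered stream.
    Elements are (sec, usec, direction, frame) with direction 'up' or 'down'."""
    up = ((s, u, "up", f) for s, u, f in read_pcap(upstream_blob))
    down = ((s, u, "down", f) for s, u, f in read_pcap(downstream_blob))
    return list(heapq.merge(up, down, key=lambda p: (p[0], p[1])))


def silent_leg(merged, max_gap_sec=5):
    """Return the direction that has stayed quiet for more than max_gap_sec while the
    other leg kept delivering frames, or None. A fail-safe tap that lost power leaves the
    link up, so this one-sided silence is the only symptom visible at the sniffer."""
    last = {}
    for sec, usec, direction, _frame in merged:
        t = sec + usec / 1e6
        last[direction] = t
        for other in ("up", "down"):
            if other != direction and other in last and t - last[other] > max_gap_sec:
                return other
    return None


# Constructed sample captures: the downstream leg stops after t=101 while upstream continues.
UPSTREAM = write_pcap([(100, 0, b"\x01" * 60), (103, 0, b"\x02" * 60), (107, 0, b"\x03" * 60)])
DOWNSTREAM = write_pcap([(100, 500000, b"\x11" * 60), (101, 0, b"\x12" * 60)])
```

On a real deployment the two blobs would come from the two sniffer interfaces; a persistent one-sided gap is worth alerting on because the monitored link itself shows nothing wrong.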