Re: Network "tap" (was Re: Rationale of the great DMZ)

["Steven M. Bellovin" <smb () research att com>]

In message <20020719043100.40132.qmail () msg net>, "firewalls () msg net" writes:
> Steven M. Bellovin writes:

> > There are actually commercial devices to do that -- the FBI uses one 
> > with Carnivore...
>
> I've run into problems with just cutting the TX wire. Another issue is
> the ability to transparently intercept all traffic in both directions
> on a full-duplex link. 
>
> Both of these problems are addressed with a 'Network Tap', a hardware device
> that sits inline between two devices (e.g. between a router and a firewall)
> and provides _two_ transmit-only interfaces, one copying all traffic sent
> from the upstream, and the other all traffic from the downstream. These are
> available for copper and fiber.
>
> The sniffer cannot possibly accidentally respond to packets up this connection
> ,
> the interface from the tap to the sniffer physically does not permit this.
>
> The best models will 'fail safe' -- if power is lost, the devices being
> monitered do not lose link, but traffic is no longer copied to the sniffer.
>
> On copper ethernet, a tap is only detectable by careful physical inspection,
> or a TDR. The passive fiber taps do not require a power supply, and work
> by actually diverting 20-50% of the light.
>
>
> I've worked with two brands of these- the "Century Tap" from Shomiti (do
> they still exist?), and most recently, the Netoptics "network tap".  I prefer
> the design of the Shomiti.

If I rcall correctly, the FBI originally used the Shomite tap.  I have no
idea what they're using today.

                --Steve Bellovin, http://www.research.att.com/~smb (me)
                http://www.wilyhacker.com ("Firewalls" book)


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards