[Snort-users] To TAP or HUB?
mkettler at ...4108...
Thu Dec 19 13:14:06 EST 2002
Agreed, there are a small handful of differences, but generally speaking
for a low-bandwidth (under 4mbit/sec) network, using a hub to an IP-less
interface on a well secured system should be perfectly adequate. Hubs are
generally well suited to most T1's, cable modems, and DSL connections if
you're capable of correctly securing the computer running snort.

pros - inherently secure against intrusion - the snort box cannot
     - efficient even in full wire-speed uses - taps don't
     - highly failure resistant (i.e.: they rarely contain
       electronics which can fail in such a way data stops flowing)
cons - more costly

pros - cheap, widely available
cons - not secure on its own - another mechanism needs to protect
       the snort box from exploitation
     - introduces collisions which become a severe problem for
       high-speed networks (45mbit/sec or faster).
     - less failure resistant - they require power to operate,
       and electronics in them can possibly fail.

Note that the tap method protects the snort box from exploitation on that
interface, i.e.: nobody can hack your snort box and get a root shell via an
interface connected to a tap, but does not protect it from all forms of
denial of service; someone could possibly still crash it by sending it
invalid data. It also can't protect it from exploitation via another
A hacked snort box is a very dangerous thing, since the snort box is in the
perfect position to monitor all traffic going in and out of your network.
It is an ideal location to engage in connection hijacking, DNS spoofing and
other attacks against other machines on the network. Be very mindful of
securing your snort sensors.
At 12:51 PM 12/19/2002 -0600, Madziarczyk, Jonathan wrote:
>Since you're only monitoring between the cable modem and the firewall,
>putting a hub in between the two is almost the exact same thing as
>putting a tap between.