Thursday, July 10, 2003

Bonding Tap Outputs

While perusing the Focus-IDS mailing list I read this great thread on the use of taps for IDS, started in Dec 2001. (Did you know TAP means Test Administrative Port?) The question of how to combine the two output streams from a tap became an issue. "Real" taps like the Finisar UTP IL/1 below or the TopLayer Fast Ethernet Copper Tap have two inputs and two outputs:




With two outputs, how do you recombine the streams? Several posts mentioned the "THG", which refers to Finisar's (formerly Shomiti) Ten Hundred Gigabit system, as a means to combine the two streams sent out from tap ports A and B. Intrusion, Inc., makes a tap with a single output:




There's a problem with this setup. If the sum of the streams collected from the two inputs exceeds the capacity of the single output, packets are dropped. Whoops!
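As an added illustration (not from the original post or the Focus-IDS thread), the following Python models the two recombination choices above: merging the two tap outputs in software by timestamp versus feeding both directions into one output port of the same speed, which loses whatever exceeds that port's capacity. It assumes a Fast Ethernet tap, uses constructed packet records rather than a real capture, and ignores preamble and inter-frame gap overhead.

```python
import heapq
from dataclasses import dataclass

FAST_ETHERNET_BPS = 100_000_000  # capacity of one direction of the tapped link

@dataclass(order=True)
class Pkt:
    ts_us: int   # capture timestamp in microseconds
    port: str    # tap output the frame was copied from: "A" or "B"
    length: int  # frame length in bytes

def merge_tap_outputs(stream_a, stream_b):
    """Interleave the two per-direction captures into one stream ordered by timestamp.
    Each input must already be in timestamp order, as a capture from one NIC is."""
    return list(heapq.merge(stream_a, stream_b, key=lambda p: p.ts_us))

def single_output_drops(pkts, out_bps=FAST_ETHERNET_BPS, window_us=1000):
    """Frames a single-output tap cannot forward: in each window, bytes beyond the
    output port's capacity are lost because both directions share one port."""
    budget = out_bps * window_us // 8_000_000  # bytes one window can carry
    used = {}      # bytes already forwarded per window
    dropped = []
    for p in pkts:
        slot = p.ts_us // window_us
        if used.get(slot, 0) + p.length > budget:
            dropped.append(p)
        else:
            used[slot] = used.get(slot, 0) + p.length
    return dropped

# Constructed sample: both directions busy with full-size frames, about 96 Mbit/s each
STREAM_A = [Pkt(i * 120, "A", 1500) for i in range(8)]
STREAM_B = [Pkt(i * 120 + 60, "B", 1500) for i in range(8)]

if __name__ == "__main__":
    merged = merge_tap_outputs(STREAM_A, STREAM_B)
    lost = single_output_drops(merged)
    print(f"{len(merged)} frames merged; {len(lost)} would be dropped by a single 100 Mbit/s output")
```

Either direction alone fits the single output; it is the sum of the two half-duplex streams that exceeds it, which is exactly the failure mode described above.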


TopLayer's IDS Balancer was also mentioned as a way to aggregate streams, but I'm not convinced it's appropriate for the stream reassembly problem. This post claims:


"the core technology we use on the ASICs firstly track and follow "conversations" (flows, sessions call it what you will) - so in essence we have a "state table" (of sorts) which sees the first packet in a stream and sends it to Monitor Group 1 - any subsequent packet in the conversation (regardless of input port) is then sent to the same port (we do this on a mapping of IP to MAC plus a few other things). The next conversation is then sent to the 2nd Monitor port and so forth. So in terms of re-assembly - are we (at this level) truly re-assembling ??"


Usually the TopLayer product is used to distribute bandwidth amongst multiple intrusion detection systems. For example, one IDS watches all Web traffic, while another watches everything else.


Robert Graham mentioned software implementations which see two NICs on the monitoring platform as a single virtual NIC. This is the method I documented for FreeBSD in this post, although vendors like Znyx offer some support for combining interfaces on non-Windows operating systems. Calvin Gorriaran told me OpenBSD's pf can be used to bridge the two interfaces listening for tap inputs. His method:


Create "/etc/bridgename.bridge0" with


add fxp0 add fxp1 -learn fxp0 -learn fxp1 -discover fxp0 -discover fxp1 -stp fxp0 -stp fxp1 link0 link1 rulefile /etc/bpf.conf up


Then, in /etc/bpf.conf:


# bridge0 ruleset
block in on fxp0
block out on fxp0
block in on fxp1
block out on fxp1


Make sure both interfaces are up and reboot.


Greg Shipley weighed in with some of the nicest ASCII art on taps I've seen. :)