Bonding Tap Outputs

While perusing the Focus-IDS mailing list I read this great thread on the use of taps for IDS, started in Dec 2001. (Did you know TAP means Test Administrative Port?) The question of how to combine the two output streams from a tap became an issue. "Real" taps like the Finisar UTP IL/1 below or the TopLayer Fast Ethernet Copper Tap have two inputs and two outputs:




With two outputs, how do you recombine the streams? Several posts mentioned the "THG", which refers to Finisar's (formerly Shomiti) Ten Hundred Gigabit system, as a means to combine the two streams sent out from tap ports A and B. Intrusion, Inc., makes a tap with a single output:




There's a problem with this setup. If the sum of the streams collected from the two inputs exceeds the capacity of the single output, packets are dropped. Whoops!


TopLayer's IDS Balancer was also mentioned as a way to aggregate streams, but I'm not convinced it's appropriate for the stream reassembly problem. This post claims:


"the core technology we use on the ASICs firstly track and follow "conversations" (flows, sessions call it what you will) - so in essence we have a "state table" (of sorts) which sees the first packet in a stream and sends it to Monitor Group 1 - any subsequent packet in the conversation (regardless of input port) is then sent to the same port (we do this on a mapping of IP to MAC plus a few other things). The next conversation is then sent to the 2nd Monitor port and so forth. So in terms of re-assembly - are we (at this level) truly re-assembling ??"


Usually the TopLayer product is used to distribute bandwidth amongst multiple intrusion detection systems. For example, one IDS watchs all Web traffic, while another watches everything else.


Robert Graham mentioned software implementations which see two NICs on the monitoring platform as a single virtual NIC. This is the method I documented for FreeBSD in this post, although vendors like Znyx offer some support for combining interfaces on non-Windows operating systems. Calvin Gorriaran told me OpenBSD's pf can be used to bridge the two interfaces listening for tap inputs. His method:


Create "/etc/bridgename.bridge0" with


add fxp0 add fxp1 -learn fxp0 -learn fxp1 -discover fxp0 -discover fxp1 -stp fxp0 -stp fxp1 link0 link1 rulefile /etc/bpf.conf up


Then in /etc/bpf.conf..


# bridge0 ruleset

block in on fxp0

block out on fxp0

block in on fxp1

block out on fxp1


Make sure both interfaces are up and reboot.


Greg Shipley weighed in with some of the nicest ASCII art on taps I've seen. :)

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more