Finisar Tap Advice Strains the Brain
At left is an image of the Finisar Ethernet tap I use in my basement to monitor traffic. I wrote about it last July when I explained the bad design of Intrusion Inc's tap. Today I was trying to find the UTP IL/1 at Finisar's site. I didn't find it, but I did find a document which shocked me. It's titled "Using Single Port Taps with IDS Systems" (.pdf). (Note to self: Intrusion Detection System Systems?)
This document mentions the IL/1 and advocates plugging the tap outputs into a hub. The problem with this is simple: a tap preserves the full-duplex nature of a link between switches. Full-duplex means both ends can transmit simultaneously. What happens to packets transmitted simultaneously when they enter a hub? BANG -- collision. That's no problem on a half-duplex medium like unswitched Ethernet, since the transmitters will sense the collision (hence Carrier Sense Multiple Access with Collision Detection). The parties will back off and retransmit, hoping for better luck next time.
With a full-duplex tap, there is no retransmission. The two simultaneous packets collide and the original transmitters never hear the packets' silent death scream. I see many posts to IDS newsgroups advocating this horrible design strategy, with posters cheerfully claiming their IDS handles Fast Ethernet speeds with no packet loss. The problem is their IDS never sees the majority of the traffic, as it dies in a collision-ridden blaze of misfortune.
Below is a capture of the document in question:
Note there is no problem with the Finisar tap itself, only with this poor design advice. This is in contrast with the Intrusion SecureNet IDS Tap 10/100. It sports a single transmit output, meaning it combines two transmission streams, each potentially operating at over 50 Mbps, into a single output. When the total of the two TX inputs exceeds 100 Mbps, we have another traffic issue -- dropped packets.
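As an added illustration (my own constructed model, not from the post, Finisar's document or either vendor), here is a small Python simulation of both failure modes described above: the two tap outputs sharing a hub, where overlapping frames collide and nobody retransmits, and two TX streams merged onto one 100 Mbps output. Frame sizes, per-direction utilizations and the random gaps are constructed values.

```python
"""Constructed model of the two failure modes the post describes (added
here; not from the post or from Finisar): tap outputs fed into a hub, and
two TX streams merged onto one 100 Mbps sensor port."""
import random

LINK_MBPS = 100.0  # Fast Ethernet link being tapped
def gen_frames(rng, util, n, lo=64, hi=1518):
    """Constructed one-direction traffic: n frames of lo..hi bytes, gaps
    sized so the direction averages `util` of link capacity. Returns
    sorted, non-overlapping (start_us, end_us) busy intervals."""
    if util <= 0:
        return []
    frames, t = [], 0.0
    for _ in range(n):
        dur = rng.randint(lo, hi) * 8 / LINK_MBPS  # microseconds on the wire
        if util < 1:
            t += rng.expovariate(1.0) * dur * (1.0 / util - 1.0)
        frames.append((t, t + dur))
        t += dur
    return frames

def count_colliding(x, y):
    """Frames in x that overlap in time with some frame in y (both lists
    sorted and internally disjoint, so one forward pass over y suffices)."""
    hits, j = 0, 0
    for start, end in x:
        while j < len(y) and y[j][1] <= start:
            j += 1
        if j < len(y) and y[j][0] < end:
            hits += 1
    return hits

def hub_loss(util_a, util_b, n=2000, seed=1):
    """Fraction of frames lost to the IDS when both tap outputs share a hub:
    simultaneous frames collide; the passive tap means nobody retransmits."""
    rng = random.Random(seed)
    a, b = gen_frames(rng, util_a, n), gen_frames(rng, util_b, n)
    total = len(a) + len(b)
    return (count_colliding(a, b) + count_colliding(b, a)) / total if total else 0.0

def aggregation_drop(tx_a_mbps, tx_b_mbps, out_mbps=LINK_MBPS):
    """Fraction dropped when a tap merges both TX streams onto one output:
    whatever exceeds the output port's rate has nowhere to go."""
    offered = tx_a_mbps + tx_b_mbps
    return max(0.0, offered - out_mbps) / offered if offered else 0.0

if __name__ == "__main__":
    for u in (0.05, 0.20, 0.40):
        print(f"{u:.0%} each way into a hub: IDS misses {hub_loss(u, u):.0%}")
    print(f"70+60 Mbps into one port: {aggregation_drop(70, 60):.0%} dropped")
```

Even at modest utilization the hub model loses a large share of frames, and the loss grows with load, which is exactly when an analyst most needs the sensor to see everything.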
Someone please email me at blogspot at taosecurity dot com to tell me I'm misinterpreting this Finisar document. I don't see how this is a good idea. The document even shows two cables going straight into a hub. Unbelievable.