Showing posts with the label net optics

Tap vs Lightning Strike

Earlier this year my lab suffered a near lightning strike. A tree right outside the lab was struck by lightning, causing damage to multiple electronic and electrical devices outside and inside the building. Outside, the lightning disabled an exterior lighting system and my phone lines. Inside, the lightning took a severe toll on the lab. The cable modem to the outside world was destroyed. The NIC on the lab firewall facing the cable modem was fried, along with a second NIC in the firewall. The NIC on a sensor watching a tap between the cable modem and firewall was also destroyed. So far, this is a grim story. I have one good piece of news to report, and it involves the tap I mentioned sitting between the cable modem and firewall. The tap survived the lightning strike. More precisely, the tap continued to pass traffic even when its monitoring interface was damaged. Had the tap been receiving traffic from the modem or firewall, it would have continued to pass it. This truly ama...

Notes on Net Optics Think Tank

Last week I attended and spoke at the latest Net Optics Think Tank. I've presented for Net Optics twice before, but this was the first event held in northern Virginia. The first half of the event consisted of two briefings. The first discussed tap technology. This was supposed to be a basic introduction but I learned quite a bit, especially with regards to fiber optics. Specifically, I learned of some cases where customers reverse cables when plugging in their taps, thereby causing lots of tough-to-troubleshoot problems. Furthermore, as customers move from Gigabit over fiber to 10 Gigabit over fiber, they are encountering cabling issues. Gigabit is much more forgiving than 10 Gig. At 10 Gig, you apparently have to pay close attention to the specifications, such as core size. I learned that Net Optics is considering ways to "tag" or "label" packets collected by their link aggregator taps. When discussing matrix switches, it occurred to me that tho...

Net Optics Think Tank Tuesday in Fairfax, VA

Don't forget to attend the free Net Optics Think Tank on Tuesday, 26 September 2006 in Fairfax, VA. It looks like I will be speaking during lunch from 1215 to 1315. Please register. I expect to see a lot of cool Net Optics gear on display, along with insights from those who make products for enterprise network instrumentation.

Net Optics Think Tank on 26 September

In about three weeks I will be speaking at the next Net Optics Think Tank on 26 September 2006 in Fairfax, VA. It looks like I will be speaking during lunch from 1215 to 1315. Please register. Speaking of Net Optics, I see they've announced a GigaBit Port Aggregator with SFP Monitor Ports and a New iBypass™ Switch with Heartbeat, Unique Utilization Display, and Remote Management. I expect those will be on display in Fairfax.

Speaking at Net Optics Think Tank on 26 September

Almost exactly one year after my last appearance, I will be speaking at the next Net Optics Think Tank on 26 September 2006 in Fairfax, VA. I haven't figured out exactly what I will be covering yet. I might talk about some material from my TCP/IP Weapons School class and how it relates to recent incidents like the Freenode event. It looks like I will be speaking during lunch from 1215 to 1315.

Cool News Taps from Net Optics

You know I am always on the prowl for new networking gear to perform network security monitoring. In fact, I may write a whole new book about the subject, pulling enterprise network instrumentation coverage from future editions of The Tao and other books and concentrating it in a single volume. In the spirit of sharing information on new gear, I am happy to let you know about two cool new products from Net Optics. The first is the 10/100 Teeny Tap, pictured above. This is a fully-functional, dual-power, dual output traditional 10/100 Mbps tap. It's functionally equivalent to the 10/100 Ethernet Tap. The second neat product is the iTap Gigabit Dual Port Aggregator. This is a Gigabit tap that provides two outputs, each of which is a combination of the two TX input streams. This tap is similar to the Gigabit Dual Port Aggregator with several major differences, which I noted last month. I ran some traffic through this tap today and I really liked seeing the traffic load o...

Net Optics Introduces iTap

This morning I found I was quoted in a press release for the new Net Optics iTap GigaBit Port Aggregator tap. This is a cool device that I expect to test soon. I participated in a Think Tank where the concept of an "intelligent tap" was first introduced. From the installation guide (.pdf): The iTap Port Aggregator displays the link utilization level, last peak with time right on the front panel so you can see real-time utilization on both directions of the network link. The iTap Port Aggregator is accessible from remote interfaces that provide information and control from anywhere in the network. If you're scared by the thought of a tap offering network statistics via a front panel display, SNMP, and a Web interface, you can disable all of them and deploy the tap in "dumb" mode. It would be cheaper to buy a dumb tap, though! It makes a lot of sense to introduce this device on a port aggregator model. Port aggregators are vulnerable to dropping traffic w...

How Do You Use Taps?

How do you use taps? Specifically, do any of you use Net Optics taps? If yes, I would like to speak with you through email. I'm interested in your thoughts on any of these subjects: How did you justify buying these products? Did you encounter any installation issues? How are you using taps? What alternatives did you consider? Did taps help you learn more about any intrusions, or help you prevent or mitigate intrusions? I appreciate any feedback you might have. Please email richard at taosecurity dot com. Thank you.

Speaking at Net Optics Think Tank on 21 September

I will be speaking at the next Net Optics Think Tank at the Hilton Santa Clara in Santa Clara, CA on 21 September 2005. I will discuss network forensics, with a preview of material in my next two books, Real Digital Forensics and Extrusion Detection: Security Monitoring for Internal Intrusions. I had a good time speaking at the last Think Tank, where I met several blog readers.

Net Optics Seminar on Passive Monitoring Access

I just received word that Net Optics will be hosting a free seminar titled Fundamentals of Passive Monitoring Access. It will start at 0830 on Wednesday 3 August 2005 at the Hilton Santa Clara in Santa Clara, CA. You will notice the seminar description uses terms like pervasive network awareness and defensible network, which I described when I spoke at Net Optics in May. I am scheduled to speak again at a Net Optics event in September in California. I will post details when available.

New Net Optics Product Evaluations

I recently acquired several more specialized taps from Net Optics. I thought you might like to hear a few words about them. I plan to feature these and a few other devices in my new book Extrusion Detection, but why wait until then? I specifically requested evaluation units to meet monitoring and network access problems my clients brought to me. Perhaps you will find one or more of these products answer a monitoring question you've also been pondering. Keep in mind that I show Ethernet versions here, but a variety of optical products are offered. Also, I mention these products as they might be deployed at the perimeter, between a border router and firewall. They can certainly be used elsewhere, but for consistency here I stay with that deployment scenario. The first product I tried was the 10/100 Active Response Dual Port Aggregator Tap. The purpose of this device is to provide full duplex access to a network link to two sensor platforms. The two outputs on the left ...

Notes on Net Optics Think Tank

Last week I had the good fortune to be invited to speak at a Net Optics Think Tank event. Net Optics is a California-based maker of products which help analysts access traffic for monitoring the security and performance of the network. I recently wrote about the Net Optics tap built in a PCI card form factor. I also use their gear to conduct network security monitoring, as profiled in my first book. The meeting offered attendees three sessions: the first two were conducted by Net Optics personnel, and I presented the third. The purpose of the sessions was not to sell products, but to solicit feedback from attendees. In fact, in some cases the "products" in question didn't exist yet. Rather than implement products customers might not want, or lacking desired features, Net Optics polls its clients and prospective customers and builds the gear those customers need. The first presentation described the Bypass Switch. This is a really interesting product which...

Tap on a PCI Card

Those of you who've read my first book know I like to use taps built by Net Optics to access wired traffic. The device pictured at left is a port aggregator tap. It combines the TX side of whatever's plugged into port A with the TX side of port B into a single output on port C, using buffering if the aggregate throughput exceeds 100 Mbps. Today I got a chance to test the device pictured at left. It's a Net Optics PCI Port Aggregator tap. You plug this device into a 32 bit PCI slot on your monitoring station, and you effectively have the normal port aggregator tap I showed earlier sitting within your sensor. Let me show you what I mean in pictures. This is the inside of my preferred monitoring platform, a Dell Poweredge 750. I've removed the dual Gigabit Ethernet NIC I usually order with these systems. That NIC is a PCI-X device recognized as em under FreeBSD. In this next picture you see the Net Optics PCI tap at the top, and the dual Gigabit Ethernet N...

Speaking at Net Optics Think Tank Event in May

I will be presenting my thoughts on pervasive network awareness as facilitated by taps at the next Net Optics Think Tank. The event will take place on 18 May 2005 in their Sunnyvale, CA headquarters. I use Net Optics taps to gain access to traffic when performing network security monitoring.