OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Patrick Mueller (pmuellerneohapsis.com)
Date: Thu Feb 28 2002 - 18:02:11 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Man, did this thing get out of control :)

    So, the original question is how do you merge two data streams back into
    one? The way that I've done this is by sending (for example) both outputs
    of a 100Mbit tap into a (real) switch (e.g. Cisco 29xx) which buffers the
    two streams (input and output) when necessary and dumps it to a SPAN port.

    Regarding the definition of a "switching hub". What I consider a switching
    hub is something in between a traditional hub (all frames repeated on all
    ports) and a traditional switch (only broadcast frames are repeated to all
    frames; e.g. Cisco 29xx). For example, the cheap Netgear "switch" that's
    on my desk is what I would call a switching hub. It only forwards frames
    to the MAC address based on the port, however, it has the same
    low-bandwidth backplane as a hub, and therefore won't support the type of
    throughput that you get from a full-fledged switch. I don't believe there
    is any sort of CPU or any real intelligence in the Netgear -- it is simply
    *not* copying frames to the ports for which the MAC address of the
    destination does not match (that's poorly worded, but I think you know
    what I mean...). Switching hubs basically buy you some security
    over hubs, but not much in terms of throughput.

    BTW, how are you folks merging gigabit fiber streams back together when
    they are coming out of a fiber tap (e.g. NetOptics)? Curious.

            -- Patrick, entering the fray..

    On Wed, 27 Feb 2002, robert_david_graham wrote:

    > Some customers have reported successin using a SWITCHING HUB to solve this
    > problem. They turn on store-and-forward, and simply pump multiple streams
    > into the hub, then feed the monitor port to the IDS. Since the switch is
    > store-and-forward, collisions will get resolved gracefully. In comparison
    > with the TopLayer solution, this is a BottomLayer(tm) solution :-).

            -- Patrick

    -------------------------------------------------------------------------
    Patrick Mueller -- Security Analyst -- <pmuellerneohapsis.com>
                      Neohapsis <www.neohapsis.com>