In-line TAP question


sfear...@gmail.com

May 20, 2014, 4:10:46 PM
to securit...@googlegroups.com
I am a little concerned that I made a mistake on a TAP purchase. Essentially I have an inline tap that you plug the link to the internal network into, and then plug the link that goes to the firewall into the other port (for both directions). I planned on placing it between a switch and the primary firewall.

This tap can regenerate the traffic up to 4 devices, however to see both directions I must use 2 NICs.

So the million dollar question is: am I in trouble here? Can I utilize 2 NICs in monitor mode with SO and still have the same ability to monitor that I do currently with a single NIC and a switch doing SPAN? I simply have no experience with anything outside of using a simple SPAN port to send all traffic from the primary internet path to SO.


Thanks,
Scott F.


sfear...@gmail.com

May 20, 2014, 4:52:26 PM
to securit...@googlegroups.com
Mike Reeves might have answered my question. In this post he suggests bridging the 2 NICs on the SO box to a virtual bridge NIC. Does that sound reasonable?

https://groups.google.com/forum/#!searchin/security-onion/tap/security-onion/pVm2cKePkNM/PifD3uhHZEEJ

I just need to be reassured that this will work before my TAP goes out of its return window.

Thanks again,
Scott F.

Kevin Branch

May 20, 2014, 10:27:19 PM
to securit...@googlegroups.com
Scott,

Yes, this is quite plausible. You would actually bridge two physical NICs onto one non-physical bridging interface (probably br0). Then you just tell SO to monitor br0. I take it the tap you purchased was not an aggregating one (the kind that sends the copied TX and copied RX traffic to the same port).

Kevin


On 5/20/2014 4:27 PM, sfear...@gmail.com wrote:
> Mike Reeves might have answered my question. In this post he suggests bridging the 2 NICs on the SO box to 1 NIC. Does that sound reasonable? I've got 4 NICs to work with, so that will use all of them unfortunately (2 for TAP, 1 for bridge from TAP, 1 for management).
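One way to build the br0 bridge Kevin describes, as an added example that is not from this thread and not Security Onion's own setup code: a POSIX shell script that generates an ifupdown (`/etc/network/interfaces`) fragment joining the two tap-monitor NICs into one sniff-only bridge. The interface names eth1, eth2 and br0 are assumptions; the configuration keys are standard bridge-utils/ifupdown ones, and the ebtables line assumes ebtables is installed.

```shell
#!/bin/sh
# Added example (not from the thread or from Security Onion itself):
# emit an /etc/network/interfaces fragment that joins the two tap-monitor
# NICs into one bridge the sensor can sniff as a single interface.
# Interface names are assumptions; override them via the environment.
TAP_A="${TAP_A:-eth1}"     # tap monitor port carrying one direction
TAP_B="${TAP_B:-eth2}"     # tap monitor port carrying the other direction
BRIDGE="${BRIDGE:-br0}"    # interface Security Onion will be told to monitor

# Sniff-only stanza for one physical port: no IP address, promiscuous,
# ARP off so the sensor never answers on the monitored link, and NIC
# offloading features off so captured frames match what was on the wire.
sniff_port_stanza() {
    printf 'auto %s\n' "$1"
    printf 'iface %s inet manual\n' "$1"
    printf '  up ip link set $IFACE promisc on arp off up\n'
    printf '  down ip link set $IFACE promisc off down\n'
    printf '  post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done\n'
    printf '\n'
}

# Bridge stanza: both tap ports as members, STP off so the bridge never
# emits BPDUs, zero forwarding delay, and the bridge itself promiscuous and
# address-less. The ebtables policy drops anything the bridge would forward
# between its member ports, so the sensor stays passive even if a tap port
# ever accepted input (assumes ebtables is installed).
bridge_stanza() {
    printf 'auto %s\n' "$1"
    printf 'iface %s inet manual\n' "$1"
    printf '  bridge_ports %s %s\n' "$2" "$3"
    printf '  bridge_stp off\n'
    printf '  bridge_fd 0\n'
    printf '  bridge_maxwait 0\n'
    printf '  up ip link set $IFACE promisc on arp off up\n'
    printf '  down ip link set $IFACE promisc off down\n'
    printf '  post-up ebtables -P FORWARD DROP\n'
}

# Full fragment: the two member ports followed by the bridge.
generate_config() {
    sniff_port_stanza "$TAP_A"
    sniff_port_stanza "$TAP_B"
    bridge_stanza "$BRIDGE" "$TAP_A" "$TAP_B"
}

# Self-check on the generated text: both tap ports must be bridge members
# and STP must be off. Returns 0 when the fragment looks right.
check_config() {
    cfg="$(generate_config)"
    printf '%s\n' "$cfg" | grep -q "^  bridge_ports $TAP_A $TAP_B\$" || return 1
    printf '%s\n' "$cfg" | grep -q '^  bridge_stp off$' || return 1
    return 0
}

# When run directly, print the fragment so it can be appended to
# /etc/network/interfaces; afterwards bring the interfaces up with ifup and
# select br0 as the monitor interface in Security Onion's setup.
generate_config
```

The bridge gives the sensor one capture interface, which is what makes the two-NIC tap usable with tooling that expects a single sniffing interface. The caveat a practitioner should weigh is that the two directions arrive through two independent NIC receive paths and are merged in software, so under load frames can reach the sniffer slightly out of their wire order, which can hurt TCP stream reassembly; an aggregating tap, as discussed later in this thread, merges the directions in hardware and avoids that.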

sfear...@gmail.com

May 21, 2014, 10:09:04 AM
to securit...@googlegroups.com
Kevin,

That is correct. I thought I was getting an aggregating TAP but there was a mix-up after months of back and forth. I've decided that the bridge option is simply not optimal. I am working with the tap vendor to find another solution and hope that it fits our budget.

Thanks for the input.

bolts

May 21, 2014, 1:46:23 PM
to securit...@googlegroups.com
This might work for you...

SharkTap Network Sniffer

From the description:
The SharkTap is a special purpose 10/100Base-T Ethernet switch that allows you to 'tap into' an Ethernet connection.
The SharkTap routes all packets to or from the 'device' and 'network' ports to a third 'tap' port.

http://www.amazon.com/midBit-Technologies-LLC-10-100/dp/B00DY77HHK/ref=sr_1_1?ie=UTF8&qid=1400693651&sr=8-1&keywords=shark+tap

Neil C.

May 23, 2014, 1:02:57 PM
to securit...@googlegroups.com
That looks cool and very low-cost but, if I'm not mistaken, it could be a single point of failure, i.e. it is not a 'failover' tap: if it loses power then it will stop passing traffic.

NetOptics used to have a good 1-port aggregation tap with dual power supplies but also "fail open" if both power inputs were lost. They have good bypass taps but I haven't used them and am not sure if this would be a viable SO setup to put it into IPS mode. Gigamon makes great taps but they are $$$.

sfear...@gmail.com

May 23, 2014, 4:25:52 PM
to securit...@googlegroups.com
Actually NetOptics is the maker of the regen taps I had ordered. I am replacing them with one of their other models that do aggregate traffic to single monitor ports.

Scott F.
