FAQ » How is intrusion detection possible in a switched network?

There are three ways of giving the PacketAlarm sensor access to the traffic on a switched network:

· Inserting a shared media hub
· Inserting an Ethernet tap
· Port mirroring using SPAN ports (mirror ports, monitor ports)

Shared media hub
Inserting a shared media hub into the link you wish to monitor, between the switch and the station or server, is the simplest and most cost-effective method. However, it also has the greatest effect on the monitored connection: the link loses full duplex mode, and a 'mini' shared segment is formed with all the disadvantages of a shared media segment. Obviously, only traffic that passes through this hub can be monitored.

Ethernet tap
Inserting an Ethernet tap avoids the loss of full duplex mode inherent in a shared media hub. The tap is a passive component whose task is to reproduce the useful signal 1:1 at its monitor port. This works in full duplex mode, provided both the tap and the monitoring device are designed for full duplex operation. The IDS cannot transmit data over this connection (so it cannot send reset packets either). Even if the tap loses power, the monitored link remains fully functional. We distinguish between single-port taps and multi-port taps.

Single port taps
As with the hub, an Ethernet tap can only monitor traffic that passes through it. If you wish to monitor several connections, a corresponding number of single-port Ethernet taps, and hence PacketAlarm sensors, are required, or you must use:

Multi port taps
These have several link inputs, so one PacketAlarm sensor can monitor several switch connections at once.

Port mirroring
Port mirroring makes use of a switch's ability to copy traffic flows to an additional measurement port. PacketAlarm is connected to this port and monitors the copied traffic. Not every switch can define such a mirror port, so this method is limited to switch environments where mirror ports are available. There is another problem: the primary task of a switch is to forward all data 'correctly' and as fast as possible. If the switch has to handle many connections at the same time, auxiliary tasks can lose out in rare cases: when in doubt, the mirror function takes a back seat, and not all of the data reaches the mirror port. There are various ways of configuring switch mirroring:

· In the first case, all the data from one station is sent to the mirror port. You define the port whose traffic is to be mirrored. This procedure analyses the traffic of one station only, regardless of the destination address.

· In the second case, the data of one connection is sent to the mirror port. Here the traffic is filtered by source and destination address, so you see, for instance, all the packets exchanged between station A and the server.

· In the third case, all the data passing through the switch, at every port, is sent to the mirror port. In certain cases this means a considerable volume of traffic.

Overloading of the mirror port can occur on a standard 10/100 Mbps switch, because the total data volume across all ports can exceed the 100 Mbps capacity of the mirror port. There is a risk that some of the useful data never arrives at the mirror port, or is overlooked. The last variant can also impair the switch's forwarding performance. Nevertheless, this method comes closest to monitoring a shared media segment, since all the traffic in the segment is monitored.
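As an added illustration (not PacketAlarm code), the following Python script models the load that each of the three mirroring configurations offers to a 100 Mbps mirror port and flags oversubscription before a sensor is deployed; the port names, traffic rates, the 100 Mbps capacity and the assumption that a mirrored full-duplex link contributes both of its directions are constructed.

```python
from dataclasses import dataclass
from typing import Sequence

MIRROR_CAPACITY_MBPS = 100.0  # assumption: mirror port on a 10/100 Mbps switch

@dataclass(frozen=True)
class Flow:  # one direction of traffic between two switch ports (constructed model)
    ingress_port: str  # port on which the frames enter the switch
    egress_port: str   # port on which the frames leave the switch
    mbps: float

def mirror_load_port(flows: Sequence[Flow], port: str, both_directions: bool = True) -> float:
    """Mode 1: mirror one station's port; rx+tx copies both directions of its full-duplex link."""
    return sum(f.mbps for f in flows
               if f.ingress_port == port or (both_directions and f.egress_port == port))

def mirror_load_connection(flows: Sequence[Flow], port_a: str, port_b: str) -> float:
    """Mode 2: mirror only the traffic exchanged between two stations."""
    pair = {port_a, port_b}
    return sum(f.mbps for f in flows if {f.ingress_port, f.egress_port} == pair)

def mirror_load_all(flows: Sequence[Flow], both_directions: bool = True) -> float:
    """Mode 3: mirror every port; rx+tx copies each frame twice (entering and leaving the switch)."""
    return (2 if both_directions else 1) * sum(f.mbps for f in flows)

def oversubscribed(load_mbps: float, capacity_mbps: float = MIRROR_CAPACITY_MBPS) -> bool:
    """True when mirrored frames would have to be dropped or deprioritised by the switch."""
    return load_mbps > capacity_mbps

# Constructed sample: four stations (p1-p4) and a server on p5, rates in Mbps.
SAMPLE_FLOWS = [
    Flow("p1", "p5", 40.0), Flow("p5", "p1", 50.0),  # station A <-> server
    Flow("p2", "p5", 30.0), Flow("p5", "p2", 70.0),  # station B <-> server
    Flow("p3", "p4", 20.0), Flow("p4", "p3", 20.0),  # two stations talking directly
]

def report(flows: Sequence[Flow] = SAMPLE_FLOWS) -> dict:
    """Offered mirror-port load and oversubscription verdict for each configuration."""
    loads = {
        "port p5 (server, rx+tx)": mirror_load_port(flows, "p5"),
        "connection p1<->p5": mirror_load_connection(flows, "p1", "p5"),
        "all ports (rx+tx)": mirror_load_all(flows),
        "all ports (rx only)": mirror_load_all(flows, both_directions=False),
    }
    return {name: (load, oversubscribed(load)) for name, load in loads.items()}

if __name__ == "__main__":
    for name, (load, over) in report().items():
        print(f"{name:26s} {load:6.1f} Mbps  {'OVERSUBSCRIBED' if over else 'ok'}")
```

Note that even mirroring a single busy server port in both directions (190 Mbps in the sample) exceeds the 100 Mbps mirror port, which is why a tap or a connection-filtered mirror is often the only lossless option on a 10/100 switch.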
 

© 2010 by Funkwerk IP-Appliances GmbH