Deploying The Sensors With Fe Ports In Internal Tap Mode - McAfee M-1250 - Network Security Platform Deployment Manual

McAfee® Network Security Platform 6.0
Sensor Deployment Modes

Tap monitoring (Figure 7: Tap mode) can work in one of two ways for the 10/100 Monitoring ports on the I-1200 and I-2700 Sensors: the internal tap can be enabled, or the interface can be connected to an external tap. Sensor GBIC ports must use an external tap.

The benefits of using Sensors in tap mode are:

- Monitor uplinks passively. A tap adds no latency to your network traffic; the Sensor essentially sniffs a copy of the traffic as it passes.
- No need for SPAN ports. On most switches the SPAN port effectively operates in half-duplex mode: copies of both directions of a full-duplex link are merged onto a single transmit path, so a Fast Ethernet SPAN port can carry at most 100 Mbps of monitored traffic before it begins dropping packets. A full-duplex Fast Ethernet link can carry up to 200 Mbps (100 Mbps in each direction), so if the uplink is running at more than 100 Mbps aggregate, a Fast Ethernet SPAN port cannot keep up; a full-duplex tap, which delivers each direction to its own monitor port, can. A second problem is that most switches support only a limited number of SPAN ports, and there is typically a lot of competition for them (for example, from RMON probes and sniffers).
- Traffic continues to flow if the tap fails. Completely passive and fault tolerant, taps provide fail-safe operation with no impact on network connectivity or performance. Taps fail open, meaning that a failed Sensor permits traffic to continue to flow unimpeded.

The downside of tap mode is that, unlike in-line mode, you cannot prevent attacks. Tap mode is passive: the Sensor sees malicious traffic only as it passes, so detecting an attack in tap mode triggers a response after the attack packets have already been delivered. You also cannot inject response packets back through a tap; the Sensor provides Response ports for injecting response packets into the network.

Figure 7: Tap mode

Deploying the Sensors with FE ports in internal tap mode

The 10/100 (FE) monitoring ports can process network traffic in full-duplex stealth mode by enabling internal taps. In this mode, network segments are connected as in in-line mode, but the Sensor handles the traffic differently: the enabled internal tap receives the traffic, copies each incoming packet to the Sensor's detection processor, and forwards the original packet on unchanged.

By Sensor default, the ports (xA and xB, illustrated as 1A and 1B in the following illustration) are paired for full-duplex tap-mode monitoring. Data is looped back within the tap and a copy is forwarded to the rest of the Sensor per port. Responses are sent through a Response port to a switch or router.
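The SPAN-port bandwidth argument in the tap-mode benefits above is easier to reason about with numbers. The following is an added example, not code from this manual or from McAfee: a small fluid-queue simulation (a constructed model with assumed 100 Mbps ports and an assumed 1 Mbit SPAN buffer) that compares a half-duplex SPAN port, where both directions of the link share one transmit path, with a full-duplex tap that hands each direction to its own Sensor monitor port. A link carrying 60 Mbps each way is comfortably inside Fast Ethernet full-duplex, yet its 120 Mbps aggregate oversubscribes a single 100 Mbps SPAN egress and roughly 16% of the monitored traffic is never seen by the detection engine; the tap loses nothing.

```python
# Added illustration (not McAfee code): a fluid-queue model of monitoring
# capacity, comparing a half-duplex SPAN port with a full-duplex tap.
#
# Assumptions (all constructed for this example): the monitored link is
# Fast Ethernet, 100 Mbps per direction; the SPAN port copies both
# directions onto one 100 Mbps transmit path with a 1 Mbit buffer; the tap
# delivers each direction to its own 100 Mbps Sensor monitor port.
from dataclasses import dataclass

MS = 1 / 1000.0  # one simulation tick is one millisecond


@dataclass
class QueueStats:
    offered_mbit: float    # megabits the monitored link carried
    delivered_mbit: float  # megabits the monitoring port actually received
    dropped_mbit: float    # megabits discarded when the buffer overflowed

    @property
    def loss_ratio(self) -> float:
        """Fraction of monitored traffic the detection engine never saw."""
        return self.dropped_mbit / self.offered_mbit if self.offered_mbit else 0.0


def fluid_queue(arrival_mbps: float, service_mbps: float,
                buffer_mbit: float = 1.0, duration_ms: int = 1000) -> QueueStats:
    """Drain a constant arrival rate through a bounded buffer at service_mbps.

    Traffic beyond what the port can transmit in a tick accumulates in the
    buffer; anything beyond the buffer is tail-dropped, as a switch's SPAN
    egress queue would drop it.
    """
    backlog = delivered = dropped = 0.0
    for _ in range(duration_ms):
        backlog += arrival_mbps * MS            # megabits arriving this tick
        sent = min(backlog, service_mbps * MS)  # what the port can emit this tick
        backlog -= sent
        delivered += sent
        if backlog > buffer_mbit:               # buffer full: discard the excess
            dropped += backlog - buffer_mbit
            backlog = buffer_mbit
    return QueueStats(arrival_mbps * duration_ms * MS, delivered, dropped)


def span_port(tx_mbps: float, rx_mbps: float, span_mbps: float = 100.0) -> QueueStats:
    """Half-duplex SPAN: both directions of the link share one transmit path."""
    return fluid_queue(tx_mbps + rx_mbps, span_mbps)


def full_duplex_tap(tx_mbps: float, rx_mbps: float, port_mbps: float = 100.0):
    """Tap: each direction lands on its own monitor port, so capacity is per direction."""
    return fluid_queue(tx_mbps, port_mbps), fluid_queue(rx_mbps, port_mbps)


def compare(tx_mbps: float, rx_mbps: float) -> dict:
    """Loss ratio seen by the detection engine under each monitoring method."""
    span = span_port(tx_mbps, rx_mbps)
    tap_a, tap_b = full_duplex_tap(tx_mbps, rx_mbps)
    return {
        "link_aggregate_mbps": tx_mbps + rx_mbps,
        "span_loss_ratio": round(span.loss_ratio, 3),
        "tap_loss_ratio": round(max(tap_a.loss_ratio, tap_b.loss_ratio), 3),
    }


if __name__ == "__main__":
    # 60 Mbps each way is well within a 100 Mbps full-duplex link, yet the
    # 120 Mbps aggregate oversubscribes a single 100 Mbps SPAN egress.
    for tx, rx in [(40.0, 40.0), (60.0, 60.0), (90.0, 90.0)]:
        print(compare(tx, rx))
```

The operational point for sizing a deployment: packets the SPAN port drops are invisible to the Sensor, so an attack carried in them produces no alert at all. Per-direction monitor ports fed by a tap only drop when a single direction exceeds the port rate, which a Fast Ethernet link cannot do.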