Frequently Asked Questions

Q: What types of active responses are supported?

A: With an Active Response Regeneration Tap, an administrator can transmit any type of Ethernet packet back into the original link, supporting all common types of active responses generated by intrusion detection systems, and by intrusion prevention systems deployed in passive mode. The most common response types are TCP resets and firewall rule changes. While the Tap can support both types of responses, we advocate extreme caution in dynamically updating firewall rules, due to the risk of disabling network services. Because most firewalls are managed out-of-band, however, it is unlikely that the Regeneration Tap would be part of a rule change scenario.

Q: How are collisions avoided when active responses are transmitted back into the original link?

A: On each side of the full-duplex link, there is a small buffer for traffic arriving from the network, and another small buffer for active response traffic arriving from the monitoring device. Traffic is released from this buffer pair on a first-in, first-out basis. If both sides of the buffer are empty and a packet originating from the monitoring device and a packet originating from the network arrive at the same time, priority is given to the network packet.

Q: How much bandwidth is available on the Active Response Port?

A: The average amount of bandwidth for active responses is determined by the average available capacity on the link. For example, on a 100 Mbps full-duplex link, if transmission from device A to device B averages 30 Mbps, and transmission from device B to device A averages 50 Mbps, then there is average capacity on the first side for 70 Mbps, and on the second side for up to 50 Mbps of active response traffic. At any particular point in time, actual capacity is determined by the size of the packets being transmitted, and the gap between these packets.

On a standard link with 64-byte network and active response traffic, the capacity at any point in time will be very close to the average capacity. (We do not recommend using the Tap on links with jumbo packets, as these large packets, up to 9K, can fill the buffer and impact performance.)

As the most common use for the Tap will be to inject TCP resets, which are standard 64-byte packets, it is unlikely that the transmissions from either side of the Active Response Port will exceed 10 Mbps, even if many sessions are terminated in a short time frame. Subject to available capacity, we recommend the use of the Active Response Port at speeds up to 10 percent of link bandwidth, which is 10 Mbps on a 100 Mbps link.

Q: Does the Active Response Port require the connected monitoring device to have an IP address?

A: Yes, the connected monitoring device is required to have a MAC and IP address when the Active Response Port is operating in active mode. These are not required when this Port is set to passive mode. The Tap itself never has a MAC or IP address, regardless of how the Active Response Port is set.

Operating Specifications:
Operating Temperature: 0°C to 55°C
Storage Temperature: -10°C to 70°C
Relative Humidity: 10% min, 95% max, non-condensing

Mechanical Specifications:
Redundant Power Supply: 100-240VAC, 0.5A ~ 47-63Hz
Dimensions: 1.75" high x 10.5" deep x 17" wide
Connectors:
(6) RJ45 Connectors (Passive Monitor Ports)
(2) RJ45 Connectors (Passive Monitor/Active Response Ports)
(2) RJ45 Connectors (Network Ports)

Cable Interface: Copper Cable Type: 22-24 AWG unshielded twisted pair cable, CAT5/CAT5E
Link Distance Supported: 100 meters

Certifications: Fully RoHS compliant

Part Number: RGN-CU-AR-IL4
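
The release rule from the collision-avoidance answer (first-in, first-out across the buffer pair, network frame first on a simultaneous arrival) can be modelled for one direction of the link to see how long an injected TCP reset waits behind network traffic, including the jumbo-frame case the bandwidth answer cautions against. This is an added illustration, not vendor code; the function names, the unbounded buffer, the standard Ethernet preamble and inter-frame gap overhead, and the arrival times are assumptions made for the example.

```python
# Added illustration: a model of one direction of the tapped link, not vendor code.
# Assumption: each frame also occupies the wire for the standard Ethernet
# preamble + SFD (8 bytes) and inter-frame gap (12 bytes).
WIRE_OVERHEAD = 20

def frame_time_us(size_bytes, link_mbps=100):
    """Microseconds one frame occupies the wire at link_mbps."""
    return (size_bytes + WIRE_OVERHEAD) * 8 / link_mbps

def arbitrate(network, response, link_mbps=100):
    """Merge two arrival lists [(arrival_us, size_bytes), ...] onto one wire.

    Frames are released in arrival order (FIFO across the buffer pair); when a
    network frame and a response frame arrive together, the network frame wins.
    Buffer depth is treated as unbounded (assumption; the page only says "small").
    Returns [(source, arrival_us, start_us), ...] in transmission order.
    """
    # Sort key: arrival time, then source (0 = network sorts before 1 = response).
    pending = sorted([(t, 0, size) for t, size in network] +
                     [(t, 1, size) for t, size in response])
    schedule, wire_free = [], 0.0
    for arrival, source, size in pending:
        start = max(arrival, wire_free)  # wait until the wire is idle
        wire_free = start + frame_time_us(size, link_mbps)
        schedule.append(("network" if source == 0 else "response", arrival, start))
    return schedule

def max_wait(schedule):
    """Longest buffering delay in microseconds, per traffic source."""
    waits = {}
    for source, arrival, start in schedule:
        waits[source] = max(waits.get(source, 0.0), start - arrival)
    return waits

if __name__ == "__main__":
    # Constructed arrivals: a reset and a network frame arrive at the same instant.
    tie = arbitrate(network=[(0.0, 64), (10.0, 64)], response=[(0.0, 64)])
    print("64-byte traffic:", tie, max_wait(tie))
    # Constructed arrivals: a reset arrives just after a 9000-byte jumbo frame starts.
    jumbo = arbitrate(network=[(0.0, 9000)], response=[(1.0, 64)])
    print("jumbo frame:   ", jumbo, max_wait(jumbo))
```

With 64-byte traffic the reset and the following network frame are each held for only a few microseconds, while a single jumbo frame ahead of the reset holds it for roughly a hundred times longer.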