Net Optics PA-CU-AR User Manual
10/100 Port Aggregator Tap
Active Response Tap FAQs
Q: What types of active responses are supported?
A: With an Active Response Dual Port Aggregator Tap, an administrator can
transmit any type of Ethernet packet back into the original link, supporting all
common types of active responses generated by intrusion detection systems,
and by intrusion prevention systems deployed in passive mode. The most
common response types are TCP resets and firewall rule changes. While the
Tap can support both types of responses, we advocate extreme caution in
dynamically updating firewall rules due to the risk of disabling network services.
Because most firewalls are managed out-of-band, however, it is unlikely that
the Regeneration Tap will be part of a rule change scenario.
Q: How are collisions avoided when active responses are transmitted back
into the original link?
A: On each side of the full-duplex link, there is a small buffer for traffic
arriving from the network, and another small buffer for active response traffic
arriving from the monitoring device. Traffic is released from this buffer pair
on a first-in, first-out basis. If both sides of the buffer are empty and a packet
originating from the monitoring device and a packet originating from the
network arrive at the same time, priority is given to the network packet.
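
The release rule described above can be modeled for one direction of the link to see how long an active response waits behind network traffic. This is an added example, not Net Optics code: the function name, the fixed per-packet transmit time, the unbounded buffers, and applying the network-first rule to every equal-arrival tie are assumptions.

```python
from collections import deque

NETWORK, MONITOR = "network", "monitor"

# Constructed sample: (arrival_time, source, label) for one link direction.
SAMPLE_ARRIVALS = [
    (0.0, MONITOR, "rst-1"), (0.0, NETWORK, "net-1"),
    (0.5, NETWORK, "net-2"), (0.2, MONITOR, "rst-2"),
    (5.0, MONITOR, "rst-3"),
]

def release_order(arrivals, tx_time=1.0):
    """Return [(start_time, source, label)] in the order packets leave the tap.

    Assumed model: one buffer per source, each packet occupies the link for
    tx_time, and the buffer pair is drained oldest-arrival-first with ties
    going to the network packet.
    """
    pending = sorted(arrivals, key=lambda a: a[0])
    bufs = {NETWORK: deque(), MONITOR: deque()}
    out, now, i = [], 0.0, 0
    while i < len(pending) or bufs[NETWORK] or bufs[MONITOR]:
        # Link idle and both buffers empty: wait for the next arrival.
        if not bufs[NETWORK] and not bufs[MONITOR]:
            now = max(now, pending[i][0])
        # Queue everything that arrived while the link was busy.
        while i < len(pending) and pending[i][0] <= now:
            t, src, label = pending[i]
            bufs[src].append((t, label))
            i += 1
        # Compare buffer heads: earliest arrival wins, network wins a tie.
        heads = [(bufs[s][0][0], 0 if s == NETWORK else 1, s)
                 for s in (NETWORK, MONITOR) if bufs[s]]
        _, _, src = min(heads)
        _, label = bufs[src].popleft()
        out.append((now, src, label))
        now += tx_time
    return out

if __name__ == "__main__":
    for start, src, label in release_order(SAMPLE_ARRIVALS):
        print(f"t={start:4.1f}  {src:8s} {label}")
```
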