Plumspace's Smart SFP TAP can monitor, capture or relay gigabit-speed comms – for legitimate business reasons

Hardware hacker Ben Cox has spotted an interesting bit of kit that we're sure has entirely reasonable uses other than network intrusion: Plumspace's Smart SFP TAP. You can't trust cables. We're not just talking about the well-established quantum nature of USB Type A connectors, where despite the fact that it occupies three …

  1. Down not across

    Throughput not great

    I read an article by someone who played with that and using it inline might not be so great since throughput was about 125mbit/s, so big hit if you're expecting gigabit link. Far short from "wirespeed" as the company advertises. Perhaps it could tap in to traffic rather than be "in-line" and the chap writing the article missed that.

    1. Anonymous Coward

      Re: Throughput not great

      That's indeed more "wet string" speed :)

      1. Paul Kinsler

        Re: Throughput not great

        Indeed. It's about 8 seconds since I last got a bit through at that speed :-)

        1. Down not across

          Re: Throughput not great

          Ahem yes. my shift key is a bit temperamental, but at least in the less annoying way.

          Obviously I did mean to write 125 Mbps, still rather a lot less than 1Gbps "wirespeed" and their specs and datasheets even mention 10Gbps links.

  2. Anonymous Coward

    There ARE legitimate reasons out there, though

    The first sign you usually get that something has gone rogue is through unusual network traffic, so having something that can sit on top and keep an eye on it via Bayesian or AI functionality isn't a bad idea - provided it can keep up. The problem with a SPAN port is that all the traffic that a switch normally segregates exactly for performance reasons now suddenly has to pass through one point so if that can't keep up you have a problem (which is why I assume you'd implement a non-benign tap in a lossy manner so nobody notices a performance hit).

    The idea strikes me as interesting for interim analytical use - I can't see this survive long as part of a fixed installation because I fear heat will reduce the life of this quite substantially.

    To detect this in a DC would indeed need a sharp eye. I would say keep your cages closed, but the locks on most of these are pathetic and can probably be picked with a bent paperclip and some applied swearing..

    1. Down not across

      Re: There ARE legitimate reasons out there, though

      "The idea strikes me as interesting for interim analytical use - I can't see this survive long as part of a fixed installation because I fear heat will reduce the life of this quite substantially."

      I agree. The fairly low power ARM has limited grunt for anything serious, but I could see some use as something like a temporary ntp server or ERSPAN (or netflow) collector.

      You're not wrong about the heat, I seem to recall that the article I read elsewhere said it got rather hot after a while.

  3. Anonymous Coward

    ......but it's not clear whether the monitored traffic....

    1. .....is being routed OVER the wired network (using a separate IP)....

    2. .....or whether it's being sent wirelessly to some remote listener.

    The USB cable with the built in phone is obviously doing #2. Not so obvious for the Plumspace device(s)....even after reading the documentation!

    Now....if BOTH devices were to snoop via wireless.........

    1. doublelayer Silver badge

      Re: ......but it's not clear whether the monitored traffic....

      Depending on the use case, there's another option:

      3. It's not sending the data, but it is manipulating it to modify the traffic sent through it.

      Even if it is one of the others, it could be either depending on what the attacker (or normal business user) wants. If they can get away with using the network it's already on, they can upload captured data that way. If they're afraid that will be spotted, they could add a different channel for getting the data out.

  4. Anonymous Coward

    nice idea but

    SFP is pretty much obsolete these days, as is 1 Gbit and increasingly 10 Gbit optical networking. Enterprise networking deployments moved on to QSFP several years ago and the minimum speed one typically sees in optical networks is now 4x10; most newer trunks are 4x25 or better. A device that can intercept traffic at 125 Mbit/s or even 1 Gbit/s is more a curiosity than a genuine piece of enterprise networking technology. I'd be surprised if this is being used anywhere other than maybe an outdated branch office setup or monitoring a link to a very old server (the one that was installed with the very hottest technology in 2004 and never touched since because it's "too important to risk it"). While there are some security and reliability advantages over switches' built-in monitoring functionality, the limitations seem too severe for this to be of much real use.

  5. Cuddles
    Windows

    When is a wire not a wire?

    "COTTONMOUTH, a bargain-priced $20,000 USB 2 cable that could wirelessly intercept or modify communications between a PC and USB peripherals."

    Interesting philosophical question - is it possible to perform a wireless intercept when the device performing the intercept is itself a wire?

    Icon: A philosopher.
