Tuesday 8 May 2012

Promiscuous Versus Inline Mode


Promiscuous Versus Inline Mode

Cisco IPS sensors can operate in either promiscuous or inline mode. Which mode to use depends on many considerations, including where the sensor sits in the network. In promiscuous mode, a network device (often a switch) captures traffic and forwards a copy of it to the sensor for analysis. Because the sensor works with a copy of the traffic, it performs IDS: it can detect an attack and send an alert (and take other actions), but it cannot prevent the attack from entering the network or a network segment, because it does not sit inline in the forwarding path.

Promiscuous Mode (IDS):

If a Cisco IPS device operates in inline mode, it can perform prevention rather than simple detection, because the device is in the actual traffic path. This makes it more effective against worms and atomic attacks (attacks that are carried out by a single packet).

Inline Mode:

To deploy in inline mode, you need to configure the sensor as a transparent Layer 2 device that passes traffic between two physical or virtual interfaces. The sensor then functions as a Layer 2 bridge between the network segments, and can block malicious traffic that tries to pass.


Keep in mind that a sensor could be configured inline and set up so that it only alerts and does not drop packets. This is an example of an inline configuration where only IDS is performed.


IPS Version 7.0 software permits a device to do promiscuous mode and inline mode simultaneously, which allows some segments to be monitored for IDS only while other segments use IPS protection.
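The following is an added toy model of the two placements described above, not Cisco code or configuration: a sensor with one constructed single-packet signature is either fed a switch copy of the traffic (promiscuous) or bridges the two segments (inline), and the inline sensor can be set to alert only or to drop. It shows why a promiscuous sensor's verdict never affects delivery, while an inline sensor stops the atomic attack only when configured to drop.

```python
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


@dataclass
class Sensor:
    mode: str              # "promiscuous" (SPAN copy) or "inline" (L2 bridge)
    action: str = "alert"  # "alert" only, or "drop" the offending packet
    alerts: list = field(default_factory=list)

    def matches(self, pkt: Packet) -> bool:
        # Constructed single-packet ("atomic") signature for the demo only.
        return b"ATTACK" in pkt.payload

    def inspect(self, pkt: Packet) -> bool:
        """Sensor verdict: True means let the packet through."""
        if self.matches(pkt):
            self.alerts.append((self.mode, self.action, pkt.src, pkt.dst))
            return not (self.mode == "inline" and self.action == "drop")
        return True


def forward(pkt: Packet, sensor: Sensor) -> bool:
    """Model the forwarding path; True if pkt reaches the far segment."""
    if sensor.mode == "promiscuous":
        # The switch forwards the original and hands the sensor a copy,
        # so the sensor's verdict cannot affect delivery of the original.
        sensor.inspect(pkt)
        return True
    # Inline: the sensor bridges the two interfaces, so its verdict decides.
    return sensor.inspect(pkt)


def run(mode: str, action: str = "alert"):
    """Push one benign and one attack packet (both constructed) through a sensor."""
    sensor = Sensor(mode=mode, action=action)
    pkts = [Packet("10.0.0.5", "10.0.1.9", b"GET /index.html"),
            Packet("10.0.0.7", "10.0.1.9", b"ATTACK marker (constructed)")]
    delivered = [forward(p, sensor) for p in pkts]
    return delivered, len(sensor.alerts)


if __name__ == "__main__":
    for cfg in [("promiscuous", "alert"), ("inline", "alert"), ("inline", "drop")]:
        print(cfg, run(*cfg))
```

In all three configurations the sensor raises exactly one alert; only the inline sensor with the drop action prevents the attack packet from reaching the far segment.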
