Suggested Answer: DE
Section: Considerations for Expanding an Existing Network

Explanation
Cisco Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) devices are similar in that they both provide real-time monitoring of malicious traffic and they can both use signatures to detect malicious traffic. Signature-based detection methods use specific strings of text to detect malicious traffic. Protocols and port numbers can be checked to further narrow the malicious traffic pattern that matches a signature. The benefit of signature-based detection methods is that the number of false positives generated is typically low. Other detection methods employed by IPS and IDS devices include policy-based detection and anomaly-based detection. Policy-based detection methods use algorithms to detect patterns in network traffic. Anomaly-based detection methods detect abnormal behavior on a network by comparing traffic against what has been classified as normal or abnormal.

IPS devices sit in the path of network traffic; IDS devices do not. Because traffic flows through an IPS, an IPS can detect malicious traffic as it enters the IPS device and can prevent the malicious traffic from infiltrating the network. An IPS is typically installed inline on the inside interface of a firewall. Placing the IPS behind the firewall ensures that the IPS does not waste its resources processing traffic that will ultimately be discarded by the firewall; however, this placement prevents the IPS from having visibility into traffic that is not destined to pass through the firewall. The following diagram illustrates an IPS operating in inline mode:

[Diagram: IPS operating in inline mode]

By contrast, an IDS device merely sniffs the network traffic by using a promiscuous network interface, which is typically connected to a Remote Switched Port Analyzer (RSPAN) port on a switch. Because network traffic does not flow through an IDS device, the IDS device functions as a passive sensor and cannot directly prevent malicious traffic from infiltrating the network. However, when an IDS detects malicious traffic, it can alert other network devices in the traffic path so that further traffic can be blocked. In addition, an IDS can be configured to send a Transmission Control Protocol (TCP) reset notification to the source and destination addresses. The following diagram illustrates an IDS operating in promiscuous mode:

[Diagram: IDS operating in promiscuous mode]

An IPS can be configured to operate in monitor-only mode, which effectively makes the IPS function as an IDS. When operating in monitor-only mode, an IPS does not sit in line with the flow of traffic and must rely on a passive connection to an RSPAN port in order to have the most visibility into the internal network.

Reference: Cisco: Managed Security Services Partnering for Network Security: Managed Intrusion Detection and Prevention Systems
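The following is an added example, not part of the explanation above or of any Cisco product, that models the two points the text makes: a signature is a text string optionally qualified by protocol and destination port (so the same string on another port does not fire), and an inline IPS drops the matching packet while a promiscuous-mode sensor can only alert and send TCP resets. The signatures, packets and addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes                   # the specific string of text the signature looks for
    protocol: Optional[str] = None   # e.g. "tcp"; None means any protocol
    dst_port: Optional[int] = None   # None means any destination port

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    dst_port: int
    payload: bytes

# Constructed sample signatures (hypothetical; not real vendor signatures).
SIGNATURES: List[Signature] = [
    Signature("http-path-traversal", b"../../", protocol="tcp", dst_port=80),
    Signature("generic-test-string", b"EVIL-STRING"),  # unqualified: any protocol/port
]

def match(packet: Packet, sigs: List[Signature] = SIGNATURES) -> Optional[Signature]:
    """Return the first signature whose string, protocol and port qualifiers all match."""
    for sig in sigs:
        if sig.protocol is not None and sig.protocol != packet.protocol:
            continue  # protocol qualifier suppresses the match
        if sig.dst_port is not None and sig.dst_port != packet.dst_port:
            continue  # port qualifier suppresses the match
        if sig.pattern in packet.payload:
            return sig
    return None

def sensor(packet: Packet, inline: bool) -> dict:
    """Inline IPS drops the packet; promiscuous IDS forwards it, alerts, and emits TCP resets."""
    sig = match(packet)
    if sig is None:
        return {"verdict": "forward", "alert": None, "reset": []}
    if inline:
        return {"verdict": "drop", "alert": sig.name, "reset": []}
    # Passive sensor: traffic is already past it, so only alert and reset both TCP endpoints.
    resets = [packet.src, packet.dst] if packet.protocol == "tcp" else []
    return {"verdict": "forward", "alert": sig.name, "reset": resets}
```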
200-310 Exam Questions