IDS/IPS sensors operate in promiscuous mode by default. This means that a device (often a switch) captures traffic and forwards a copy to the sensor for analysis. Because the sensor is working with a copy of the traffic, it is performing intrusion detection. It can detect an attack and send an alert (and take other actions), but it does not prevent the attack from entering the network or a network segment.
 
 
It cannot prevent the attack because it is not operating on traffic “inline” in the forwarding path. If an IPS device is operating in inline mode, it can perform prevention as opposed to mere detection, because the IPS device is in the actual traffic path. This makes the device more effective against worms and atomic attacks (attacks that are carried out by a single packet).
 
To configure inline mode, you require two monitoring interfaces that are defined in the sensor as an inline pair. This pair of interfaces acts as a transparent Layer 2 structure that can drop an attack that fires a signature.
 
Keep in mind that a sensor could be configured inline but could be set up so that it only alerts and doesn’t drop packets.
 
This diagram shows an example of both modes using Cisco's ASA FirePOWER module.
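On an ASA, the choice between the two modes is made in the service policy that redirects traffic to the FirePOWER (SFR) module. The configuration below is an added example, not taken from the original article; the names SFR_TRAFFIC and SFR_CLASS are assumptions, and only one of the two options is applied on a given ASA.

```text
! Added example. SFR_TRAFFIC and SFR_CLASS are assumed names.
! Select the traffic that the ASA hands to the FirePOWER (SFR) module.
access-list SFR_TRAFFIC extended permit ip any any
!
class-map SFR_CLASS
 match access-list SFR_TRAFFIC
!
! Option A: promiscuous (monitor-only) mode.
! The ASA forwards the original packet and sends the module a copy.
! The module can alert on the copy but cannot drop the real traffic.
policy-map global_policy
 class SFR_CLASS
  sfr fail-open monitor-only
!
! Option B: inline mode.
! The packet itself passes through the module before it is forwarded,
! so a signature that fires can drop it.
! fail-open  = keep forwarding traffic if the module is unavailable.
! fail-close = block traffic if the module is unavailable.
policy-map global_policy
 class SFR_CLASS
  sfr fail-open
!
! Apply the policy globally.
service-policy global_policy global
```

With Option B in place, whether a matching packet is actually dropped still depends on the intrusion policy on the module, which can be left to alert only.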
 
 

This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.

Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...

She is so obsessed with the Cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about Cybersecurity on the website and social media platforms.

34,000+ professionals follow her on Facebook and are mesmerized by the quality of her posts there.
