nerdexam
Cisco

352-001 · Question #321

Which three reasons to deploy an IDS sensor in promiscuous mode when you design a security solution are true? (Choose three.)

The correct answer is A. Solution should be resistant to sensor failure. C. Solution should not impact jitter and latency for voice traffic. D. Solution should allow for signature-based pattern matching.. An IDS sensor in promiscuous mode receives out-of-band copies of traffic via SPAN or TAP, making it ideal when the design requires no traffic path impact, fault tolerance, and passive signature-based detection.

Designing Security

Question

Which three reasons to deploy an IDS sensor in promiscuous mode when you design a security solution are true? (Choose three.)

Options

  • ASolution should be resistant to sensor failure.
  • BSolution should allow for stream normalization.
  • CSolution should not impact jitter and latency for voice traffic.
  • DSolution should allow for signature-based pattern matching.
  • ESolution should allow to deny packets inline.

How the community answered

(25 responses)
  • A
    72% (18)
  • B
    12% (3)
  • E
    16% (4)

Why each option

An IDS sensor in promiscuous mode receives out-of-band copies of traffic via SPAN or TAP, making it ideal when the design requires no traffic path impact, fault tolerance, and passive signature-based detection.

ASolution should be resistant to sensor failure.Correct

Because the promiscuous sensor is not inline and only receives mirrored copies of traffic, a sensor failure does not disrupt network connectivity - the network continues to forward traffic unaffected by sensor outages.

BSolution should allow for stream normalization.

Stream normalization requires the sensor to hold, reorder, and reassemble actual packets before forwarding them to defeat evasion techniques, which is only possible when the sensor operates inline in IPS mode with access to the live packet stream.

CSolution should not impact jitter and latency for voice traffic.Correct

Promiscuous mode places the sensor entirely outside the forwarding path so it adds zero latency or jitter to live traffic, which is critical for real-time voice applications that are sensitive to any forwarding delay.

DSolution should allow for signature-based pattern matching.Correct

An IDS in promiscuous mode can inspect full packet copies and apply deep signature-based pattern matching against known attack patterns, fulfilling the core IDS detection function without affecting original traffic flow.

ESolution should allow to deny packets inline.

Blocking or denying packets requires the sensor to be inline in the traffic path where it can intercept and drop packets before delivery; a promiscuous sensor only receives copies and has no ability to prevent the original packet from reaching its destination.

Concept tested: IDS promiscuous mode deployment benefits and limitations

Source: https://www.cisco.com/c/en/us/td/docs/security/ips/7-0/configuration/guide/idm/idmguide7/idm_interfaces.html

Topics

#IDS#promiscuous mode#signature-based detection#sensor failure resilience

Community Discussion

No community discussion yet for this question.

Full 352-001 Practice