352-001 · Question #695
For which two reasons would you deploy an IDS sensor in promiscuous mode when designing a security solution? (Choose two.)
The correct answer is C. The solution is resistant to sensor failure E. The solution allows for signature-based pattern matching. An IDS deployed in promiscuous mode operates out-of-band on traffic copies, making it resilient to sensor failure and capable of signature-based detection without disrupting network flow.
Question
For which two reasons would you deploy an IDS sensor in promiscuous mode when designing a security solution? (Choose two.)
Options
- AThe solution stops malicious traffic from reaching its intended target
- BThe solution allows denying packets inline
- CThe solution is resistant to sensor failure
- DThe solution allows for stream normalization
- EThe solution allows for signature-based pattern matching
How the community answered
(38 responses)- A11% (4)
- B3% (1)
- C82% (31)
- D5% (2)
Why each option
An IDS deployed in promiscuous mode operates out-of-band on traffic copies, making it resilient to sensor failure and capable of signature-based detection without disrupting network flow.
Promiscuous mode IDS cannot stop malicious traffic from reaching its destination because it only inspects copies of packets after they have already been forwarded - it has no ability to intercept or drop live traffic.
Denying or dropping packets inline requires the device to be deployed as an IPS in inline mode, where it physically sits in the traffic path; promiscuous mode has no mechanism to block packets.
Because promiscuous mode places the IDS sensor out-of-band to receive only copies of traffic rather than sitting inline in the data path, a sensor failure or reboot does not interrupt network connectivity, making the solution resistant to sensor failure.
Stream normalization requires the sensor to intercept, reassemble, and rewrite TCP streams before forwarding them, which is only possible in inline mode where the sensor controls the actual packet flow.
Promiscuous mode sensors receive full packet copies from a SPAN port or tap, providing all the data needed to compare traffic against known attack signatures, making signature-based pattern matching fully supported in this deployment mode.
Concept tested: IDS promiscuous mode capabilities and deployment constraints
Source: https://www.cisco.com/c/en/us/td/docs/security/ips/6-1/configuration/guide/cli/cliguide/cli_ids_ips.html
Topics
Community Discussion
No community discussion yet for this question.