nerdexam
Cisco

352-001 · Question #695

For which two reasons would you deploy an IDS sensor in promiscuous mode when designing a security solution? (Choose two.)

The correct answer is C. The solution is resistant to sensor failure E. The solution allows for signature-based pattern matching. An IDS deployed in promiscuous mode operates out-of-band on traffic copies, making it resilient to sensor failure and capable of signature-based detection without disrupting network flow.

Designing Security

Question

For which two reasons would you deploy an IDS sensor in promiscuous mode when designing a security solution? (Choose two.)

Options

  • AThe solution stops malicious traffic from reaching its intended target
  • BThe solution allows denying packets inline
  • CThe solution is resistant to sensor failure
  • DThe solution allows for stream normalization
  • EThe solution allows for signature-based pattern matching

How the community answered

(38 responses)
  • A
    11% (4)
  • B
    3% (1)
  • C
    82% (31)
  • D
    5% (2)

Why each option

An IDS deployed in promiscuous mode operates out-of-band on traffic copies, making it resilient to sensor failure and capable of signature-based detection without disrupting network flow.

AThe solution stops malicious traffic from reaching its intended target

Promiscuous mode IDS cannot stop malicious traffic from reaching its destination because it only inspects copies of packets after they have already been forwarded - it has no ability to intercept or drop live traffic.

BThe solution allows denying packets inline

Denying or dropping packets inline requires the device to be deployed as an IPS in inline mode, where it physically sits in the traffic path; promiscuous mode has no mechanism to block packets.

CThe solution is resistant to sensor failureCorrect

Because promiscuous mode places the IDS sensor out-of-band to receive only copies of traffic rather than sitting inline in the data path, a sensor failure or reboot does not interrupt network connectivity, making the solution resistant to sensor failure.

DThe solution allows for stream normalization

Stream normalization requires the sensor to intercept, reassemble, and rewrite TCP streams before forwarding them, which is only possible in inline mode where the sensor controls the actual packet flow.

EThe solution allows for signature-based pattern matchingCorrect

Promiscuous mode sensors receive full packet copies from a SPAN port or tap, providing all the data needed to compare traffic against known attack signatures, making signature-based pattern matching fully supported in this deployment mode.

Concept tested: IDS promiscuous mode capabilities and deployment constraints

Source: https://www.cisco.com/c/en/us/td/docs/security/ips/6-1/configuration/guide/cli/cliguide/cli_ids_ips.html

Topics

#IDS#promiscuous mode#signature-based detection#sensor failure

Community Discussion

No community discussion yet for this question.

Full 352-001 Practice