nerdexam
Cisco

400-007 · Question #354

Company XYZ wants to implement an IPS device to detect and block well-known attacks against their network. They want a design solution where all packets that are forwarded to the network are checked a

The correct answer is B. Deploy an IPS behind the firewall in in-line mode. This question tests knowledge of IPS deployment modes and placement within a network security architecture to enable active traffic blocking with minimal performance overhead.

Designing Security

Question

Company XYZ wants to implement an IPS device to detect and block well-known attacks against their network. They want a design solution where all packets that are forwarded to the network are checked against a signature database before being allowed through. This check must be done with the minimum effect on performance. Which design is recommended?

Options

  • ADeploy an IPS behind the firewall in promiscuous mode
  • BDeploy an IPS behind the firewall in in-line mode
  • CDeploy an IPS in front of the firewall in promiscuous mode
  • DDeploy and IPS in front of the firewall in in-line mode

How the community answered

(45 responses)
  • A
    2% (1)
  • B
    78% (35)
  • C
    7% (3)
  • D
    13% (6)

Why each option

This question tests knowledge of IPS deployment modes and placement within a network security architecture to enable active traffic blocking with minimal performance overhead.

ADeploy an IPS behind the firewall in promiscuous mode

Promiscuous mode receives a copy of traffic rather than being in the traffic path, so it can alert on attacks but cannot actively block packets in real time.

BDeploy an IPS behind the firewall in in-line modeCorrect

Deploying the IPS behind the firewall in inline mode is recommended because inline mode places the IPS directly in the traffic path, enabling it to actively inspect and block malicious packets before they reach the internal network. Placing it behind the firewall means the firewall first filters out obviously invalid traffic, reducing the volume of packets the IPS must inspect and thereby minimizing the performance impact on the IPS device.

CDeploy an IPS in front of the firewall in promiscuous mode

Promiscuous mode in front of the firewall still cannot block traffic inline, and placing it before the firewall means it processes all external traffic including packets the firewall would have discarded anyway, increasing load unnecessarily.

DDeploy and IPS in front of the firewall in in-line mode

Placing the IPS in front of the firewall in inline mode forces it to inspect every packet arriving from the internet before any firewall filtering occurs, significantly increasing processing load and reducing performance.

Concept tested: IPS inline vs promiscuous mode and placement

Source: https://www.cisco.com/c/en/us/td/docs/security/ips/7-0/configuration/guide/idm/idmguide7/idm_interfaces.html

Topics

#IPS#inline mode#firewall placement#intrusion prevention

Community Discussion

No community discussion yet for this question.

Full 400-007 Practice