CISSP · Question #540
Which is the RECOMMENDED configuration mode for sensors for an intrusion prevention system (IPS) if the prevention capabilities will be used?
The correct answer is C. Inline. For an IPS to actively block or prevent malicious traffic, sensors must be deployed inline so that all traffic physically passes through the device, enabling real-time prevention actions.
Question
Options
- AActive
- BPassive
- CInline
- DSpan
How the community answered
(34 responses)- B3% (1)
- C91% (31)
- D6% (2)
Why each option
For an IPS to actively block or prevent malicious traffic, sensors must be deployed inline so that all traffic physically passes through the device, enabling real-time prevention actions.
Active is not a standard IPS sensor deployment mode terminology; it does not describe a physical or logical network placement configuration for IPS sensors.
Passive mode means the sensor receives a copy of traffic (typically via a SPAN port or tap) and can only detect and alert on threats without the ability to block or drop packets, making it suitable for IDS but not IPS prevention.
Inline mode places the IPS sensor directly in the path of network traffic, meaning all packets must traverse the sensor before reaching their destination. This deployment model is required for prevention capabilities because the sensor can drop, block, or modify malicious packets in real time before they reach the target, which is the defining characteristic of an IPS versus an IDS.
SPAN (Switched Port Analyzer) is a method of feeding a copy of traffic to a sensor for monitoring purposes, which like passive mode only allows detection and alerting, not active prevention or packet blocking.
Concept tested: IPS sensor inline deployment mode for prevention
Source: https://www.cisco.com/c/en/us/td/docs/security/ips/7-0/configuration/guide/idm/idmguide7/idm_interfaces.html
Topics
Community Discussion
No community discussion yet for this question.