ips proactive

cfajardo1_2
Level 1

I am quite confused about the way IPS does the proactive measures...

I understood that IPS uses 2 monitoring interfaces to do the inline mode.

Questions:

1. Could the IPS do blocking by itself alone? I ask this because in some articles it says that it has to modify some ACL either on firewalls or routers to do the blocking thing.

2. If it's true that it has to do blocking with the aid of other Cisco devices, then am I right in saying that Cisco IPS is not suited to an environment where Cisco routers or firewalls are not present?

3. Is it right to say that if an IPS monitoring interface is in promiscuous mode, then it is only acting as an IDS (not IPS)? And if it is in this mode, can it still do blocking?

Thanks a lot.

2 Replies

Fernando_Meza
Level 7

Hi, answers to your questions!

1. It can do both. It can block traffic as it traverses the sensing interfaces. And it can also modify access lists on routers and firewalls (known as managed devices) to mitigate attacks on the enterprise.

2. That is correct. You can only use Cisco switches, routers and firewalls as managed devices using the sensor.

3. Correct, promiscuous mode is IDS. You can reset connections using the reset interface. You can do blocking but you need the assistance of other devices such as routers and firewalls, again Cisco based.

I hope it helps. Please rate it if it does!

In no. 1, you said it can block traffic as it traverses the sensing interface... but in no. 3, you said it needs the assistance of other devices such as routers etc.
