Difference between inline and passive mode in ips

sebastan_bach (Level 4)

Hi, I am new to IPS. I got an IPS 4215 sensor which says it can set its monitoring interfaces in passive mode, in which it can read the packets directed to it by a switch. Now, since this is an IPS, when it reads a packet which triggers an alarm and the action set is reset, will it require a PIX or a router to block the traffic from the attacker, or can it block on its own since it is an IPS? I am not sure of this. Can you please guide me on this. See ya

regards

sebastan

Accepted Solution

Fernando_Meza (Level 7)

Hi ... the main difference is that promiscuous or passive mode provides reactive protection. It can be configured to reset the attacker's connection, IP blocking, and IP logging, but it can't stop the initial attack from reaching the targets. The reason is that the packets it inspects have been copied and forwarded to it by SPAN sessions or by promiscuously listening to traffic on a segment.

When the sensor is in inline mode, traffic has to traverse the sensor's interfaces (pair). Traffic gets inspected, tested against the signatures, and then, if OK, forwarded to the destination. This approach offers preventive protection because the sensor can stop an attack BEFORE it reaches the target, which is something an IDS (passive sensor) can't do.

In summary, I suggest you try using your sensor in inline mode. It not only offers the same functionality as an IDS but extra protection against attacks.

I hope it helps. Please rate it if it does!!!

5 Replies

A passive IPS is not capable of blocking any traffic. On its own, it is capable of sending TCP connection resets. If it is paired with a firewall/router, it can send block requests to those devices. There are a few other things, but blocking cannot be done.

In order to have the IPS block traffic, you have to put it "inline". Inline means that whatever traffic you wish to inspect and, if necessary, block must go through the sensor.

A pretty good article on Intrusion Detection Terminology has been written by Andy Cuff on the Security Focus web site. It can be found here: http://www.securityfocus.com/infocus/1728
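The ordering point made in the two answers above (a passive sensor reacts after the switch has already forwarded the attack packet, an inline sensor drops it before the target sees it) is easiest to see as an event-ordered model. The following is an added illustration, not Cisco code and not from either poster: the "signature", the packet stream and the single attacker/victim pair are constructed for the example, and the shun list stands in for a block request honoured by a router or firewall.

```python
"""Event-ordered toy model of passive (SPAN copy) versus inline IPS placement.
Added illustration, not Cisco code. Signature, packets and hosts are constructed."""
from dataclasses import dataclass

# Constructed signature: any payload carrying this marker counts as an attack.
ATTACK_MARKER = b"EXPLOIT"


@dataclass(frozen=True)
class Packet:
    seq: int        # position in the constructed stream
    src: str
    payload: bytes


def matches_signature(pkt: Packet) -> bool:
    return ATTACK_MARKER in pkt.payload


def constructed_stream():
    """Attacker opens normally, fires the exploit, then sends a follow-up;
    an unrelated client sends one benign packet afterwards."""
    return [
        Packet(1, "10.0.0.66", b"GET / HTTP/1.0"),
        Packet(2, "10.0.0.66", b"POST /cgi EXPLOIT..."),
        Packet(3, "10.0.0.66", b"stage2 payload"),
        Packet(10, "10.0.0.7", b"GET /index.html"),
    ]


def run(mode, has_blocking_device):
    """Return (seqs delivered to the target, seqs that drew a TCP reset,
    shunned sources). mode is 'inline' or 'passive'. Resets are only
    modelled for the passive case; the inline sensor simply drops."""
    delivered, resets, shunned = [], [], set()
    for pkt in constructed_stream():
        if mode == "inline":
            # Sensor sits in the forwarding path: a match is dropped before
            # it reaches the target, and the attacker stays denied afterwards.
            if pkt.src in shunned or matches_signature(pkt):
                shunned.add(pkt.src)
                continue
            delivered.append(pkt.seq)
        elif mode == "passive":
            # Sensor inspects a SPAN copy. The switch has already forwarded
            # the original, so only a router/firewall acting on an EARLIER
            # block request can stop this packet.
            if has_blocking_device and pkt.src in shunned:
                continue
            delivered.append(pkt.seq)
            if matches_signature(pkt):
                resets.append(pkt.seq)   # RST trails the attack payload
                shunned.add(pkt.src)     # block request to router/firewall;
                                         # nothing enforces it without one
        else:
            raise ValueError(mode)
    return delivered, resets, sorted(shunned)


if __name__ == "__main__":
    for mode, dev in (("inline", False), ("passive", True), ("passive", False)):
        d, r, s = run(mode, dev)
        print(f"{mode:8} blocking device={dev!s:5} delivered={d} resets={r} shunned={s}")
```

Running it shows the exploit packet (seq 2) in the target's delivered list for both passive runs; with a blocking device only the follow-up (seq 3) is stopped, and without one the attacker's whole stream gets through and the sensor's only effect is the trailing reset.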

Hi, thanks a lot. I have one more query. I have an IPS 4215 and it has got 5 sniffing interfaces. Now, to run in inline mode I need to group 2 interfaces in a pair to make it work, so I can have 2 pairs. Now the 5th interface cannot be used in a pair, right? So that interface I can use in passive mode, right? But that interface will need to work with a firewall or router to block traffic. Please correct me if I am wrong. Thanks for your help once again. See ya

regards

sebastan

Yes, if you do not need an alternate TCP reset interface. I'd like to stress that a passive interface will not really "block" traffic. As Mr. Meza stated earlier, packets detected by the passive interface will get through before the TCP reset/shun command/ACL change, etc. is sent. I haven't tried the setup you are asking about, but here is a good link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00804cf4c2.html#wp1044193

The link above describes setting up interfaces. A couple of things from that document...

You need to designate an alternate TCP reset interface in the following situations:

• When a switch is being monitored with either SPAN or VACL capture and the switch does not accept incoming packets on the SPAN or VACL capture port.

The following interface combinations are not valid:

• The management interface cannot also serve as a sensing interface.
• The management interface cannot serve as the alternate TCP reset interface for a sensing interface.
• The management interface cannot be a member of an inline interface pair.
• You cannot pair a physical interface with itself in an inline interface pair.
• A physical interface can be a member of at most one inline interface pair.
• A sensing interface cannot serve as its own alternate TCP reset interface.
• You can only configure interfaces that are capable of TCP resets as alternate TCP reset interfaces.

Note: The exception to this restriction is the IDSM-2. The alternate TCP reset interface assignment for both sensing interfaces is System0/1 (protected).

• You cannot pair a VLAN with itself.
• For a given sensing interface, a VLAN can be a member of at most one inline VLAN pair. However, a given VLAN can be a member of an inline VLAN pair on more than one sensing interface.
• A physical interface cannot be a member of an inline interface pair unless the subinterface mode of the physical interface is none.
• For nonbackplane FastEthernet interfaces the valid speed settings are 10 Mbps, 100 Mbps, and auto. The valid duplex settings are full, half, and auto.
• For gigabit fiber interfaces (1000-SX and XL on the IDS-4250), the only valid speed settings are 1000 Mbps and auto.
• For gigabit copper interfaces (1000-TX on the IDS-4235 and IDS-4250), the valid speed settings are 10 Mbps, 100 Mbps, 1000 Mbps, and auto.
• For gigabit (copper or fiber) interfaces, if the speed is configured for 1000 Mbps, the only valid duplex setting is auto.

I hope this answers your question.
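The interface-combination rules quoted in the reply above are mechanical enough to check before touching the sensor. The following checker is an added example, not Cisco software and not from the poster: it encodes only the rules listed above (management port never sensing, never a reset interface, never in a pair; no self-pairing; at most one pair per physical interface; no interface as its own alternate TCP reset; only reset-capable interfaces as reset interfaces; subinterface mode none for pair members), and it deliberately does not flag one reset interface shared by several sensing interfaces, since the document says that is allowed. The interface names are an assumption for illustration: command-and-control on FastEthernet0/0 and five sensing ports (FastEthernet0/1 and FastEthernet1/0 to FastEthernet1/3), matching the two-pairs-plus-one-promiscuous layout sebastan describes.

```python
"""Checker for the inline-pair and alternate-TCP-reset rules quoted above.
Added example, not Cisco software. Interface names are assumed for the 4215."""
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    management: bool = False          # command-and-control port
    tcp_reset_capable: bool = True
    subinterface_mode: str = "none"   # "none" or "inline-vlan-pair"


@dataclass
class SensorConfig:
    interfaces: dict                                   # name -> Interface
    inline_pairs: list = field(default_factory=list)   # [(ifaceA, ifaceB), ...]
    promiscuous: list = field(default_factory=list)    # passive sensing ifaces
    alt_tcp_reset: dict = field(default_factory=dict)  # sensing -> reset iface


def validate(cfg):
    """Return the list of violated rules; an empty list means the layout passes.
    Sharing one alternate TCP reset interface among several sensing interfaces
    is permitted by the quoted document, so it is not flagged here."""
    problems = []
    pair_count = {}
    for a, b in cfg.inline_pairs:
        if a == b:
            problems.append(f"{a}: cannot pair a physical interface with itself")
        for name in {a, b}:
            iface = cfg.interfaces[name]
            if iface.management:
                problems.append(f"{name}: management interface cannot be in an inline pair")
            if iface.subinterface_mode != "none":
                problems.append(f"{name}: subinterface mode must be none to join an inline pair")
            pair_count[name] = pair_count.get(name, 0) + 1
            if pair_count[name] > 1:
                problems.append(f"{name}: physical interface in more than one inline pair")
    for name in cfg.promiscuous:
        if cfg.interfaces[name].management:
            problems.append(f"{name}: management interface cannot be a sensing interface")
    for sensing, reset in cfg.alt_tcp_reset.items():
        if cfg.interfaces[sensing].management:
            problems.append(f"{sensing}: management interface cannot be a sensing interface")
        if cfg.interfaces[reset].management:
            problems.append(f"{reset}: management interface cannot be an alternate TCP reset interface")
        if sensing == reset:
            problems.append(f"{sensing}: sensing interface cannot be its own alternate TCP reset interface")
        if not cfg.interfaces[reset].tcp_reset_capable:
            problems.append(f"{reset}: not TCP-reset capable, cannot be an alternate TCP reset interface")
    return problems


def ips4215_interfaces():
    """Assumed port naming: FastEthernet0/0 command-and-control, five sensing ports."""
    return {
        "FastEthernet0/0": Interface("FastEthernet0/0", management=True),
        **{n: Interface(n) for n in ("FastEthernet0/1", "FastEthernet1/0",
                                     "FastEthernet1/1", "FastEthernet1/2",
                                     "FastEthernet1/3")},
    }


def sebastan_layout():
    """Two inline pairs on the four-port card, fifth sensing port promiscuous."""
    return SensorConfig(
        interfaces=ips4215_interfaces(),
        inline_pairs=[("FastEthernet1/0", "FastEthernet1/1"),
                      ("FastEthernet1/2", "FastEthernet1/3")],
        promiscuous=["FastEthernet0/1"],
    )


def broken_layout():
    """Three violations: management port paired, one port in two pairs,
    a sensing interface named as its own alternate TCP reset interface."""
    return SensorConfig(
        interfaces=ips4215_interfaces(),
        inline_pairs=[("FastEthernet0/0", "FastEthernet1/0"),
                      ("FastEthernet1/0", "FastEthernet1/1")],
        alt_tcp_reset={"FastEthernet0/1": "FastEthernet0/1"},
    )


if __name__ == "__main__":
    for layout in (sebastan_layout, broken_layout):
        print(layout.__name__, validate(layout()) or "OK")
```

The speed and duplex rules from the same list are left out because they depend on the hardware in the chassis rather than on how interfaces are combined.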

Hi buddy, thanks a lot for the detailed info. But I didn't get one thing clear here.

You can assign the same physical interface as an alternate TCP reset interface for multiple sensing interfaces.

What does this mean? What is the difference between an alternate TCP reset interface and a sensing interface? Does the alternate TCP reset interface refer to an interface in promiscuous mode and the sensing interface to one in inline mode? Please explain, I am not sure about this. Thanks a lot once again. Waiting for your reply.

see ya

regards

sebastan
