How the Sensor Functions
promiscuous mode, however, is that the IPS cannot stop malicious traffic from reaching its intended
target for certain types of attacks, such as atomic attacks (single-packet attacks). The response
actions implemented by promiscuous IPS devices are post-event responses and often require assistance
from other networking devices, for example, routers and firewalls, to respond to an attack. While such
response actions can prevent some classes of attacks, for atomic attacks the single packet has a chance
of reaching the target system before the promiscuous sensor can apply an ACL modification on a
managed device (such as a firewall, switch, or router).
Inline Mode
Operating in inline mode puts the IPS directly into the traffic flow and affects packet-forwarding rates
by adding latency. An inline IPS sits in the fast path, which allows the sensor to stop attacks by
dropping malicious traffic before it reaches the intended target, thus providing a protective service.
The inline device not only processes information at layers 3 and 4, but also analyzes the contents and
payload of the packets for more sophisticated embedded attacks (layers 3 to 7). This deeper analysis
lets the system identify and stop or block attacks that would normally pass through a traditional
firewall device.
In inline mode, a packet comes in through the first interface of the pair on the sensor and goes out
the second interface of the pair. The packet is sent to the second interface of the pair unless it is
denied or modified by a signature.
Note
You can configure AIP-SSM to operate inline even though it has only one sensing interface.
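To make the difference between the two placements concrete, the following added example (not from this guide and not Cisco sensor code) models them in Python: an inline sensor that forwards or drops each packet in the path, and a promiscuous sensor that only sees a copy and must wait for an ACL push to a managed device to take effect. The signature string, the addresses and the one-packet response delay are constructed for illustration; the point it shows is that the promiscuous response can cut off the rest of a multi-packet attack but never the first packet, so an atomic attack always reaches the target.

```python
"""Toy model of promiscuous vs. inline sensor placement (added example; not Cisco code).

Assumptions (constructed for illustration): a signature is a byte string found in
the payload; the managed device applies a source-address ACL one packet after the
promiscuous sensor requests it.
"""
from dataclasses import dataclass, field

SIGNATURE = b"MALICIOUS"  # constructed toy signature


@dataclass
class Packet:
    seq: int
    src: str
    dst: str
    payload: bytes


@dataclass
class Outcome:
    delivered: list = field(default_factory=list)  # seq numbers that reached the target
    dropped: list = field(default_factory=list)    # seq numbers blocked before the target
    alerts: list = field(default_factory=list)     # seq numbers that fired the signature
    acl: set = field(default_factory=set)          # sources the managed device now blocks


def matches(pkt: Packet) -> bool:
    return SIGNATURE in pkt.payload


def run_inline(stream):
    """Interface pair: in on one side, out the other, unless a signature denies it."""
    out = Outcome()
    for pkt in stream:
        if matches(pkt):
            out.alerts.append(pkt.seq)
            out.dropped.append(pkt.seq)   # dropped in the forwarding path itself
        else:
            out.delivered.append(pkt.seq)
    return out


def run_promiscuous(stream, response_delay=1):
    """The sensor sees a copy; the original is forwarded regardless. Its response is an
    ACL push that only affects packets arriving response_delay packets later."""
    out = Outcome()
    pending = []  # (index at which the ACL becomes effective, source address)
    for i, pkt in enumerate(stream):
        for due, src in [p for p in pending if i >= p[0]]:
            out.acl.add(src)
            pending.remove((due, src))
        if pkt.src in out.acl:
            out.dropped.append(pkt.seq)   # blocked by the managed device, not the sensor
            continue
        out.delivered.append(pkt.seq)      # the copy is analysed after the fact
        if matches(pkt):
            out.alerts.append(pkt.seq)
            pending.append((i + response_delay, pkt.src))
    for _, src in pending:               # the push still lands, just too late
        out.acl.add(src)
    return out


ATTACKER, TARGET = "10.0.0.5", "10.0.0.9"          # constructed addresses
ATOMIC = [Packet(1, ATTACKER, TARGET, b"MALICIOUS")]                         # single-packet attack
FLOOD = [Packet(i, ATTACKER, TARGET, b"MALICIOUS%d" % i) for i in range(1, 5)]  # multi-packet attack


def compare(stream):
    inline, prom = run_inline(stream), run_promiscuous(stream)
    return {"inline_delivered": inline.delivered,
            "promiscuous_delivered": prom.delivered,
            "promiscuous_dropped": prom.dropped,
            "promiscuous_acl": sorted(prom.acl)}


if __name__ == "__main__":
    print("atomic:", compare(ATOMIC))
    print("flood: ", compare(FLOOD))
```

Running it shows the inline sensor delivering nothing from either stream, while the promiscuous sensor delivers packet 1 in both cases; only for the flood does the ACL then block packets 2 to 4. The response_delay of one packet is generous; in practice the round trip to a router or firewall is far longer than a single packet's forwarding time.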
TCP Reset
You need to designate an alternate TCP reset interface in the following situations:
• When a switch is being monitored with either SPAN or VACL capture and the switch does not accept incoming packets on the SPAN or VACL capture port.
• When a switch is being monitored with either SPAN or VACL capture for multiple VLANs, and the switch does not accept incoming packets with 802.1q headers.
Note
The TCP resets need 802.1q headers to tell which VLAN the resets should be sent on.
• When a network tap is used for monitoring a connection.
Note
Taps do not allow incoming traffic from the sensor.
Installing Cisco Intrusion Prevention System Appliances and Modules 5.0
1-4
Chapter 1
Introducing the Sensor
78-16124-01
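For the 802.1q point in the second situation above, the following added example (not Cisco's implementation) builds the kind of TCP reset frame a promiscuous sensor injects and decodes it the way a switch or host stack would, once with a VLAN tag and once without. The MAC and IP addresses, ports, VLAN 120 and the sequence number are constructed values; a real sensor takes the sequence number from the monitored stream so that the reset lands inside the receiver's window.

```python
"""Build and decode a tagged TCP reset frame (added example; not Cisco's implementation).

Assumptions (constructed values): MAC and IP addresses, ports, VLAN 120 and the
sequence number used below are illustrative. A real sensor takes seq from the
monitored stream so the reset falls inside the receiver's window.
"""
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_tcp_rst(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, vlan=None) -> bytes:
    """Ethernet [+ 802.1q] / IPv4 / TCP frame with only the RST flag set and no payload."""
    # TCP: ports, seq, ack=0, data offset 5 words, flags=RST, window/cksum/urg=0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x04, 0, 0, 0)
    pseudo = ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # IPv4: version/IHL, TOS, total length, ID, DF, TTL, proto=TCP, cksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac)
    if vlan is None:
        eth += struct.pack("!H", 0x0800)                     # plain IPv4 EtherType, no VLAN info
    else:
        # TPID 0x8100, TCI with PCP=0/DEI=0 and the 12-bit VID, then the inner EtherType
        eth += struct.pack("!HHH", 0x8100, vlan & 0x0FFF, 0x0800)
    return eth + ip + tcp


def vlan_of(frame: bytes):
    """VLAN ID the switch would read from the tag, or None if the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] == 0x8100:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None


def decode(frame: bytes) -> dict:
    """Parse the frame back and verify both checksums, as a receiving stack would."""
    vid = vlan_of(frame)
    off = 18 if vid is not None else 14
    ip = frame[off:off + 20]
    ihl = (ip[0] & 0x0F) * 4
    tcp = frame[off + ihl:off + ihl + 20]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(frame) - off - ihl)
    return {
        "vlan": vid,
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "dst_ip": ".".join(str(b) for b in ip[16:20]),
        "sport": struct.unpack("!H", tcp[0:2])[0],
        "dport": struct.unpack("!H", tcp[2:4])[0],
        "rst": bool(tcp[13] & 0x04),
        "ip_ok": checksum(ip[:ihl]) == 0,
        "tcp_ok": checksum(pseudo + frame[off + ihl:]) == 0,
    }


if __name__ == "__main__":
    args = ("00:11:22:33:44:55", "66:77:88:99:aa:bb", "10.0.0.9", "10.0.0.5", 80, 40000, 12345)
    print("tagged:  ", decode(build_tcp_rst(*args, vlan=120)))
    print("untagged:", decode(build_tcp_rst(*args)))
```

The untagged frame decodes with vlan=None: nothing in it tells a switch that is spanning several VLANs which one the reset belongs on, which is why a port that refuses tagged ingress from the sensor forces you onto a separate reset interface. Building the frame is only half the job; the sensor also needs a port that will accept it inbound, which a tap never provides.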