Which actions can a promiscuous IPS take to mitigate an attack?

A. modifying packets
B. requesting connection blocking
C. denying packets
D. resetting the TCP connection
E. requesting host blocking
F. denying frames


2 thoughts on “Which actions can a promiscuous IPS take to mitigate an attack?”

  1. The question seems a little tricky, as promiscuous mode is for IDS.

    The main difference between an IDS and IPS is the deployment mode.
    IDS usually works on a copy of the packet and is mainly used to
    detect an issue or anomaly and alert the security analyst. This is called promiscuous
    mode.

    An IPS, on the other hand, is deployed inline, which means it has visibility of the
    packets or threats as they flow through the device. Because of that, it is able to block a
    threat as soon as it is detected.

  2. -> Promiscuous mode—When running in promiscuous mode, the IPS cannot implement Deny actions.
    Thus, if you want to prevent traffic from a host, you must implement blocking.

    -> Inline mode—In inline mode, you can implement Deny actions to immediately drop undesired
    traffic. However, you might want to add blocking actions to protect other segments of your network.

    There are three types of blocks:
    Host block
    Connection block
    Network block

    Do not confuse blocking with the ability of the sensor to drop packets. The sensor can drop packets when
    the following actions are configured for a sensor in inline mode: deny packet inline, deny connection
    inline, and deny attacker inline.

    FROM CISCO: CSMUserGuide_wrapper/ipsblock

    The Attack Response Controller (ARC) component of the IPS is responsible for managing network
    devices in response to suspicious events by blocking access from attacking hosts and networks.

    ARC is formerly known as Network Access Controller. Although the name has been changed, the IPS
    documentation and configuration interfaces contain references to Network Access Controller, nac, and
    network-access.
