Which of the following statements are true regarding IDS devices? (Select 2 choices.)
A.
They can send alerts.
B.
They do not sit inline with the flow of network traffic.
C.
They can directly block a virus before it infiltrates the network.
D.
They can detect malicious traffic only by signature matching.
E.
They function identically to IPS devices.
Explanation:
Intrusion Detection System (IDS) devices can send alerts and do not sit inline with the flow of network traffic. An
IDS is a network monitoring device that passively monitors network traffic and actively sends alerts to a
management station when it detects malicious traffic. An IDS typically has one promiscuous network interface
attached to each monitored network. Because traffic does not flow through the IDS, the IDS is unable to directly
block malicious traffic? however, an IDS can do any of the following:
– Request that another device block a connection
– Request that another device block a particular host
– Reset TCP connections
An IDS can prevent further instances of previously detected malicious traffic from passing onto the network by
creating access control lists (ACLs) on routers in the traffic path or by configuring other security devices that
reside in the flow of traffic. Although signaturebased pattern matching is the primary method used by an IDS to
detect malicious traffic, an IDS can also consider policy definitions and historical traffic behavior when analyzing
network packets.
By contrast, an Intrusion Prevention System (IPS) typically sits inline with the flow of traffic and can therefore
block malicious traffic before it passes onto the network. An inline IPS can perform the following actions:
– Block traffic from a particular host
– Block a particular connection
– Modify traffic
– Reset TCP connections
However, if an IPS sits inline with traffic, a failed IPS device can cause all traffic to be dropped. Analyzing all of
the traffic that passes through the IPS can cause latency and jitter. Alternatively, an IPS can be configured to
operate in promiscuous mode, which would make it functionally similar to an IDS. Typically, an IPS is
configured to use signaturebased pattern matching to block traffic that has been definitively marked as
malicious. Traffic that is suspect but has not been confirmed as malicious is referred to as gray area traffic and
is not discarded by an IPS. If an IDS is used in conjunction with an IPS, the IDS can be configured to monitor
the gray area traffic in greater detail without affecting the flow of traffic through the IPS.Cisco: Managed Security Services Partnering for Network Security: Managed Intrusion Detection and
Prevention Systems