Which of the following devices requires that a physical interface be in promiscuous mode in order to monitor
network traffic? (Select the best answer.)
A. an IPS
B. a firewall
C. a router
D. an IDS
E. an ASA
Explanation:
An Intrusion Detection System (IDS) requires that a physical interface be in promiscuous mode in order to
monitor network traffic. An IDS is a network monitoring device that does not sit inline with the flow of network
traffic; an IDS passively monitors a copy of network traffic, not the actual packet. Typically, an IDS has one
promiscuous network interface attached to each monitored network. A promiscuous interface listens to all data
flowing past it regardless of the destination address. Because traffic does not flow through the IDS, the IDS cannot
mitigate single-packet attacks and is unable to directly block malicious traffic, such as a virus, before it passes onto
the network. However, an IDS can actively send alerts to a management station when it detects malicious
traffic.
An Intrusion Prevention System (IPS) sits inline with the flow of traffic, thus actively monitoring network traffic
and blocking malicious traffic, such as an atomic or single-packet attack, before it passes onto the network.
Blocking an attack inline can prevent the attack from spreading further into the network. An IPS requires at
least two interfaces for each monitored network: one interface listens to traffic entering the IPS, and the other
listens to traffic leaving the IPS. In addition, an IPS acts similarly to a Layer 2 bridge in that it passes traffic
through to destinations on the same subnet; an IPS cannot route to destinations on a different subnet. An
interface of an IPS can be put in promiscuous mode; when this happens, the device operates as an IDS on
that interface. However, an IPS does not require that a physical interface be in promiscuous mode in order to
monitor network traffic.
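The difference between a passive, promiscuous IDS and an inline IPS on a single-packet attack is easiest to see in a small model. The following is an added example, not from the cert guide or from any Cisco product: a toy segment delivers packets to a host, an IDS receives a copy of every frame (as from a SPAN port or tap) and can only alert, while an IPS sits between the "in" and "out" interfaces and can drop. The signature pattern, addresses and packets are constructed for the example.

```python
"""Passive IDS vs inline IPS on an atomic (single-packet) attack.

Added example, not code from the CCNA Security text. The signature, addresses
and packets below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed signature: any payload containing this pattern counts as malicious.
SIGNATURE = b"EVIL"


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


def is_malicious(pkt: Packet) -> bool:
    """Signature match, standing in for real IDS/IPS detection logic."""
    return SIGNATURE in pkt.payload


@dataclass
class Host:
    name: str
    received: List[Packet] = field(default_factory=list)

    def deliver(self, pkt: Packet) -> None:
        self.received.append(pkt)


@dataclass
class PassiveIDS:
    """Promiscuous sensor: sees a copy of every frame on the segment, whatever its destination."""
    seen: int = 0
    alerts: List[str] = field(default_factory=list)

    def observe(self, pkt: Packet) -> None:
        # Works on a copy; the original frame is already on its way to the host.
        self.seen += 1
        if is_malicious(pkt):
            self.alerts.append(f"ALERT {pkt.src}->{pkt.dst}: signature matched")


@dataclass
class InlineIPS:
    """Bridge-like device: a frame enters on one interface and leaves on the other, or is dropped."""
    dropped: List[Packet] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)

    def forward(self, pkt: Packet) -> Optional[Packet]:
        if is_malicious(pkt):
            self.dropped.append(pkt)
            self.alerts.append(f"DROP {pkt.src}->{pkt.dst}: signature matched")
            return None
        return pkt


def run_segment_with_ids(packets: List[Packet], host: Host, ids: PassiveIDS) -> None:
    """SPAN/tap topology: the IDS gets a copy, the host gets the original unconditionally."""
    for pkt in packets:
        ids.observe(pkt)
        if pkt.dst == host.name:
            host.deliver(pkt)


def run_segment_with_ips(packets: List[Packet], host: Host, ips: InlineIPS) -> None:
    """Inline topology: only what the IPS forwards reaches the host."""
    for pkt in packets:
        out = ips.forward(pkt)
        if out is not None and out.dst == host.name:
            host.deliver(out)


def compare(packets: List[Packet], host_addr: str) -> dict:
    """Run the same traffic through both topologies and summarize the outcome."""
    ids_host, ids = Host(host_addr), PassiveIDS()
    run_segment_with_ids(packets, ids_host, ids)
    ips_host, ips = Host(host_addr), InlineIPS()
    run_segment_with_ips(packets, ips_host, ips)
    return {
        "ids_frames_seen": ids.seen,
        "ids_alerts": len(ids.alerts),
        "ids_delivered_malicious": sum(is_malicious(p) for p in ids_host.received),
        "ips_alerts": len(ips.alerts),
        "ips_delivered_malicious": sum(is_malicious(p) for p in ips_host.received),
        "ips_delivered_total": len(ips_host.received),
    }


# Constructed traffic: two benign frames to the host, one single-packet attack,
# and one frame addressed to a different host on the same segment.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.10", b"GET /index.html"),
    Packet("10.0.0.6", "10.0.0.10", b"EVIL\x90\x90 single-packet exploit"),
    Packet("10.0.0.7", "10.0.0.10", b"ping"),
    Packet("10.0.0.5", "10.0.0.20", b"chatter to another host"),
]

if __name__ == "__main__":
    for key, value in compare(SAMPLE, "10.0.0.10").items():
        print(f"{key}: {value}")
```

The IDS sees all four frames, including the one addressed to 10.0.0.20, which is exactly what promiscuous mode buys it, yet the attack frame still lands on the host; the IPS raises the same alert but the host never receives the frame.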
A firewall is a network security device that protects a trusted network from an untrusted network, such as the
Internet. Firewalls can operate in either routed mode or transparent mode. In routed mode, the firewall acts as
a Layer 3 device that can perform Network Address Translation (NAT) and route traffic between virtual LANs
(VLANs) on different subnets. In transparent mode, the firewall acts as a Layer 2 bridge in that it can pass
traffic through to destinations on the same subnet but cannot route to destinations on a different subnet.
Although a firewall is a security appliance that permits or denies traffic on a network, a firewall does not require
that a physical interface be in promiscuous mode in order to monitor network traffic.
A router is a device that connects multiple subnets of the same or different networks and passes information
between them. The functionality of a router can vary depending on the size of the network on which it is
deployed. For example, a Cisco IPS Advanced Integration Module (AIM) can be installed in a router to integrate
IPS functionality at the hardware level. Alternatively, an IOS feature set with IPS capabilities can be installed to
provide IPS functionality at the software level. A router operating as an IPS or IDS can serve as a part of the
network security structure as well as a bridge between two segments of the network. Although a router can
function as an IPS or IDS, a router does not require that a physical interface be in promiscuous mode in order to monitor network traffic.
The Cisco Adaptive Security Appliance (ASA) is a multifunction appliance that can provide firewall, virtual
private network (VPN), intrusion prevention, and content security services. The Cisco ASA is based on the
framework of the Private Internet Exchange (PIX) firewall appliance. If used as an IPS device in IDS mode, or
promiscuous mode, the Cisco ASA can have a physical interface in promiscuous mode; however, the Cisco ASA
does not require that a physical interface be in promiscuous mode in order to monitor network traffic.
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 17, Difference Between IPS and IDS, pp. 460-462
Cisco: Cisco IPS Mitigation Capabilities