You are designing an intrusion detection and prevention (IDS/IPS) solution for a customer web application in a
single VPC. You are considering the options for implementing IDS/IPS protection for traffic coming from the
Internet.
Which of the following options would you consider? (Choose 2 answers)
A. Implement IDS/IPS agents on each instance running in the VPC.
B. Configure an instance in each subnet to switch its network interface card to promiscuous mode and analyze
network traffic.
C. Implement Elastic Load Balancing with SSL listeners in front of the web applications.
D. Implement a reverse proxy layer in front of the web servers and configure IDS/IPS agents on each reverse
proxy server.
A D
A and D
B, D
Route all incoming traffic to a single/central point for intrusion detection; choices B and D match the condition, promiscuous mode on a NIC.
Packet Sniffing
It is not possible for a virtual instance running in promiscuous mode to receive or sniff traffic that is intended for a different virtual instance. While customers can elect to place their interfaces into promiscuous mode, the hypervisor will not deliver any traffic to an instance that is not addressed to it. Even two virtual instances that are owned by the same customer located on the same physical host cannot listen to each other’s traffic. Additionally, attacks such as ARP cache poisoning do not work within Amazon EC2 and Amazon VPC. While Amazon EC2 does provide ample data protection between customers by default, as a standard practice it is best to always encrypt sensitive traffic.