Which of the following capabilities do an IDS and IPS have in common? (Select the best answer.)
- blocking a particular connection
- blocking traffic from a particular host
- modifying traffic
- resetting TCP connections
Explanation:
An Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) can both reset Transmission Control Protocol (TCP) connections. An IDS is a network monitoring device that passively monitors network traffic and actively sends alerts to a management station when it detects malicious traffic. An IDS typically has one promiscuous network interface attached to each monitored network. Because traffic does not flow through the IDS, the IDS is unable to directly block malicious traffic; however, an IDS can do any of the following:
– Request that another device block a connection
– Request that another device block a particular host
– Reset TCP connections
An IDS can prevent further instances of previously detected malicious traffic from passing onto the network by creating access control lists (ACLs) on routers in the traffic path or by configuring other security devices that reside in the flow of traffic.
By contrast, an IPS typically sits inline with the flow of traffic and can therefore block malicious traffic before it passes onto the network. An inline IPS can perform the following actions:
– Block traffic from a particular host
– Block a particular connection
– Modify traffic
– Reset TCP connections
However, if an IPS sits inline with traffic, a failed IPS device can cause all traffic to be dropped. Analyzing all of the traffic that passes through the IPS can cause latency and jitter. Alternatively, an IPS can be configured to operate in promiscuous mode, which would make it functionally similar to an IDS.