Which of the following statements is not true regarding an IPS device? (Select the best answer.)
- An IPS requires that at least one interface be in promiscuous mode.
- Singlepacket attacks can be mitigated by an IPS.
- Traffic leaves an IPS on a different interface than it entered.
- An IPS cannot route to destinations on different subnets.
An Intrusion Prevention System (IPS) does not require that at least one interface be in promiscuous mode. An IPS sits inline with the flow of traffic, thus actively monitoring network traffic and blocking malicious traffic, such as an atomic or singlepacket attack, before it spreads onto the network. An IPS requires at least two interfaces for each monitored network: one interface listens to traffic entering the IPS, and the other listens to traffic leaving the IPS. In addition, an IPS acts similarly to a Layer 2 bridge in that it can pass traffic through to destinations on the same subnet? an IPS cannot route to destinations on a different subnet. Because all monitored traffic must pass through the IPS, it can add latency to traffic flows on the network.
By contrast, an Intrusion Detection System (IDS) typically has one promiscuous network interface attached to each monitored network, with no IP address assigned to the monitoring interface. An IDS is a network monitoring device that does not sit inline with the flow of network traffic? an IDS passively monitors a copy of network traffic, not the actual packet. Since an IDS analyzes a copy of network traffic, an IDS can support asymmetric traffic flows in which the original traffic may use a different return path than it used to arrive at its original destination. Because monitored traffic does not pass through an IDS, it does not add latency to the traffic flow.