Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 17 Introduction to Intrusion Prevention
Understanding Intrusion Prevention Deployments
Sensing traffic out-of-band allows you to devote almost all of the device’s sensing bandwidth and computational power to monitoring traffic, reconstructing datagrams and streams, normalizing packets, detecting anomalies, and alerting you to possible intrusions. Moreover, because the interface is deployed out of band and operates in stealth mode, attackers are unlikely to know of its existence, which renders it less of a target for attacks.

In an inline deployment, by comparison, you configure a managed device that uses an inline interface set. To do this, you connect the device to your network so that traffic flows between the device’s network interfaces. When the interface set is configured as Inline, the interfaces are again configured in promiscuous mode so that they detect all of the traffic on the network segment regardless of where the traffic is going. The device can see all of the traffic on the network segment but is itself invisible. However, when the interface set is deployed inline, you can configure rules to drop suspicious packets or, for custom standard text rules, to replace malicious portions of a packet payload with more benign content.

For example, the following illustration shows a device deployed inline. The device uses an interface set containing two of the network interfaces monitoring a single network segment.

Similar to a device using a passive interface set, the device using an inline interface set can see all of the traffic that passes through the interfaces in its interface set, regardless of the traffic’s destination. However, because the traffic flows between the interfaces, you can modify or block suspicious packets. For example, if the device detects a packet whose payload contains a known exploit to which your network may be vulnerable, you can configure the system to drop the packet. In this case, the malicious packet never reaches its intended target.
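To make the difference between the two deployments concrete, the following Python model runs the same constructed packets through a passive sensor and through an inline sensor. It is added here as an illustration and is not code from the FireSIGHT System or from Cisco. The rule patterns, SIDs and packet payloads are constructed placeholders, not real signatures; the "would have dropped" bookkeeping for drop and replace rules in passive mode is a modeling choice rather than a description of product output; and the replace action is modeled with the same-length constraint used by Snort-style replace rules.

```python
"""Model of passive (out-of-band) versus inline intrusion-prevention sensing.

Added example; all rules, SIDs and packets below are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


@dataclass
class Rule:
    sid: int
    content: bytes            # byte pattern the rule looks for in the payload
    action: str               # "alert", "drop" or "replace"
    replacement: bytes = b""  # used only by "replace"; must match len(content)
    msg: str = ""

    def __post_init__(self) -> None:
        if self.action not in ("alert", "drop", "replace"):
            raise ValueError(f"unknown action {self.action!r}")
        # Snort-style replace rules rewrite bytes in place, so the packet
        # length must not change.
        if self.action == "replace" and len(self.replacement) != len(self.content):
            raise ValueError("replacement must be the same length as content")


@dataclass
class Result:
    delivered: Optional[Packet]          # None means the packet was dropped
    events: List[str] = field(default_factory=list)


def apply_rules(pkt: Packet, rules: List[Rule], inline: bool) -> Result:
    """Run one packet through the sensor and return what the destination gets.

    A passive sensor only sees a copy of the traffic: it can alert, but the
    original packet reaches its destination untouched. An inline sensor sits in
    the forwarding path, so it can drop the packet or rewrite matched bytes
    before forwarding it.
    """
    payload = pkt.payload
    events: List[str] = []
    for r in rules:
        if r.content not in payload:
            continue
        if r.action == "alert":
            events.append(f"sid:{r.sid} alert: {r.msg}")
        elif r.action == "drop":
            if inline:
                events.append(f"sid:{r.sid} dropped: {r.msg}")
                return Result(None, events)       # never reaches the target
            events.append(f"sid:{r.sid} would have dropped: {r.msg}")
        elif r.action == "replace":
            if inline:
                payload = payload.replace(r.content, r.replacement)
                events.append(f"sid:{r.sid} replaced: {r.msg}")
            else:
                events.append(f"sid:{r.sid} would have replaced: {r.msg}")
    return Result(Packet(pkt.src, pkt.dst, payload), events)


# Constructed rule set (local-rule SID range; patterns are placeholders).
RULES = [
    Rule(1000001, b"EXPLOIT-PATTERN", "drop", msg="constructed exploit marker"),
    Rule(1000002, b"cmd.exe", "replace", b"XXXXXXX", msg="neutralize tool name"),
    Rule(1000003, b"/cgi-bin/", "alert", msg="cgi access seen"),
]

# Constructed sample packets.
BENIGN_PKT = Packet("10.0.0.5", "10.0.0.80", b"GET /index.html HTTP/1.1")
EXPLOIT_PKT = Packet("10.0.0.5", "10.0.0.80", b"GET /EXPLOIT-PATTERN HTTP/1.1")
CMD_PKT = Packet("10.0.0.5", "10.0.0.80", b"GET /cgi-bin/cmd.exe?dir HTTP/1.1")


def compare_deployments(pkt: Packet) -> dict:
    """Return the outcome of one packet under both deployment types."""
    return {
        "passive": apply_rules(pkt, RULES, inline=False),
        "inline": apply_rules(pkt, RULES, inline=True),
    }


if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_PKT), ("exploit", EXPLOIT_PKT), ("cmd", CMD_PKT)):
        for mode, res in compare_deployments(pkt).items():
            got = res.delivered.payload if res.delivered else None
            print(f"{name:8} {mode:8} delivered={got!r} events={res.events}")
```

Running the script shows the property the text describes: in passive mode every packet, including the one matching the drop rule, is delivered unchanged and the sensor can only record what it would have done; in inline mode the matching packet is never delivered, and the replace rule forwards a payload of the same length with the matched bytes rewritten.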