Cisco FirePOWER Appliance 8120
17-8
FireSIGHT System User Guide
Chapter 17 Introduction to Intrusion Prevention
Understanding Intrusion Prevention Deployments
Sensing traffic out-of-band allows you to devote almost all of the device’s sensing bandwidth and
computational power to monitoring traffic, reconstructing datagrams and streams, normalizing packets,
detecting anomalies, and alerting you to possible intrusions. Moreover, because the interface is deployed
out of band and operates in stealth mode, attackers are unlikely to know of its existence, which renders
it less of a target for attacks.
In an inline deployment, by comparison, you configure a managed device that uses an inline interface
set. To do this, you connect the device to your network so that traffic flows between the device’s network
interfaces. When the interface set is configured as Inline, the interfaces are again configured in
promiscuous mode so that they detect all of the traffic on the network segment regardless of where the
traffic is going. The device can see all of the traffic on the network segment but is itself invisible.
However, when the interface set is deployed inline, you can configure rules to drop suspicious packets
or, for custom standard text rules, to replace malicious portions of a packet payload with more benign
content.
For example, the following illustration shows a device deployed inline. The device uses an interface set
containing two of the network interfaces monitoring a single network segment.
Similar to a device using a passive interface set, the device using an inline interface set can see all of the
traffic that passes through the interfaces in its interface set, regardless of the traffic’s destination.
However, because the traffic flows between the interfaces, you can modify or block suspicious packets.
For example, if the device detects a packet whose payload contains a known exploit to which your
network may be vulnerable, you can configure the system to drop the packet. In this case, the malicious
packet never reaches its intended target.
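The difference between a passive and an inline interface set described above (observe-and-alert versus drop-or-replace) can be made concrete with a small simulation. The following Python is an added example written for this page; it is not Cisco code and does not model the FireSIGHT rule language. It assumes a constructed rule set and a constructed stream of packets: a rule that drops a packet carrying a placeholder marker standing in for a known exploit pattern, a rule that replaces a matched payload fragment with benign content of the same length (the same-length requirement mirrors how a standard text rule's replace option works, so the packet's size and sequence accounting are unchanged), and a rule that only alerts. Run in passive mode every packet is delivered unchanged even when it triggers an alert; run inline the marked packet never reaches its destination and the matched fragment is rewritten.

```python
"""Passive vs. inline sensor simulation (constructed example, not Cisco code)."""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALERT = "alert"      # record the event only
    DROP = "drop"        # inline only: packet is not forwarded
    REPLACE = "replace"  # inline only: matched bytes are rewritten in place


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: bytes
    action: Action
    replacement: bytes = b""

    def __post_init__(self):
        # Replacement must keep the payload length; a length change would
        # invalidate checksums and sequence accounting of the forwarded packet.
        if self.action is Action.REPLACE and len(self.replacement) != len(self.pattern):
            raise ValueError("replacement must be the same length as the pattern")


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


@dataclass
class SensorResult:
    delivered: list  # packets that reached their destination (possibly modified)
    alerts: list     # (rule name, src, dst) for every rule match


def run_sensor(packets, rules, inline):
    """Pass packets through the sensor.

    inline=False models a passive interface set: the sensor sees a copy of the
    traffic, so it can alert but can never change what reaches the target.
    inline=True models an inline interface set: the traffic flows through the
    device, so DROP and REPLACE actions take effect.
    """
    delivered, alerts = [], []
    for pkt in packets:
        payload = pkt.payload
        dropped = False
        for rule in rules:
            if rule.pattern not in payload:
                continue
            alerts.append((rule.name, pkt.src, pkt.dst))
            if not inline:
                continue  # passive: observe only, never alter the packet
            if rule.action is Action.DROP:
                dropped = True
                break
            if rule.action is Action.REPLACE:
                payload = payload.replace(rule.pattern, rule.replacement)
        if not dropped:
            delivered.append(Packet(pkt.src, pkt.dst, payload))
    return SensorResult(delivered, alerts)


# Constructed rules; "EXPLOIT-MARKER" is a placeholder, not a real signature.
RULES = [
    Rule("known-exploit-marker", b"EXPLOIT-MARKER", Action.DROP),
    Rule("neutralize-command", b"cmd=rm", Action.REPLACE, b"cmd=no"),
    Rule("recon-probe", b"probe", Action.ALERT),
]

# Constructed sample traffic on one monitored segment (hypothetical addresses).
PACKETS = [
    Packet("10.0.0.5", "10.0.0.80", b"GET /index.html"),
    Packet("10.0.0.5", "10.0.0.80", b"POST /upload EXPLOIT-MARKER"),
    Packet("10.0.0.6", "10.0.0.80", b"GET /api?cmd=rm&x=1"),
    Packet("10.0.0.7", "10.0.0.80", b"probe"),
]


def passive_demo():
    return run_sensor(PACKETS, RULES, inline=False)


def inline_demo():
    return run_sensor(PACKETS, RULES, inline=True)


if __name__ == "__main__":
    for label, result in (("passive", passive_demo()), ("inline", inline_demo())):
        print(f"{label}: {len(result.delivered)} delivered, {len(result.alerts)} alerts")
        for p in result.delivered:
            print("  ", p.src, "->", p.dst, p.payload)
```

The passive run yields the same three alerts as the inline run, which is the point of the comparison: out-of-band sensing gives you visibility, not control. Only the inline run withholds the marked packet and forwards the rewritten request, and the rewritten request is byte-for-byte the same length as the original.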