Cisco IDS 4210 10/100 SENSOR Specification Guide

Installing Cisco Intrusion Prevention System Appliances and Modules 5.1 (OL-8677-01), page 1-10
Chapter 1: Introducing the Sensor
How the Sensor Functions
actions implemented by promiscuous sensor devices are post-event responses and often require
assistance from other networking devices, for example, routers and firewalls, to respond to an attack.
While such response actions can prevent some classes of attacks, in atomic attacks the single packet may
reach the target system before the promiscuous-based sensor can apply an ACL modification on a managed
device (such as a firewall, switch, or router).
Inline Interface Mode
Operating in inline interface mode puts the IPS directly into the traffic flow and affects
packet-forwarding rates, making them slower by adding latency. In return, the sensor can stop attacks by
dropping malicious traffic before it reaches the intended target, thus providing a protective service. Not
only does the inline device process information at layers 3 and 4, it also analyzes the contents and
payload of the packets for more sophisticated embedded attacks (layers 3 to 7). This deeper analysis
lets the system identify and stop or block attacks that would normally pass through a traditional
firewall device.
In inline interface mode, a packet comes in through the first interface of the pair on the sensor and out
the second interface of the pair. The packet is sent to the second interface of the pair unless that packet
is being denied or modified by a signature.
Note: You can configure AIP-SSM to operate inline even though it has only one sensing interface.

Note: If the paired interfaces are connected to the same switch, you should configure them on the switch as
access ports with different access VLANs for the two ports. Otherwise, traffic does not flow through the
inline interface.
Inline VLAN Pair Mode
You can associate VLANs in pairs on a physical interface. This is known as inline VLAN pair mode.
Packets received on one of the paired VLANs are analyzed and then forwarded to the other VLAN in the
pair. Inline VLAN pairs are supported on all sensors that are compatible with IPS 5.1 except NM-CIDS,
AIP-SSM-10, and AIP-SSM-20.
Inline VLAN pair mode is an active sensing mode where a sensing interface acts as an 802.1q trunk port,
and the sensor performs VLAN bridging between pairs of VLANs on the trunk. The sensor inspects the
traffic it receives on each VLAN in each pair, and can either forward the packets on the other VLAN in
the pair, or drop the packet if an intrusion attempt is detected. You can configure an IPS sensor to
simultaneously bridge up to 255 VLAN pairs on each sensing interface. The sensor replaces the VLAN
ID field in the 802.1q header of each received packet with the ID of the egress VLAN on which the sensor
forwards the packet. The sensor drops all packets received on any VLANs that are not assigned to inline
VLAN pairs.
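As an added illustration (not Cisco's code and not part of this guide), the following Python model shows the forwarding decisions described above for both inline interface mode (a frame enters on one interface of the pair and leaves on the other unless a signature denies it) and inline VLAN pair mode (the sensor bridges VLAN pairs on an 802.1q trunk, rewrites the VLAN ID to the egress VLAN, enforces the 255-pair limit, and drops frames on VLANs not assigned to a pair). The interface names, VLAN numbers, the byte-pattern "signature" and the sample frames are all constructed for the example; a real sensor's signature engine is far more than a substring match.

```python
# Added illustration of IPS inline forwarding decisions. Not Cisco code:
# interface names, VLAN numbers, the toy signature and frames are constructed.
import struct

ETHERTYPE_8021Q = 0x8100   # 802.1q tag protocol identifier (TPID)
ETHERTYPE_IPV4 = 0x0800    # inner EtherType used by the constructed frames
MAX_VLAN_PAIRS = 255       # per-sensing-interface limit stated in the guide
UNTAGGED_HEADER_LEN = 14   # dst(6) + src(6) + EtherType(2)
TAGGED_HEADER_LEN = 18     # dst(6) + src(6) + TPID(2) + TCI(2) + inner EtherType(2)


def build_tagged_frame(vid, payload, pcp=0,
                       dst=b"\x00\x11\x22\x33\x44\x55",
                       src=b"\x00\x66\x77\x88\x99\xaa"):
    """Construct an 802.1q-tagged Ethernet frame (sample data for the demo)."""
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ETHERTYPE_IPV4) + payload


def vlan_id(frame):
    """VLAN ID of a tagged frame, or None if the frame is untagged or too short."""
    if len(frame) < TAGGED_HEADER_LEN:
        return None
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid != ETHERTYPE_8021Q:
        return None
    return tci & 0x0FFF


def rewrite_vlan_id(frame, new_vid):
    """Replace only the 12-bit VLAN ID in the TCI; PCP and DEI bits are preserved."""
    (tci,) = struct.unpack_from("!H", frame, 14)
    new_tci = (tci & 0xF000) | (new_vid & 0x0FFF)
    return frame[:14] + struct.pack("!H", new_tci) + frame[16:]


def payload_of(frame):
    """Bytes after the Ethernet (and, if present, 802.1q) header."""
    offset = TAGGED_HEADER_LEN if vlan_id(frame) is not None else UNTAGGED_HEADER_LEN
    return frame[offset:]


def signature_hit(payload, signatures):
    """True if any constructed byte-pattern signature matches the payload."""
    return any(pattern in payload for pattern in signatures)


class InlineInterfacePair:
    """Inline interface mode: in on one interface of the pair, out on the other."""

    def __init__(self, interfaces=("GigabitEthernet0/0", "GigabitEthernet0/1")):
        # Interface names are assumed placeholders, not taken from the guide.
        self.interfaces = tuple(interfaces)

    def process(self, ingress, frame, signatures=()):
        """Return (action, egress_interface, frame_to_send)."""
        if ingress not in self.interfaces:
            return ("drop-unknown-interface", None, None)
        if signature_hit(payload_of(frame), signatures):
            return ("drop-signature", None, None)   # denied by a signature
        egress = self.interfaces[1 - self.interfaces.index(ingress)]
        return ("forward", egress, frame)


class InlineVlanPairInterface:
    """Inline VLAN pair mode on one sensing interface acting as an 802.1q trunk."""

    def __init__(self, pairs):
        if len(pairs) > MAX_VLAN_PAIRS:
            raise ValueError("at most %d VLAN pairs per sensing interface" % MAX_VLAN_PAIRS)
        self.egress = {}
        for a, b in pairs:
            if a == b or a in self.egress or b in self.egress:
                raise ValueError("a VLAN can belong to only one inline pair")
            self.egress[a] = b
            self.egress[b] = a

    def process(self, frame, signatures=()):
        """Return (action, egress_vlan, frame_to_send)."""
        vid = vlan_id(frame)
        if vid is None:
            return ("drop-untagged", None, None)        # trunk expects tagged frames
        if vid not in self.egress:
            return ("drop-unassigned-vlan", None, None) # VLAN not in any inline pair
        if signature_hit(frame[TAGGED_HEADER_LEN:], signatures):
            return ("drop-signature", None, None)       # intrusion attempt detected
        out_vid = self.egress[vid]
        return ("forward", out_vid, rewrite_vlan_id(frame, out_vid))


if __name__ == "__main__":
    sigs = (b"CONSTRUCTED-ATTACK-MARKER",)              # toy signature, constructed
    trunk = InlineVlanPairInterface([(10, 20), (30, 40)])
    for vid, data in ((10, b"GET / HTTP/1.0"), (99, b"x"), (20, b"CONSTRUCTED-ATTACK-MARKER")):
        action, egress, _ = trunk.process(build_tagged_frame(vid, data), sigs)
        print("VLAN %d -> %s (egress VLAN %s)" % (vid, action, egress))
```

The `drop-unassigned-vlan` branch is the behaviour to remember when troubleshooting: a host on a trunk VLAN that was never placed in a pair is silently dropped by the sensor, not passed through.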