Filter
Top Products
36-2
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 36 Managing IPS Device Interfaces
Understanding Interface Modes
mode, packets do not flow through the sensor; the sensor analyzes a copy of the monitored traffic.
In inline mode, the IPS is in the traffic flow and can directly affect the traffic. For more information
about sensing modes, see Understanding Interface Modes, page 36-2.
Note On appliances, all sensing interfaces are disabled by default. You must enable them to use
them. On modules, the sensing interfaces are permanently enabled. See the IPS document
cited above for a list of sensing interfaces by device type.
• Alternate TCP reset—You can configure sensors to send TCP reset packets to try to reset a network
connection between an attacker host and its intended target host. In some installations when the
interface is operating in promiscuous mode, the sensor may not be able to send the TCP reset packets
over the same sensing interface on which the attack was detected. In such cases, you can associate
the sensing interface with an alternate TCP reset interface and any TCP resets that would otherwise
be sent on the sensing interface when it is operating in promiscuous mode are instead sent out on
the associated alternate TCP reset interface.
If a sensing interface is associated with an alternate TCP reset interface, that association applies
when the sensor is configured for promiscuous mode but is ignored when the sensing interface is
configured for inline mode (interface or VLAN pair), because TCP resets are always sent on the
sensing interfaces in those modes.
Note With the exception of IDSM-2, any sensing interface can serve as the alternate TCP reset
interface for another sensing interface. The alternate TCP reset interface on IDSM-2 is fixed
because of hardware limitation. However, there is only one sensing interface on IPS modules
(on routers or ASA devices), so you cannot specify an alternate TCP reset interface on them.
See the IPS document cited above for a list of eligible alternate TCP reset interfaces by
device type, and for more information about the conditions under which you would use one.
Understanding Interface Modes
Sensing interfaces can operate in various modes. The mode configured for an interface determines the
traffic it can inspect and how it can respond to events.
This section contains the following topics:
• Promiscuous Mode, page 36-2
• Inline Interface Mode, page 36-3
• Inline VLAN Pair Mode, page 36-3
• VLAN Group Mode, page 36-4
Promiscuous Mode
In promiscuous mode, packets do not flow through the sensor. The sensor analyzes a copy of the
monitored traffic rather than the actual forwarded packet. The advantage of operating in promiscuous
mode is that the sensor does not affect the packet flow with the forwarded traffic. The disadvantage of
operating in promiscuous mode, however, is the sensor cannot stop malicious traffic from reaching its
intended target for certain types of attacks, such as atomic attacks (single-packet attacks). The response
actions implemented by promiscuous sensor devices are post-event responses and often require