Correct Answer: A,D
Explanation/Reference:
Section: Considerations for Expanding an Existing Network
Explanation:
When Cisco Intrusion Prevention System (IPS) is configured in promiscuous mode, IPS response latency is increased, thereby increasing the risk of a successful attack. In addition, IPS in promiscuous mode supports the Reset TCP connection action, which mitigates Transmission Control Protocol (TCP) attacks by resetting TCP connections.
Promiscuous mode, also referred to as monitor-only operation, enables an IPS to passively examine network traffic without affecting the original flow of traffic. This passive connection gives the IPS the greatest visibility into the networks on the switch to which it is connected. However, promiscuous-mode operation increases response latency and increases the risk of a successful attack because copies of traffic are forwarded to the IPS for analysis instead of flowing through the IPS directly, which increases the time the IPS needs to determine whether a network attack is in progress. This increased response latency means that an attack has a greater chance of succeeding before it is detected than it would if the IPS were deployed inline with network traffic.
Remote Switched Port Analyzer (RSPAN) must be enabled on switch ports so that IPS can analyze the traffic on those ports. RSPAN enables the monitoring of traffic on a network by capturing and sending traffic from a source port on one device to a destination port on a different device on a nonrouted network.
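As an added illustration, not taken from the cert guide or the exam item: a minimal Catalyst IOS RSPAN configuration that copies traffic from a monitored port on one switch to the port on a second switch where the IPS sensing interface is attached. The interface names and the RSPAN VLAN number (999) are assumptions.

```cisco
! --- Switch A: the switch whose port traffic the IPS should see ---
! Assumed names: VLAN 999 is the RSPAN VLAN, Gi1/0/1 is the monitored port.
vlan 999
 name RSPAN-to-IPS
 remote-span
exit
! Copy both ingress and egress frames of Gi1/0/1 into the RSPAN VLAN.
monitor session 1 source interface GigabitEthernet1/0/1 both
monitor session 1 destination remote vlan 999
!
! --- Switch B: the switch where the IPS sensing interface is cabled ---
! The RSPAN VLAN must exist on every switch in the Layer 2 path between
! A and B, and the trunks between them must carry VLAN 999.
vlan 999
 name RSPAN-to-IPS
 remote-span
exit
! Assumed: Gi1/0/24 connects to the IPS sensing (promiscuous) interface,
! which receives copies only and never forwards the original traffic.
monitor session 1 source remote vlan 999
monitor session 1 destination interface GigabitEthernet1/0/24
!
! Verify on either switch:
! show monitor session 1
! show vlan remote-span
```

Because the sensor sees copies of the frames rather than the frames themselves, the only responses available to it are the promiscuous-mode event actions described in the following paragraphs, not inline drops.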
IPS in promiscuous mode supports three actions to mitigate attacks: Request block host, Request block connection, and Reset TCP connection. The Request block host action causes the IPS to send a request to the Attack Response Controller (ARC) to block all communication from the attacking host for a given period of time. The Request block connection action causes the IPS to send a request to the ARC to block the specific connection from the attacking host for a given period of time. The Reset TCP connection action clears TCP resources so that normal TCP network activity can be re-established. However, resetting TCP connections is effective only against TCP-based attacks, and only against some types of those attacks.
IPS in promiscuous mode does not directly block all communication from an attacking host. In promiscuous mode, the IPS can send a request to the ARC to block the host, but it does not block the host itself. One advantage of sending block requests to the ARC is that attacking hosts can be blocked at multiple locations within the network. The IPS can directly deny all communication from an attacking host only when operating in inline mode, by using the Deny attacker inline action.
Reference:
CCDA 200-310 Official Cert Guide, Chapter 13, IPS/IDS Fundamentals, pp. 534-535
Cisco: Cisco IPS Mitigation Capabilities: Promiscuous Mode Event Actions