October 6, 2024

Event Analysis in IPS-Only Mode – Cisco IPS-Only Deployment in Inline Mode

Event Analysis in IPS-Only Mode

If a threat defense is deployed in the dedicated IPS-only mode with an inline interface pair, and a packet matches against an intrusion rule with block action, the management center marks the connection event with Intrusion Block. Let’s see how it works on live traffic.

Figure 6-14 shows two different connection events triggered by the same source and destination hosts. In both cases, intrusion rule 1:718 is enabled to block an incorrect login attempt to a Telnet server. In this example, when the login attempt is successful, the management center simply displays an Allow connection event; however, the next time an incorrect login credential is entered, the threat defense blocks that connection attempt, and the management center displays a Block connection event marked Intrusion Block.


Figure 6-14 Connection Events in IPS-Only Mode (Customized Table View of Events)

Figure 6-15 shows the corresponding intrusion event for the two Telnet connections shown in Figure 6-14. The management center shows only one intrusion event for the two login attempts. This is because the first login attempt is successful, so the threat defense sees no packets that match intrusion rule 1:718. The next time the threat defense detects an incorrect login attempt, intrusion rule 1:718 is triggered and the connection is blocked.


Figure 6-15 Intrusion Event in IPS-Only Mode (Customized Table View of Events)
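The following is an added example, not code from the book, that models the inline IPS-only behavior described above: two Telnet sessions between the same hosts, where only the failed login matches the block rule, so two connection events but a single intrusion event are produced. The match content standing in for rule 1:718, the IP addresses and the Telnet server replies are all constructed assumptions; the rule's real syntax is deferred to Chapter 15.

```python
from dataclasses import dataclass

# Assumed stand-in for Snort rule 1:718: the page states only that it blocks
# an incorrect Telnet login; the match content below is a placeholder, not the
# rule's real syntax (which the book covers in Chapter 15).
ASSUMED_RULE_1_718 = {"gid": 1, "sid": 718, "content": b"Login incorrect", "action": "block"}

@dataclass
class Session:
    """One Telnet connection seen by the inline pair (constructed sample data)."""
    src: str
    dst: str
    server_replies: list  # payloads the Telnet server sent back to the client

def inspect_inline(session, rule=ASSUMED_RULE_1_718):
    """Mimic inline IPS-only handling: return (connection_event, intrusion_event or None)."""
    conn = {"src": session.src, "dst": session.dst, "action": "Allow", "reason": ""}
    for payload in session.server_replies:
        if rule["content"] in payload:
            # Rule hit with block action: the packet is dropped inline and the
            # connection event is marked "Intrusion Block".
            conn["action"] = "Block"
            conn["reason"] = "Intrusion Block"
            intrusion = {"gid": rule["gid"], "sid": rule["sid"],
                         "src": session.src, "dst": session.dst,
                         "inline_result": "Dropped"}
            return conn, intrusion
    # No rule match: the connection is simply allowed, no intrusion event.
    return conn, None

def analyze(sessions):
    """Build the two event tables the management center would display."""
    connection_events, intrusion_events = [], []
    for s in sessions:
        c, i = inspect_inline(s)
        connection_events.append(c)
        if i is not None:
            intrusion_events.append(i)
    return connection_events, intrusion_events

# Constructed traffic matching the book's scenario: same hosts, the first
# login succeeds, the second login fails.
SESSIONS = [
    Session("10.0.0.10", "10.0.0.20", [b"login: ", b"Password: ", b"Last login: Mon\r\n$ "]),
    Session("10.0.0.10", "10.0.0.20", [b"login: ", b"Password: ", b"Login incorrect\r\n"]),
]

if __name__ == "__main__":
    conns, intrusions = analyze(SESSIONS)
    for c in conns:
        print("connection event:", c["action"], c["reason"])
    print("intrusion events:", len(intrusions))
```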

Note

Because this chapter focuses on understanding the dedicated IPS-only mode, its primary objective is to demonstrate the behavior of a threat defense when an access control policy and an intrusion policy are deployed on an inline interface pair. The intrusion policy configuration and intrusion rule 1:718 are described in detail in Chapter 15, “Network Analysis and Intrusion Policies.”

Summary

This chapter describes how to configure a threat defense in inline mode and how to enable fault-tolerance features on an inline set. The chapter also describes various command-line tools that you can use to verify the status of an interface, an inline pair, and an inline set.

Exam Preparation Tasks

As mentioned in the section “How to Use This Book” in the Introduction, you have a couple of choices for exam preparation: the exercises here, Chapter 22, “Final Preparation,” and the exam simulation questions in the Pearson Test Prep practice test software.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topic icon in the outer margin of the page. Table 6-3 lists these key topics and the page numbers on which each is found.


Table 6-3 Key Topics for Chapter 6

Key Topic Element   Description            Page
Paragraph           Inline mode            123
Paragraph           Passive mode           123
Bullet list         Hardware bypass        127
Bullet list         Propagate Link State   131
Bullet list         Snort Fail Open        131

Memory Tables and Lists

Print a copy of Appendix B, “Memory Tables” (found on the companion website), or at least the section for this chapter, and complete the tables and lists from memory. Appendix C, “Memory Tables Answer Key,” also on the companion website, includes completed tables and lists to check your work.
