Event Analysis in IPS-Only Mode – Cisco IPS-Only Deployment in Inline Mode
Event Analysis in IPS-Only Mode
If a threat defense is deployed in the dedicated IPS-only mode with an inline interface pair, and a packet matches against an intrusion rule with block action, the management center marks the connection event with Intrusion Block. Let’s see how it works on live traffic.
Figure 6-14 shows two different connection events triggered by the same source and destination hosts. In both cases, the intrusion rule 1:718 is enabled to block an incorrect login attempt to a Telnet server. In this example, when the login attempt is successful, the management center simply displays an Allow connection event; however, the next time an incorrect login credential is entered, threat defense blocks that connection attempt, and the management center displays a Block connection event with the marking of Intrusion Block.
Figure 6-14 Connection Events in IPS-Only Mode (Customized Table View of Events)
Figure 6-15 shows the corresponding intrusion event for the two Telnet connections from Figure 6-14. The management center shows only one intrusion event for two login attempts. The first login attempt is successful, so the threat defense sees no packet that matches intrusion rule 1:718. When the threat defense later detects an incorrect login attempt, intrusion rule 1:718 triggers and the connection is blocked.
Figure 6-15 Intrusion Event in IPS-Only Mode (Customized Table View of Events)
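The check that Figures 6-14 and 6-15 perform by eye, pairing each Intrusion Block connection event with an intrusion event on the same flow, can be scripted. The example below is added here and is not code from the book or from Cisco; its field names, addresses and timestamps are constructed assumptions rather than a management center export format.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample rows modelled on the customized table views in Figures 6-14 and
# 6-15: a successful Telnet login (Allow) and a failed login blocked by rule 1:718.
# Field names, addresses and timestamps are assumptions made for this example.
CONNECTION_EVENTS = [
    {"time": "2023-05-01 10:00:01", "action": "Allow", "reason": "",
     "src": "192.0.2.10", "dst": "192.0.2.20", "dport": 23},
    {"time": "2023-05-01 10:00:30", "action": "Block", "reason": "Intrusion Block",
     "src": "192.0.2.10", "dst": "192.0.2.20", "dport": 23},
]
INTRUSION_EVENTS = [
    {"time": "2023-05-01 10:00:30", "gid": 1, "sid": 718, "inline_result": "Dropped",
     "src": "192.0.2.10", "dst": "192.0.2.20", "dport": 23},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def flow_key(ev):
    # Initiator, responder and responder port identify the Telnet flow here.
    return (ev["src"], ev["dst"], ev["dport"])

def correlate(conn_events, intr_events, window=timedelta(seconds=5)):
    """Pair each connection event with intrusion events on the same flow.
    Returns (matched, unmatched_blocks, allowed_with_ips):
      matched          - (connection, [intrusion events]) for Intrusion Block events
      unmatched_blocks - Intrusion Block events with no intrusion event (worth a look)
      allowed_with_ips - Allow events that still raised an intrusion event, i.e. the
                         rule alerted but did not drop, so nothing was enforced
    """
    matched, unmatched_blocks, allowed_with_ips = [], [], []
    for c in conn_events:
        hits = [i for i in intr_events if flow_key(i) == flow_key(c)
                and abs(_ts(i["time"]) - _ts(c["time"])) <= window]
        if c["reason"] == "Intrusion Block":
            if hits:
                matched.append((c, hits))
            else:
                unmatched_blocks.append(c)
        elif hits:
            allowed_with_ips.append((c, hits))
    return matched, unmatched_blocks, allowed_with_ips

def blocks_by_rule(matched):
    """Count Intrusion Block connection events per GID:SID, e.g. {'1:718': 1}."""
    return dict(Counter(f"{i['gid']}:{i['sid']}" for _, hits in matched for i in hits))
```

Run against the two rows above, it reports one matched pair (the Block event with rule 1:718) and nothing in the other two lists; an Intrusion Block event with no intrusion event, or an Allow event that does have one, lands in the lists that deserve a second look.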
Because this chapter focuses on understanding the dedicated IPS-only mode, the primary objective is to demonstrate the behavior of a threat defense when an access control and an intrusion policy are deployed in inline interface mode. The intrusion policy configuration and the intrusion rule 1:718 are described in detail in Chapter 15, “Network Analysis and Intrusion Policies.”
Summary
This chapter describes how to configure a threat defense in inline mode and how to enable fault-tolerance features on an inline set. The chapter also describes various command-line tools that you can use to verify the status of an interface, an inline pair, and an inline set.
As mentioned in the section “How to Use This Book” in the Introduction, you have a couple of choices for exam preparation: the exercises here, Chapter 22, “Final Preparation,” and the exam simulation questions in the Pearson Test Prep practice test software.
Review All Key Topics
Review the most important topics in this chapter, noted with the Key Topic icon in the outer margin of the page. Table 6-3 lists these key topics and the page numbers on which each is found.
Table 6-3 Key Topics for Chapter 6
| Key Topic Element | Description | Page |
| --- | --- | --- |
| Paragraph | Inline mode | 123 |
| Paragraph | Passive mode | 123 |
| Bullet list | Hardware bypass | 127 |
| Bullet list | Propagate Link State | 131 |
| Bullet list | Snort Fail Open | 131 |
Memory Tables and Lists
Print a copy of Appendix B, “Memory Tables” (found on the companion website), or at least the section for this chapter, and complete the tables and lists from memory. Appendix C, “Memory Tables Answer Key,” also on the companion website, includes completed tables and lists to check your work.