Sensor Interfaces; Promiscuous Mode - Cisco IPS-4240-K9 - Intrusion Protection Sys 4240 Installation Manual

Intrusion prevention system appliances and modules 5.0

Chapter 1
Introducing the Sensor

How the Sensor Functions

- Make ACL changes on switches, routers, and firewalls that the sensor manages.
  Note: ACLs may block only future traffic, not current traffic.
- Generate IP session logs, session replay, and trigger packets display.
  IP session logs are used to gather information about unauthorized use. IP log files are written when
  a certain event or events occur that you have configured the appliance to look for.
- Implement multiple packet drop actions to stop worms and viruses.

Sensor Interfaces

The command and control interface is permanently mapped to a specific physical interface, which
depends on the type of sensor you have. You can let the sensing interfaces operate in promiscuous mode,
or you can pair the network sensing interfaces into logical interfaces called "inline pairs." You must
enable the interfaces or inline pairs before the sensor can monitor traffic.

Note: On appliances, the sensing interfaces are disabled by default. On modules, the sensing interfaces are
always enabled and cannot be disabled.

The sensing interface does not have an IP address assigned to it and is therefore invisible to attackers.
This lets the sensor monitor the data stream without letting attackers know they are being watched.
Promiscuous mode is contrasted by inline technology where all packets entering or leaving the network
must pass through the sensor. For more information, see Promiscuous Mode, page 1-3 and Inline Mode,
page 1-4.

The sensor monitors traffic on interfaces or inline pairs that are assigned to the default virtual sensor.
For more information, refer to Assigning Interfaces to the Virtual Sensor.

To configure the sensor so that traffic continues to flow through inline pairs even when SensorApp is not
running, you can enable bypass mode. Bypass mode minimizes dataflow interruptions during
reconfiguration, service pack installation, or software failure.

The sensor detects the interfaces of modules that have been installed while the chassis was powered off.
You can configure them the next time you start the sensor. If a module is removed, the sensor detects the
absence of the interfaces the next time it is started. Your interface configuration is retained, but the
sensor ignores it if the interfaces are not present.

The following interface configuration events are reported as status events:

- Link up or down
- Traffic started or stopped
- Bypass mode auto activated or deactivated
- Missed packet percentage threshold exceeded

Promiscuous Mode

In promiscuous mode, packets do not flow through the IPS. The sensor analyzes a copy of the monitored
traffic rather than the actual forwarded packet. The advantage of operating in promiscuous mode is that
the IPS does not affect the packet flow with the forwarded traffic. The disadvantage of operating in

Installing Cisco Intrusion Prevention System Appliances and Modules 5.0, 78-16124-01, page 1-3
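
The settings described under Sensor Interfaces above, written out as a sensor CLI session. This is an added example, not text from the Cisco manual. The commands are given as recalled from the IPS 5.x CLI and should be checked against the CLI guide for your software version; the interface names, the pair name PAIR1, the threshold values and the virtual sensor name vs0 are assumptions.

```text
! Constructed example for an IPS 5.x appliance. Lines starting with "!" are
! annotations for the reader, not commands. Interface names and PAIR1 are assumed.
configure terminal
service interface
! Promiscuous sensing: enable one sensing interface (disabled by default on appliances).
physical-interfaces GigabitEthernet0/0
admin-state enabled
exit
! Inline sensing: enable both member interfaces, then join them into an inline pair.
physical-interfaces GigabitEthernet0/1
admin-state enabled
exit
physical-interfaces GigabitEthernet0/2
admin-state enabled
exit
inline-interfaces PAIR1
interface1 GigabitEthernet0/1
interface2 GigabitEthernet0/2
exit
! Keep traffic flowing through inline pairs if SensorApp is not running.
bypass-mode auto
! Thresholds behind the interface status events (missed packet percentage, interval in seconds).
interface-notifications
missed-percentage-threshold 1
notification-interval 30
exit
exit
! Answer yes at the "Apply Changes" prompt, then assign everything to the default virtual sensor.
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/0
logical-interface PAIR1
exit
exit
```

An interface or pair that is enabled but never assigned to the virtual sensor is not monitored, so confirm the result in the sensor's saved configuration after applying the changes.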
