Differences between Snort inline mode and passive mode

Passive mode provides a reactive protection. It can be configured to reset the attacker’s connection, IP blocking, and IP logging, but it can’t stop the initial attack from reaching the targets. The reason is that the packets it inspects have been copied and forwarded to it by SPAN sessions or by promiscuously listening to traffic on a segment.

When the sensor is in inline mode, traffic has to traverse the sensor’s interfaces (a pair). Traffic gets inspected, tested against the signatures and then, if OK, forwarded to the destination. This approach offers preventive protection because the sensor can stop an attack BEFORE it reaches the target, which is something that IDS (passive sensors) can’t do.

In summary, I suggest you try using your sensor in inline mode … it not only offers the same functionality as IDS but also extra protection against attacks.

A passive IPS is not capable of blocking any traffic. On its own, it is capable of sending TCP connection resets. If it is paired with a firewall/router, it can send block requests to those devices. There are a few other things, but blocking cannot be done.

In order to have the IPS block traffic, you have to put it “inline”. Inline means that whatever traffic you wish to inspect and, if necessary, block must go through the sensor.
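
The two deployments described above, written as Snort 2.9.x configuration; this is an added example, not part of the quoted forum answers. Interface names, the file paths, the 192.0.2.10 address, the rule content and the SID are constructed placeholders.

```conf
# ===== snort-passive.conf (IDS: sensor reads a COPY of the traffic) =====
# Start with:  snort -c /etc/snort/snort-passive.conf -i eth0
# eth0 is attached to a SPAN port or tap (constructed interface name).
config daq: pcap
config daq_mode: passive

# The original packet has already been forwarded to the target by the
# switch, so the most this rule can do is raise an alert after the fact.
alert tcp any any -> 192.0.2.10 80 (msg:"EXAMPLE constructed marker in HTTP request"; \
    flow:to_server,established; content:"constructed-marker"; \
    sid:1000001; rev:1;)


# ===== snort-inline.conf (IPS: traffic must cross the sensor) =====
# Start with:  snort -Q -c /etc/snort/snort-inline.conf -i eth0:eth1
# -Q enables inline operation; eth0:eth1 is the interface pair that the
# afpacket DAQ bridges (constructed interface names).
config daq: afpacket
config daq_mode: inline

# Same signature, but with the "drop" action: the matching packet is
# discarded on the sensor and never forwarded out of the second interface.
drop tcp any any -> 192.0.2.10 80 (msg:"EXAMPLE constructed marker in HTTP request"; \
    flow:to_server,established; content:"constructed-marker"; \
    sid:1000001; rev:1;)
```

The only differences are the packet acquisition mode, the single interface versus the interface pair, and the rule action; the signature itself is identical in both files.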

Original link: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjJ5_3wyJ_qAhUBv54KHSzODMwQFjAFegQIBxAB&url=https%3A%2F%2Fcommunity.cisco.com%2Ft5%2Fnetwork-security%2Fdifference-between-inline-and-passive-mode-in-ips%2Fm-p%2F526740&usg=AOvVaw0GuzI-pnUiXRV_OGBhu72x
