These answers are the exact opposite.
https://www.cisco.com/c/en/us/about/security-center/ips-mitigation.html#7
Promiscuous Mode Event Actions
The following event actions can be deployed in Promiscuous mode. These actions are in effect for a user-configurable default time of 30 minutes. Because the IPS sensor must send the request to another device or craft a packet, latency is associated with these actions and could allow some attacks to be successful. Blocking through usage of the Attack Response Controller (ARC) has the potential benefit of being able to perform to the network edge or at multiple places within the network.
Request block host: This event action will send an ARC request to block the host for a specified time frame, preventing any further communication. This is a severe action that is most appropriate when there is minimal chance of a false alarm or spoofing.
Request block connection: This action will send an ARC response to block the specific connection. This action is appropriate when there is potential for false alarms or spoofing.
Reset TCP connection: This action is TCP specific, and in instances where the attack requires several TCP packets, this can be a successful action. However, in some cases where the attack only needs one packet it may not work as well. Additionally, TCP resets are not very effective with protocols such as SMTP that consistently try to establish new connections, nor are they effective if the reset cannot reach the destination host in time.
0
1
Ilya says:
It depends on how the word “limitations” is treated.
If you think about limitations as something which can actually be reached, then yes, you are right.
But who knows… There is no definition in Cisco documentation I assume. But the question with exact opposite meaning does exist:
https://www.briefmenow.org/cisco/which-actions-can-a-promiscuous-ips-take-to-mitigate-an
0
0
Meaning D, E, & F are the answers if this wasn’t apparent.
0
1