PrepAway - Latest Free Exam Questions & Answers

Which of the following devices are least likely to deny…

Which of the following devices are least likely to deny a connection inline when an attack is detected? (Select 2
choices.)


A.
an IPS

B.
a router

C.
an IDS

D.
a Layer 3 switch

E.
a Layer 2 switch

Explanation:
A Layer 2 switch and an Intrusion Detection System (IDS) are least likely to deny a connection inline when an
attack is detected. An IDS is a network monitoring device that does not sit inline with the flow of network traffic;
an IDS passively monitors a copy of network traffic, not the original packet. Typically, an IDS has one
promiscuous network interface attached to each monitored network. A promiscuous interface listens to all data
flowing past it regardless of the destination. Because traffic does not flow through the IDS, the IDS cannot
mitigate single-packet attacks and is unable to directly block malicious traffic, such as a virus, before it passes onto
the network. However, an IDS can actively send alerts to a management station when it detects malicious
traffic.
A Layer 2 switch is a device that operates at Layer 2 of the Open Systems Interconnection (OSI) network
model. Although a Layer 2 switch can implement security controls, such as port security and virtual LAN (VLAN)
access control lists (ACLs), a Layer 2 switch by itself is not typically configured to detect and mitigate external
security threats.
An Intrusion Prevention System (IPS) sits inline with the flow of traffic, thus actively monitoring network traffic
and blocking malicious traffic, such as an atomic or single-packet attack, before it passes onto the network.
Blocking an attack inline can prevent the attack from spreading further into the network. An IPS requires at
least two interfaces for each monitored network: one interface receives traffic entering the IPS, and the other
carries traffic leaving the IPS. In addition, an IPS acts similarly to a Layer 2 bridge in that it passes traffic
through to destinations on the same subnet; an IPS cannot route to destinations on a different subnet. An
interface of an IPS can be put in promiscuous mode; when this happens, the device operates as an IDS on
that interface. However, an IPS does not require that a physical interface be in promiscuous mode in order to
monitor network traffic.
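To make the inline-versus-passive distinction concrete, the following added example (not part of the original exam explanation) models both placements with the same detection engine. The signature, the sample packets and the "wire" are constructed for illustration; the point it shows is that a passive sensor fed a mirrored copy can only raise an alert after the original packet has already been forwarded, while an inline sensor gets to decide before the packet reaches the far-side interface.

```python
"""Inline (IPS) versus passive (IDS) placement, modelled as a tiny forwarding path.
Added example; the signature, packets and forwarding logic are constructed."""

from dataclasses import dataclass, field

# Constructed signature standing in for a single-packet (atomic) attack.
ATTACK_SIGNATURE = b"\x90\x90\x90\x90/bin/sh"


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


@dataclass
class Sensor:
    """Shared detection engine; the placement, not the engine, decides the outcome."""
    alerts: list = field(default_factory=list)

    def matches(self, pkt: Packet) -> bool:
        return ATTACK_SIGNATURE in pkt.payload

    def alert(self, pkt: Packet, action: str) -> None:
        self.alerts.append(f"{action}: {pkt.src} -> {pkt.dst}")


def forward_with_passive_ids(pkt: Packet, sensor: Sensor) -> bool:
    """IDS on a promiscuous interface: the switch forwards the original packet
    unconditionally and hands the sensor a copy (e.g. via a mirror/SPAN port).
    Returns True when the packet reached its destination."""
    delivered = True  # the original is already on the wire before inspection
    mirrored_copy = Packet(pkt.src, pkt.dst, bytes(pkt.payload))
    if sensor.matches(mirrored_copy):
        sensor.alert(mirrored_copy, "ALERT")  # all a passive IDS can do here
    return delivered


def forward_with_inline_ips(pkt: Packet, sensor: Sensor) -> bool:
    """IPS bridging two interfaces: the packet must clear the engine before it
    is placed on the far-side interface, so a match is dropped, not just logged."""
    if sensor.matches(pkt):
        sensor.alert(pkt, "DROP")
        return False
    return True


def demo() -> dict:
    """Run one benign and one attack packet through each placement."""
    benign = Packet("10.0.0.5", "10.0.0.9", b"GET / HTTP/1.1\r\n")
    attack = Packet("10.0.0.5", "10.0.0.9", b"\x90" * 4 + b"/bin/sh")
    ids, ips = Sensor(), Sensor()
    return {
        "ids_delivered": [forward_with_passive_ids(p, ids) for p in (benign, attack)],
        "ids_alerts": ids.alerts,
        "ips_delivered": [forward_with_inline_ips(p, ips) for p in (benign, attack)],
        "ips_alerts": ips.alerts,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The passive path delivers both packets and records one alert; the inline path delivers the benign packet, drops the attack and records the drop. The same signature logic produced both results, which is why the exam distinguishes the devices by where they sit in the traffic path rather than by what they can detect.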
A router is a device that connects multiple subnets of the same or different networks and passes information
between them. The functionality of a router can vary depending on the size of the network on which it is
deployed. For example, a Cisco IPS Advanced Integration Module (AIM) can be installed in a router to integrate
IPS functionality at the hardware level. Alternatively, an IOS feature set with IPS capabilities can be installed to
provide IPS functionality at the software level. A router operating as an IPS can serve as a part of the network
security structure as well as a bridge between two segments of the network.
A Layer 3 switch is a device that can operate at both Layer 2 and Layer 3 of the OSI model. Layer 3 switches
perform switching operations at Layer 2 but are also capable of forwarding traffic at Layer 3. Although a Layer 3
switch by itself is not typically configured to detect and mitigate external security threats, some chassis-based
Layer 3 switches, such as Cisco Catalyst 6500 series switches, support hardware modules that can provide IPS
functionality.

Cisco: Cisco IPS Mitigation Capabilities

