What is promiscuous mode in IDS? What is in-line mode in IDS? When is it appropriate to use one or the other in your network?
Intrusion Detection System (IDS) - An IDS is a system which checks the network traffic for suspicious activities and alerts the administrator when such activities are found.
An IDS works by capturing the packets from traffic in real time, but it works on copies of the data traffic to detect suspicious activity. This is known as promiscuous mode in IDS. Therefore, the IDS analyzes the copy of the data rather than the original forwarded data packet, which makes its way to the destination, thus allowing some malicious traffic to pass before it can respond.
An IDS working in inline mode provides protection from malicious attacks in real time. In inline mode the actual data packet is checked for suspicious activity, and therefore the IDS can actively block the packet from reaching the destination.
Appropriate to use in Network
It depends on the network that you are using. Both promiscuous and inline mode have their own advantages and disadvantages depending on the network.
For IDS in promiscuous mode -- deploying the sensor in promiscuous mode does not have an impact on the existing network, such as on latency. Moreover, the failure of the sensor does not impact the network. But it sometimes cannot stop malicious packets from reaching the destination. It is less helpful in stopping viruses and worms.
For IDS in inline mode -- deploying the sensor in inline mode means that a failure of the sensor has an impact on the network. It may also affect the performance of the network. But it is helpful in stopping viruses and worms on the network.
IDS in inline-mode is more appropriate given that it has well-defined security policies.
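The difference described above, as an added example that is not part of the original answer: a small model in which a promiscuous-mode sensor inspects a copy of each packet while forwarding continues regardless, and an inline-mode sensor sits in the forwarding path, so it can drop what it flags but also halts traffic when it fails. The packets, the `EVIL` detection token and the fail-closed behaviour of the failed inline sensor are constructed assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes

# Constructed detection rule: flag any payload carrying this marker token.
BAD_TOKEN = b"EVIL"

def is_suspicious(pkt: Packet) -> bool:
    return BAD_TOKEN in pkt.payload

@dataclass
class Result:
    delivered: list = field(default_factory=list)  # packets that reached dst
    alerts: list = field(default_factory=list)     # "src->dst" flagged
    blocked: list = field(default_factory=list)    # "src->dst" dropped

def promiscuous_sensor(stream, rule=is_suspicious) -> Result:
    """Promiscuous mode: a tap/SPAN port hands the sensor a copy; the original
    is forwarded no matter what the sensor decides, so it can only alert."""
    r = Result()
    for pkt in stream:
        r.delivered.append(pkt)  # forwarding never waits on the verdict
        if rule(pkt):
            r.alerts.append(f"{pkt.src}->{pkt.dst}")
    return r

def inline_sensor(stream, rule=is_suspicious, sensor_up=True) -> Result:
    """Inline mode: every packet passes through the sensor before it is
    forwarded, so suspicious packets are dropped. Assumed fail-closed: when
    the sensor is down, nothing is delivered (the network impact on failure)."""
    r = Result()
    for pkt in stream:
        if not sensor_up:
            r.blocked.append(f"{pkt.src}->{pkt.dst}")
        elif rule(pkt):
            r.alerts.append(f"{pkt.src}->{pkt.dst}")
            r.blocked.append(f"{pkt.src}->{pkt.dst}")
        else:
            r.delivered.append(pkt)
    return r

# Constructed sample traffic: one benign, one malicious, one benign packet.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.9", b"GET /index.html"),
    Packet("10.0.0.5", "10.0.0.9", b"EVIL payload"),
    Packet("10.0.0.7", "10.0.0.9", b"GET /about.html"),
]
```

Comparing `promiscuous_sensor(SAMPLE)` with `inline_sensor(SAMPLE)` shows the same alert in both, but only the inline sensor keeps the flagged packet out of `delivered`.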