48 Network Intrusion Prevention Design Guide: Using IBM Security Network IPS
You use the Logs area of the dashboard of your Network IPS appliance to view
system, firewall, and security alert logs. You can filter these lists for specific
keywords and network characteristics and then save your searches for future use.
You use the Diagnostics area of your Network IPS appliance to test
communications and trace IP packets.
In the Downloads section, you can view and download log files and packet
captures that are associated with your Network IPS appliance and translate log
2.2.3 Deployment options
The IBM Security Network IPS appliances can be cabled and configured in
several types of deployment scenarios. For a more detailed description of these
options, including HA scenarios, see Chapter 3, “IBM Security Network IPS
architecture” on page 73. This chapter focuses on introducing some of the
Inline or passive mode
The IBM Security Network IPS supports three modes of operation:
Passive monitoring mode is similar to a traditional intrusion detection system
(IDS). It sits on a side channel of the production network and passively
listens to and analyzes the traffic using a promiscuous interface. In this
mode, responding to TCP attacks is done manually by sending TCP reset
packets to both source and destination hosts to prevent certain attacks.
Inline simulation mode acts as a learning mode for the appliance sitting inline
in the network, alerting you about traffic that might otherwise have been
blocked (in inline prevention mode). This mode is often used by organizations
to ensure that no false positives are blocking valid traffic before converting to
inline protection mode.
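The false-positive check that inline simulation mode is meant to support can be scripted over the exported alerts. The following is an added illustration, not IBM code: the record layout, the signature names, and the known-good host list are all constructed for this example, and a real Network IPS export will look different.

```python
"""Review inline-simulation alerts before switching to inline protection.

Added illustration, not IBM code. The record format below is constructed
for this example; real Network IPS log and export formats differ.
"""
from collections import Counter, defaultdict

# Constructed sample of alerts raised while the appliance was in inline
# simulation mode. Each line is:
#   timestamp,mode,signature,src_ip,dst_ip,simulated_action
SAMPLE_ALERTS = """\
2024-03-01T10:00:01,simulation,HTTP_SQL_Injection,203.0.113.5,10.0.0.8,would_block
2024-03-01T10:00:07,simulation,HTTP_SQL_Injection,203.0.113.5,10.0.0.8,would_block
2024-03-01T10:01:12,simulation,SMB_Brute_Force,10.0.0.42,10.0.0.9,would_block
2024-03-01T10:02:30,simulation,ICMP_Echo,10.0.0.42,10.0.0.9,log_only
2024-03-01T10:03:45,simulation,DNS_Tunneling,10.0.0.15,10.0.0.53,would_block
"""

# Hosts the security team has verified as legitimate (constructed values):
# an internal vulnerability scanner and a monitoring server.
KNOWN_GOOD_SOURCES = {"10.0.0.42", "10.0.0.15"}


def parse_alerts(text):
    """Turn the constructed comma-separated records into dicts."""
    fields = ("ts", "mode", "signature", "src", "dst", "action")
    return [dict(zip(fields, line.split(","))) for line in text.splitlines() if line]


def review_simulation(alerts, known_good):
    """Summarise what inline protection mode would have blocked.

    Returns (blocks_per_signature, suspected_false_positives); the second
    item maps signature -> set of known-good sources it would have blocked.
    """
    per_sig = Counter()
    suspects = defaultdict(set)
    for a in alerts:
        if a["mode"] != "simulation" or a["action"] != "would_block":
            continue
        per_sig[a["signature"]] += 1
        if a["src"] in known_good:
            suspects[a["signature"]].add(a["src"])
    return per_sig, dict(suspects)


def ready_for_protection(alerts, known_good):
    """Gate: move to inline protection only when no known-good host would be
    blocked; otherwise the flagged signatures need tuning first."""
    _, suspects = review_simulation(alerts, known_good)
    return not suspects
```

With the sample above, the gate returns False because two signatures would block verified-legitimate hosts, which is exactly the kind of finding simulation mode exists to surface before traffic is actually dropped.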
Inline protection mode also sits inline on the wire. However, it actively blocks
malicious and unwanted traffic according to the security policy that has been
applied, without user intervention being required. The malicious packets are