Effective CISSP Questions

Your organization implemented an intrusion detection system (IDS) with passive sensors that receive traffic from switch hubs through spanning ports. However, it cannot analyze the activity within encrypted network communications. Which of the following is the most effective solution?
A. Install IDS agents on endpoints.
B. Install an IDS load balancer to distribute traffic.
C. Install an inline IDS sensor in front of the firewall.
D. Install an IDS sensor tapped to the firewall internal interface.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Install IDS agents on endpoints.

A host-based IDS can monitor and analyze the activity within encrypted network communications by installing agents on endpoints. A network-based IDS, relying on sensors to passively sniff traffic, is not able to do so because encrypted activities are typically protected end to end. Options B, C, and D are network-based IDS.

NIST SP 800-94 introduces four IDS deployment reference models:

  • Host-Based
  • Network-Based
  • Network Behavior Analysis (NBA)
  • Wireless

A network-based IDS can be hardened and deployed, inline or passive (network tapped or sniffing), in front of a firewall. However, it’s more common to deploy it behind a firewall in a more secure environment.

A (network-based) IDS with Network Behavior Analysis (NBA) capability monitors traffic passing through gateways and traffic across internal networks through switch hubs.

Passive Network-Based IDPS Sensor Architecture Example
Passive Network-Based IDPS Sensor Architecture Example (Source: NIST SP 800-94)



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

您的組織建置了帶有被動式傳感器(passive sensor)的入侵檢測系統(IDS),這些傳感器通過鏡像埠(spanning port)從交換集線器接收流量。 但是,它無法分析加密的網絡通信活動。 以下哪項是最有效的解決方案?
A. 在端點上安裝IDS代理(agent)。
B. 安裝IDS負載均衡器以分配流量。
C. 在防火牆的前面安裝一個串接式(inline)的IDS傳感器。
D. 在防火牆內部接口上安裝一個IDS傳感器。

Leave a Reply