■ Promiscuous mode—The Security Appliance can send copies of live traffic assigned to
the IPS policy to the AIP-SSM for inspection. Using promiscuous mode avoids direct
manipulation of the live traffic flow, allowing higher throughput and avoiding the latency
that inline mode may introduce. What is lost is the ability to stop an attack as it is
happening. Without direct access to the live traffic flow, the AIP-SSM works in a
reactive security state: it rarely responds while an attack is in progress, and a security
administrator may need to intervene manually to stop the attack.
Redirecting traffic to a secondary module introduces an additional point of failure. If the
AIP-SSM module fails for any reason, the traffic that has been redirected there would be dropped
altogether. This could be a problem if the security policy for a site requires it to be always online. Two
options are supported in the ips command to resolve this issue: