How much an IDS/IPS can see, and whether it can stop anything, depends on where it sits in the network topology. Two choices set the posture: passive monitoring versus in-line prevention, and how the traffic reaches the sensor (SPAN or TAP).
SPAN (port mirroring) has the switch copy frames from one or more source ports or VLANs to a monitor port. It costs nothing extra, but the copy is best-effort: a single full-duplex 1 Gb/s link can carry up to 2 Gb/s in both directions combined, more than a 1 Gb/s destination port can forward, so under load the switch silently discards mirrored frames (and most switches do not mirror corrupt or undersized frames at all). A network TAP is a hardware device inserted in the link path that passes every bit on the wire to its monitor ports regardless of load and without asking the switch for anything. Note that a TAP guarantees delivery only to the monitor port: the sensor's NIC and capture stack are still where packets can be lost.
💡 Pro-tip: Use hardware TAPs for critical perimeter and core links. SPAN ports are acceptable for monitoring internal, lower-priority VLANs where occasional loss is tolerable, provided you have worked out how far the destination port is oversubscribed at peak.
Check that the sensor interface connected to the TAP has come up at the link's full rate (e.g. 10 Gb/s, not a 1 Gb/s fallback), runs in promiscuous mode with receive offloads (GRO/LRO) disabled, and that its receive drop counters stay flat under peak load; a half-speed or mis-tuned NIC turns a lossless TAP feed into a lossy one. A full-duplex breakout TAP also delivers each direction on its own monitor port, so the sensor needs two capture interfaces per tapped link (an aggregation TAP merges them onto one port but reintroduces the 2:1 oversubscription problem when both directions are busy).
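The following shell script is an added example for this lab, not part of the original page or of any vendor's tooling. It puts the SPAN oversubscription arithmetic and the sensor-side checks above into a runnable form for a Linux sensor: it computes the worst-case monitor traffic a SPAN destination must carry, parses receive drop counters out of `/proc/net/dev`, reads the negotiated link speed from `ethtool`, and shows the `ip`/`ethtool` settings for a capture interface. The interface name `eth1`, the expected 10 Gb/s link speed and the script filename `sensor_check.sh` are assumptions; adjust them for your sensor.

```shell
#!/bin/sh
# Added example for this lab page (not part of the original text): sanity
# checks for a Linux IDS sensor's capture interface fed by a TAP or SPAN port.
# Interface name (eth1), expected link speed (10000 Mb/s) and the script
# name used in the guard at the bottom are assumptions.
set -eu

# Worst-case monitor traffic (Mbit/s) when both directions of <n_links>
# full-duplex <link_mbps> links are mirrored: both directions can run at
# line rate at once, so one 1G link can hand a SPAN destination 2G.
span_worst_case_mbps() {
    echo $(( $1 * 2 * $2 ))
}

# Exit 0 when a SPAN destination of <dest_mbps> cannot carry the worst case
# from <n_links> x <link_mbps>, i.e. the switch will drop mirrored frames
# under load; exit 1 when the destination has headroom.
span_oversubscribed() {
    [ "$(span_worst_case_mbps "$1" "$2")" -gt "$3" ]
}

# Print the receive drop counter for <iface> from a /proc/net/dev snapshot
# passed as <text>. Receive columns after the interface name are:
#   bytes packets errs drop fifo frame compressed multicast
# The name is glued to a colon (and to the first number when it is wide),
# so the colon is turned into whitespace before splitting into fields.
rx_drops_from_snapshot() {
    printf '%s\n' "$2" | sed 's/:/ /' | awk -v ifc="$1" '$1 == ifc { print $5 }'
}

# Print the negotiated speed in Mbit/s reported by ethtool, or nothing when
# ethtool is unavailable or the link is down ("Speed: Unknown!").
link_speed_mbps() {
    command -v ethtool >/dev/null 2>&1 || return 0
    ethtool "$1" 2>/dev/null | awk '/Speed:/ { gsub(/[^0-9]/, "", $2); print $2 }'
}

# Put <iface> into a sensor-friendly state: promiscuous, link up, and no
# segmentation or receive offloads (they merge frames, so the IDS would see
# packets the wire never carried). Run once as root; not called by main.
tune_capture_iface() {
    ip link set dev "$1" promisc on up
    ethtool -K "$1" gro off lro off tso off gso off
}

# Sample rx drops on <iface> twice, <secs> apart, and print the delta. On a
# TAP-fed sensor any positive value means the host, not the network, is
# losing packets (NIC ring too small, CPU-bound capture, wrong link speed).
rx_drop_delta() {
    before=$(rx_drops_from_snapshot "$1" "$(cat /proc/net/dev)")
    sleep "$2"
    after=$(rx_drops_from_snapshot "$1" "$(cat /proc/net/dev)")
    echo $(( after - before ))
}

main() {
    iface="${1:-eth1}"        # assumed sensor capture NIC
    expect="${2:-10000}"      # assumed TAP link speed in Mb/s
    speed=$(link_speed_mbps "$iface")
    if [ -n "$speed" ] && [ "$speed" -ne "$expect" ]; then
        echo "WARNING: $iface negotiated ${speed}Mb/s, expected ${expect}Mb/s" >&2
    fi
    if [ -r /proc/net/dev ]; then
        echo "$iface rx drops over 5s: $(rx_drop_delta "$iface" 5)"
    fi
    if span_oversubscribed 1000 1 1000; then
        echo "one full-duplex 1G link mirrored to a 1G SPAN port is 2:1 oversubscribed at peak"
    fi
}

# Run the live checks only when executed as sensor_check.sh, not when sourced.
case "$0" in *sensor_check.sh) main "$@" ;; esac
```

Run it as `./sensor_check.sh eth1 10000` on the sensor after cabling the TAP; a non-zero drop delta while the link is busy, or a speed warning, means the bottleneck is the sensor rather than the aggregation method. The functions can also be sourced into a larger health check.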
An IPS can only drop or modify traffic that passes through it, so it is deployed in-line, as a bump in the wire between two network segments. An IDS needs only a copy, so it sits out-of-band on a TAP or SPAN feed; it can alert, but it cannot block on its own (anything it "blocks" happens after the fact, via a firewall rule or TCP reset). Because an in-line device is a single point of failure for everything behind it, it needs redundancy (an HA pair) and an explicit failure mode: fail-open, where a hardware bypass keeps traffic flowing uninspected, or fail-closed, where the link goes down with the IPS.
⚠️ Never put an IPS in-line without deciding, and testing, its failure mode. A hardware bypass card fails open: if the IPS loses power, crashes, or stops answering the card's heartbeat, relays physically bridge the two network ports and traffic flows uninspected, keeping the business online. Where confidentiality outranks availability (a segment that must never be reachable uninspected), choose fail-closed instead. Either way, prove the behaviour by pulling power during a maintenance window rather than discovering it in an outage.
| Method | Packet loss risk | Cost |
|---|---|---|
| SPAN port | High under load: best-effort copy, destination port easily oversubscribed (2:1 for one full-duplex link of the same speed) | Low (built into the switch) |
| Network TAP | None at the TAP; the sensor NIC and capture stack remain the bottleneck | High (dedicated hardware per link) |
| In-line IPS | Not loss as such: drops are deliberate blocks, but it adds latency and is a single point of failure | High (HA pair plus bypass hardware) |