Which of the following options would you consider?
(Choose two.)
Implement IDS/IPS agents on each instance running in the VPC.
Configure an instance in each subnet to switch its network interface card to promiscuous mode and analyze network traffic.
Implement Elastic Load Balancing with SSL listeners in front of the web applications.
Implement a reverse proxy layer in front of web servers and configure IDS/IPS agents on each reverse proxy server.
Explanations:
Implementing IDS/IPS agents on each instance allows for the detection and prevention of threats at the instance level. This approach provides tailored protection based on the specific application and its vulnerabilities. However, managing multiple agents can increase complexity and resource usage.
Configuring an instance in each subnet to switch its network interface card to promiscuous mode may allow it to capture traffic; however, this approach is generally impractical in cloud environments like VPCs, where traffic is typically routed through virtualized networking. Promiscuous mode is not supported in all situations and can lead to performance issues.
Implementing Elastic Load Balancing with SSL listeners is a good practice for distributing traffic and encrypting data in transit, but it does not provide intrusion detection or prevention capabilities on its own. While it enhances security through SSL, it lacks the active monitoring and response features that IDS/IPS solutions offer.
Implementing a reverse proxy layer in front of web servers allows for centralized traffic management and the ability to inspect traffic for threats. By configuring IDS/IPS agents on each reverse proxy server, you can analyze traffic before it reaches the web servers, providing an effective layer of security to prevent intrusions.