Introduction

In Chapter 1, we learned the fundamental principals and theory of security and intrusion detection systems. We also looked at Cisco-centric security mechanisms such as Cisco AVVID and SAFE. Cisco focuses on two primary types of IDSs, Host IDSs, and Network IDSs. Within each of these systems, Cisco develops products that promote an "active defense" to secure the network environment. Cisco Active Defense focuses on three points:

• Detection The ways and means to identify malicious attacks on networks and resources.

• Prevention How to stop detected attacks from being executed.

• Reaction How to immunize the systems from future attacks and provide real-time alerts.

We'll learn that Cisco IDS sensors provide Active Defense detection using several methods, including signature detection and other hybrid techniques. We'll also discuss the ways Cisco IDS can stop an attacker in his footsteps by sending TCP resets or dynamically manipulating firewall rule sets to prevent unwanted access. Finally, we'll see how Cisco IDS solutions, such as the Host IDS sensor, can protect your resources, thwarting attacks through intelligent integration with application services and operating systems.

But, just what is Cisco Intrusion Detection? In this chapter, we'll answer that question as we look closely at the specific Network and Host IDS platforms that comprise the Cisco IDS solution. We'll discuss the 4200 IDS Sensor product line, the new IDS modules available for the Cisco Catalyst 6500 and Cisco 2600, 3600, and 3700 routers, and the Cisco Host IDS software.

Next, we'll examine how to effectively manage the...