Cisco Systems, Inc.(R)

Efficient Intrusion Protection

Cisco integrated network security solutions enable organizations to protect productivity gains and reduce operating costs.

The Cisco Intrusion Protection system is designed to protect your data and information infrastructure efficiently. As security threats grow more complex, an efficient network intrusion protection solution is critical to maintaining a high level of protection. Vigilant protection ensures business continuity and minimizes the impact of costly intrusions.

Cisco's advancements deliver an efficient intrusion protection system through four critical elements:

1. Accurate threat detection—Cisco Intrusion Detection System Version 4.0 (Cisco IDS 4.0) delivers the first step in providing a secure environment by comprehensively detecting potential threats.

2. Intelligent threat investigation—Cisco Threat Response technology virtually eliminates false alarms, and automatically determines which threats need immediate attention to avoid costly intrusions.

3. Ease of management—Browser-based tools simplify the user interaction, while providing powerful analytical tools that allow for a rapid and efficient response to threats.

4. Flexible deployment options—A range of high-availability devices provide the flexible backbone for creating the secure and efficient intrusion protection system.

All four elements combine to achieve a secure, efficient, and comprehensive intrusion protection solution.

Accurate Threat Detection

Providing unprecedented security, the Cisco IDS 4.0 is the core of the Cisco Intrusion Protection system. It is designed to accurately identify and classify known and unknown threats targeting your network, including worms, denial-of-service (DoS), and application attacks. The first step in delivering an efficient and secure intrusion protection system is accurately detecting all possible threats. To achieve this goal, multiple detection methods are employed, thus ensuring comprehensive coverage. The methods include stateful pattern recognition, protocol analysis, traffic anomaly detection, and protocol anomaly detection. In addition, Cisco IDS 4.0 enhances the capability to prevent detected attacks from reaching their targets, and several ease-of-use features are integrated to maximize efficiency.

Comprehensive Threat Protection

  • Multiple Detection Methods—Cisco IDS uses an array of detection methods to accurately detect nearly all potential threats. Building on seven years of IDS experience, Cisco delivers a hybrid system using the detection methods most appropriate for the threat, including stateful pattern recognition, protocol analysis, traffic anomaly detection, and protocol anomaly detection. Cisco IDS 4.0 delivers enhancements to these detection methods, most notably in the area of protocol anomaly detection. Additionally, Cisco IDS 4.0 delivers a Layer 2 signature engine to provide protection from ARP spoofing techniques in switched environments. These advanced detection techniques, coupled with anti-IDS-evasion techniques such as IP defragmentation, TCP stream reassembly, and deobfuscation, provide comprehensive protection against an array of threats, allowing users to quickly identify and mitigate potential damage to data or networked assets.
  • Extensive protocol monitoring—Cisco IDS 4.0 can monitor all the major TCP/IP protocols including, but not limited to, IP, Internet Control Message Protocol (ICMP), TCP, and User Datagram Protocol (UDP). It can also statefully decode application-layer protocols such as File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), HTTP, Domain Name System (DNS), remote procedure call (RPC), NetBIOS, NNTP, and Telnet.
  • Comprehensive attack detection—The Cisco IDS 4.0 has the most extensive and comprehensive capability to detect attacks in all of the following categories:
    • Exploit activity—Indicative of someone attempting to gain access to or compromise systems on your network, such as Back Orifice, failed login attempts, and TCP hijacking
    • DoS activity—Indicative of someone attempting to consume bandwidth or computing resources to disrupt normal operations, such as Trinoo, TFN, and SYN floods
    • Reconnaissance activity—Indicative of someone probing or mapping your network to identify "targets of opportunity" such as ping sweeps and port sweeps; usually a precursor to an actual exploit attempt
    • Misuse activity—Indicative of someone attempting to violate corporate policy; this can be detected by configuring the sensor to look for custom text strings in the network traffic; for example, XYZ Corporation could easily configure the Cisco IDS to raise an alarm on, and terminate, any connection that transmits the phrase "XYZ Confidential" in e-mail or FTP
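The two anti-evasion steps named above, TCP stream reassembly and deobfuscation, are easiest to see with a matcher that lacks them beside one that has them. The Python below is an added example, not Cisco code. The signatures, segment boundaries and traffic are all constructed: a percent-encoded CGI request split across three out-of-order TCP segments, and the "XYZ Confidential" misuse string from the last bullet straddling a segment boundary in an SMTP message.

```python
import re
import urllib.parse
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment of a monitored flow (constructed, not a live capture)."""
    seq: int
    payload: bytes


# Constructed signatures. The first is a classic CGI exploit URI used here
# purely as an illustration; the second is the custom policy string from the
# misuse bullet in the text.
SIGNATURES = {
    "WWW phf attack (illustrative)": b"/cgi-bin/phf",
    "Custom policy: XYZ Confidential": b"XYZ Confidential",
}


def split_stream(payload, seq0, cuts):
    """Cut one application message into segments at the given byte offsets."""
    bounds = [0] + list(cuts) + [len(payload)]
    return [Segment(seq0 + a, payload[a:b]) for a, b in zip(bounds, bounds[1:])]


def reassemble(segments):
    """Order segments by sequence number and rebuild the byte stream.
    Bytes covered by a retransmission keep the first copy seen. A gap means
    the stream cannot be inspected yet, so refuse rather than match against
    an incomplete buffer."""
    data = b""
    expected = None
    for seg in sorted(segments, key=lambda s: s.seq):
        if expected is None:
            expected = seg.seq
        if seg.seq > expected:
            raise ValueError("gap in stream at seq %d" % expected)
        fresh = seg.payload[expected - seg.seq:]   # drop already-seen bytes
        data += fresh
        expected += len(fresh)
    return data


def normalize_http(data):
    """Normalize a request so percent-encoding and self-referencing path
    segments cannot hide a URI from a plain substring signature."""
    text = data.decode("latin-1")
    for _ in range(3):                     # bounded: also undoes double-encoding
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    text = re.sub(r"/\./", "/", text)      # /cgi-bin/./phf -> /cgi-bin/phf
    text = re.sub(r"/{2,}", "/", text)     # /cgi-bin//phf  -> /cgi-bin/phf
    return text.encode("latin-1", "replace")


def per_packet_matches(segments):
    """What a matcher that inspects each packet on its own would see."""
    return {name for seg in segments
            for name, pat in SIGNATURES.items() if pat in seg.payload}


def stream_matches(segments, deobfuscate=True):
    """What a stateful matcher sees after reassembly and normalization."""
    data = reassemble(segments)
    if deobfuscate:
        data = normalize_http(data)
    return {name for name, pat in SIGNATURES.items() if pat in data}


# Constructed traffic: an obfuscated request in three segments delivered out
# of order, and an SMTP message whose policy string straddles a boundary.
_http = split_stream(b"GET /cgi%2Dbin/./phf HTTP/1.0\r\n", 1000, (11, 18))
HTTP_SEGMENTS = [_http[2], _http[0], _http[1]]
SMTP_SEGMENTS = split_stream(
    b"Subject: Q3 numbers\r\n\r\nXYZ Confidential - do not forward\r\n", 5000, (32,))

if __name__ == "__main__":
    print("per-packet:", per_packet_matches(HTTP_SEGMENTS) or "nothing")
    print("stream, no deobfuscation:", stream_matches(HTTP_SEGMENTS, False) or "nothing")
    print("stream, deobfuscated:", stream_matches(HTTP_SEGMENTS))
    print("SMTP policy string:", stream_matches(SMTP_SEGMENTS))
```

A per-packet matcher misses both samples; reassembly alone catches the policy string but not the encoded URI; reassembly plus normalization catches both. A real sensor applies protocol-specific decoders (the HTTP normalizer is run over the SMTP text here only because that sample contains no percent signs), tracks sequence space per direction, and bounds the buffer kept per flow so the reassembler itself cannot be exhausted by a flood of half-open streams.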

Damage Prevention

Cisco IDS uses multilayer protection options to prevent an attack from successfully reaching the target. After the attack is accurately identified and classified, the system can stop the attack before damage occurs. Whether dropping the packet, terminating the session, reconfiguring access control lists (ACLs) on routers and switches, or dynamically modifying the firewall policy to "shun" the intruder, Cisco IDS offers an array of immediate response actions to stop attacks that can cost you time and money. Cisco IDS 4.0 enhances these techniques by extending its capability to include shunning by source and destination port number in addition to source and destination IP address. This provides added levels of granularity to the way in which response actions can be configured.
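Whether the response is an ACL pushed to a router or a shun on a firewall, the automated part is the same small decision: which entry to push, at what granularity, and when to take it back out. The Python below is an added example, not Cisco code. The IOS access-list and PIX shun strings follow the general form of those commands, but the ACL number, the never-block list, the addresses and the 30-minute default are all assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Alarm:
    """Flow tuple of an alarm already classified as a real attack (constructed)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# Constructed never-block list. Blocking these would cause an outage if an
# attacker spoofed them as the source of an attack: DNS, management station,
# upstream gateway. Assumed values only.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/29", "192.168.100.5/32")]

# Assumed default: automatic shuns expire; a permanent block is a human decision.
DEFAULT_SHUN_MINUTES = 30


def is_protected(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NEVER_BLOCK)


def ios_ace(alarm, acl=199, by_port=False):
    """Extended IOS access-list entry. With by_port the match is one flow
    (host,port -> host,port); without it, everything from the source host
    to the attacked service."""
    src = f"host {alarm.src_ip}" + (f" eq {alarm.src_port}" if by_port else "")
    return f"access-list {acl} deny {alarm.proto} {src} host {alarm.dst_ip} eq {alarm.dst_port}"


def pix_shun(alarm, by_port=False):
    """PIX shun, general form 'shun src [dst sport dport [proto]]'."""
    if by_port:
        return (f"shun {alarm.src_ip} {alarm.dst_ip} "
                f"{alarm.src_port} {alarm.dst_port} {alarm.proto}")
    return f"shun {alarm.src_ip}"


def plan_response(alarm, by_port=False, minutes=DEFAULT_SHUN_MINUTES):
    """Decide the blocking action for one alarm; never shun a protected source."""
    if is_protected(alarm.src_ip):
        return {"action": "alarm-only",
                "reason": f"{alarm.src_ip} is on the never-block list"}
    return {"action": "shun", "ttl_minutes": minutes,
            "ios": ios_ace(alarm, by_port=by_port),
            "pix": pix_shun(alarm, by_port=by_port)}


def expired_shuns(active, now_s):
    """Shuns whose TTL has passed. `active` maps Alarm -> (installed_at_s, ttl_minutes);
    the caller removes the matching ACE or shun entry."""
    return [a for a, (t0, mins) in active.items() if now_s >= t0 + mins * 60]


if __name__ == "__main__":
    attack = Alarm("203.0.113.9", 40123, "198.51.100.20", 80)
    print(plan_response(attack))
    print(plan_response(attack, by_port=True))
    print(plan_response(Alarm("192.168.100.5", 53, "198.51.100.20", 53, "udp")))
```

The never-block check is the part that matters: an automated shun is a lever an attacker can pull by spoofing the source address of an attack, so DNS servers, management stations and upstream gateways must be excluded before any action is automated. Shunning on the attacker's source port blocks only the one connection that port belonged to (client ports are ephemeral), so the per-flow entry is suited to killing a session and the host-level entry to the timed block.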

Easy to Use

  • Flexible policy language—Because the security objectives for each IDS deployment are unique, Cisco IDS allows users to create and modify policies to specifically suit the environment in which they are deployed. Using the innovative Cisco Threat Analysis Micro Engine (T.A.M.E.) policy language, users have the flexibility to create new policies or modify existing policies to meet their unique security objectives. Because T.A.M.E. policies are decoupled from the sensing application, changes do not affect sensor performance or reliability. Unlike other security languages that rely on simple pattern matching, the Cisco T.A.M.E. language allows users to take advantage of the underlying protocol analysis capabilities. Cisco IDS 4.0 simplifies policy management with improved navigation, allowing global changes to be implemented across categories. Additionally, Cisco IDS 4.0 now provides detailed information about the alarm trigger, providing the user with forensic data and advanced analysis data to simplify the support process.
  • Automated updates to streamline management—Cisco IDS Active Update technology automates the process of updating deployed sensors, thus reducing the operating costs. This process provides a facility to automatically distribute new signature files and application upgrades to sensors without operator involvement. Using a secure staging technique, new signature files are placed on a central server and passed to the sensor at scheduled intervals. After verifying the integrity of the package, the sensor automatically installs the update. This new capability significantly streamlines the process of regularly updating remote sensors, thereby lowering the recurring operational costs associated with this task. Additionally, users can subscribe to Cisco IDS Active Update notification services to stay informed about breaking vulnerability news and posted countermeasures. These policy updates are developed and maintained by the Cisco Countermeasures Research Team (Cisco-CRT). This elite team of security professionals is dedicated to rapid response to new and evolving threats.
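The integrity check that gates an automatic install is worth spelling out, because the order of the checks matters. The Python below is an added example, not the Active Update mechanism itself: the manifest format, the package contents and the shared key are constructed, and an HMAC stands in for whatever vendor signature a real product uses, so that the example runs offline.

```python
import hashlib
import hmac
import json

# Constructed key shared by the staging server and the sensor (assumption;
# a real product verifies a vendor signature rather than a shared secret).
STAGING_KEY = b"constructed-demo-key-do-not-reuse"


def canonical(manifest):
    """Deterministic byte form of the manifest, so both sides MAC the same bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest):
    """Staging server side: tag over the canonical manifest."""
    return hmac.new(STAGING_KEY, canonical(manifest), hashlib.sha256).hexdigest()


def verify_update(manifest, tag, package, installed_version):
    """Sensor side. Authenticate the manifest first, then check the package
    against it, then refuse anything not strictly newer: a replayed old but
    validly signed package is a downgrade attack, not an update."""
    expected = hmac.new(STAGING_KEY, canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return (False, "manifest signature invalid")
    if hashlib.sha256(package).hexdigest() != manifest["sha256"]:
        return (False, "package hash does not match manifest")
    if tuple(manifest["version"]) <= tuple(installed_version):
        return (False, "package version %s is not newer than installed %s"
                % (manifest["version"], list(installed_version)))
    return (True, "install %s" % manifest["name"])


# Constructed package, manifest and sensor state.
PACKAGE = b"signature-update S42 contents (constructed)"
MANIFEST = {"name": "ids-sig-4.0-S42", "version": [4, 0, 42],
            "sha256": hashlib.sha256(PACKAGE).hexdigest()}
TAG = sign_manifest(MANIFEST)
INSTALLED = (4, 0, 41)

if __name__ == "__main__":
    print(verify_update(MANIFEST, TAG, PACKAGE, INSTALLED))
    print(verify_update(MANIFEST, TAG, PACKAGE + b"x", INSTALLED))
    print(verify_update(MANIFEST, TAG, PACKAGE, (4, 0, 42)))
```

The version check is the one most often left out: without it, anyone who can place files on the staging server (or replay its traffic) can roll a sensor back to a signature set that lacks the detection they want to evade, and every check before it will pass.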

Intelligent Threat Investigation

Cisco's Threat Response technology works with Cisco Network IDS sensors to provide an efficient intrusion protection solution. Cisco Threat Response virtually eliminates false alarms, escalates real attacks, and aids in the remediation of costly intrusions.

Unlike other intrusion-management solutions, only Cisco Threat Response technology provides an automated, just-in-time analysis of each targeted host to determine whether a compromise has actually occurred. Only by investigating the host under attack can you efficiently uncover the real intrusions and address them quickly. The automated, real-time capabilities of this technology help protect your network environment around the clock.

The result? False alarms are virtually eliminated and real intrusions are quickly identified and addressed, saving you time, resources, and the high costs associated with recovering from a successful attack.

Increased Efficiency, Reduced Costs

  • Elimination of false alarms and escalation of real attacks—With its innovative intrusion-investigation process focused on the targeted host, Cisco Threat Response accurately determines whether or not an IDS alarm needs your attention. Designed to handle intrusion response in the same way an experienced security officer would, Cisco Threat Response carefully examines the targeted host to determine if the attack worked. This technology uses a three-phased approach:
    • Basic investigation of target vulnerability—The first step involves a noninvasive real-time check of the OS of the targeted system, its patch levels, and its Web services as applicable to determine if the attack could have succeeded. For example, a Linux attack against a Windows system would be downgraded, and indicated as a failed attack, whereas a Windows attack against a Windows system would be indicated as a potentially successful attack.
    • Advanced investigation of target—The second step is a detailed system-level investigation that includes the capture and analysis of Web logs, system logs, and other relevant data. Based on this detailed level of investigation, the Cisco Threat Response technology can determine if an attack succeeded or failed. Failed attacks are downgraded so staff can focus on the critical events. (This capability is available only as part of a CiscoWorks VPN Security Management Solution [VMS] technology bundle.)
    • Forensic data capture—It is not enough to simply tell you that a confirmed problem exists. Cisco Threat Response goes further to actively collect relevant forensic evidence and provide you with intelligent information so you can make informed decisions. This technology immediately copies and safely stores audit trails, log files, and intrusion traces from the targeted system. In this way, the intruder cannot avoid detection by tampering with these files. Cisco Threat Response real-world advice and recovery procedures guide you in dealing with the incident effectively. (This capability is available only as part of a CiscoWorks VMS technology bundle.)
  • Fast, consistent, and automated process—Twenty-four hours a day, seven days a week, Cisco Threat Response robustly, consistently, and automatically investigates attacks that threaten your network. Responding in seconds to a detected network attack, Cisco Threat Response leaves an intruder wondering what happened.
  • Easy deployment—Cisco Threat Response technology allows for host investigation without the need to deploy software agents on each system within the enterprise. This means rapid deployment and ease of maintenance.
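The first phase of the investigation described above, checking whether the target could have been affected at all, is a correlation between the alarm's signature metadata and a host inventory. The Python below is an added example, not Cisco Threat Response code; the inventory, the signature name and the patch identifier are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Host:
    """Inventory record for one monitored host (constructed)."""
    os: str
    patches: Set[str]
    services: Dict[int, str]        # listening port -> service name


@dataclass(frozen=True)
class Alarm:
    """An IDS alarm plus what its signature is known to target (constructed)."""
    signature: str
    dst_ip: str
    dst_port: int
    target_os: str
    target_service: Optional[str] = None
    fixed_by: Optional[str] = None  # patch that closes the hole, if known


def triage(alarm, inventory):
    """Phase-one check: could this attack have worked against this host?

    Returns (disposition, reason). Only a positive mismatch downgrades an
    alarm. A host with no inventory record is escalated for a human, because
    a stale or empty inventory must never silently suppress a real attack."""
    host = inventory.get(alarm.dst_ip)
    if host is None:
        return ("escalated", "no inventory record for target; investigate manually")
    if host.os != alarm.target_os:
        return ("downgraded", f"{alarm.target_os} attack against {host.os} host")
    running = host.services.get(alarm.dst_port)
    if alarm.target_service and running != alarm.target_service:
        return ("downgraded", f"port {alarm.dst_port} runs {running or 'nothing'}, "
                              f"not {alarm.target_service}")
    if alarm.fixed_by and alarm.fixed_by in host.patches:
        return ("downgraded", f"target already has {alarm.fixed_by}")
    return ("escalated", "target OS, service and patch level all match the attack")


# Constructed inventory and a constructed Windows/IIS signature.
INVENTORY = {
    "10.1.1.10": Host("Windows", {"KB-demo-001"}, {80: "IIS", 445: "SMB"}),
    "10.1.1.11": Host("Windows", set(), {80: "IIS"}),
    "10.1.1.12": Host("Windows", set(), {80: "Apache"}),
    "10.1.1.20": Host("Linux", set(), {80: "Apache", 22: "sshd"}),
}
IIS_ATTACK = dict(signature="IIS exploit (illustrative)", dst_port=80,
                  target_os="Windows", target_service="IIS", fixed_by="KB-demo-001")

if __name__ == "__main__":
    for ip in ("10.1.1.20", "10.1.1.10", "10.1.1.12", "10.1.1.11", "10.9.9.9"):
        print(ip, triage(Alarm(dst_ip=ip, **IIS_ATTACK), INVENTORY))
```

Every downgrade here is a positive finding: wrong OS, wrong service on that port, or fix already applied. The phase-one check is only as good as the inventory it reads, so the unknown-host case is escalated rather than quietly dropped; a sensor that downgrades on missing data is a sensor an attacker can blind by hitting hosts the inventory has not caught up with.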

Ease of Management

Cisco provides effective security monitoring and configuration regardless of deployment size using a range of management options. All management tools are designed with an intuitive user interface and easy navigation that enable rapid installation, configuration, and management of security events and devices. In addition, Cisco IDS 4.0 delivers a full-featured, IOS-like command-line interface (CLI) over a secure SSH connection.

Intuitive Event Display

  • Secure, browser-based graphical user interface (GUI)—Alarms can be easily viewed from practically any desktop, no matter which operating system is being used on the desktop. The result is rapid access to data from systems throughout the enterprise. The familiar browser interface enhances ease of use, and data in transit is protected with Secure Sockets Layer (SSL).
  • Unified, scalable view of all security events—With the CiscoWorks VMS Solution, events from all types of security devices, including firewall, virtual private network (VPN), and IDS can be viewed from a single console. Multiple data sources can be supported and managed. This enhances the ability to view security across the enterprise.

Easy Alarm Processing

  • Forensic data—With the Cisco Threat Response technology, the GUI provides a view into the steps taken to investigate and confirm intrusion events. To aid in remediation of intrusions, forensic data collected by this technology is accessible. Examples include Web logs, system logs, and other relevant data. (This capability is available only as part of a CiscoWorks VMS technology bundle.)
  • Correlation of events—CiscoWorks VMS provides event correlation to enable improved confidence in alarm data by corroborating data from multiple security devices.
  • Network security database (NSDB)—The NSDB provides instant access to specific information about the attacks, hyperlinks, potential countermeasures, and related vulnerabilities. Because the NSDB is an HTML database, it can be personalized for each user to include operation-specific information such as response and escalation procedures for specific attacks.

Flexible Reporting and Notification

  • Default reports—Default reports about network activities monitored by sensors on your network include summary reports based on alarms, sources, or destinations. Because these reports are HTML based, they can be sent in e-mail to key administration personnel.
  • Custom reporting—Custom reports can be created to meet the specific needs of your environment.

Simple Configuration

  • Wizard-based configuration—Wizards guide the user through the configuration process, enabling quick and easy configuration of sensors.
  • Automatic updates—Automatic update capabilities maintain the effectiveness of the intrusion protection system, and simplify the regular maintenance.
  • Remote management—Because you are not always at the same computer, or where the IDS system is located, remote access capabilities via a secure Web browser connection allow for easy remote connectivity.

Scalable Enterprise Management

  • Multitiered architecture—CiscoWorks VMS promotes a three-tiered architecture that meets the enhanced scalability needs of enterprise security deployments.
  • Flexible device grouping—Easily manage large IDS deployments by grouping devices by function, by location, or by configuration to perform mass configuration changes.
  • Role-based access control—Control administrative access to ensure proper device authorization.
  • Tiered approval model (optional)—Separate configuration definition and deployment authorities to provide proper audit and control.

Flexible Deployment Options

Cisco offers the widest range of network IDS deployment options, providing customers with the ability to choose the intrusion solution that is most cost-effective for their environments. All solutions are designed for high availability and backed by outstanding customer support from Cisco. Network IDS solutions are available in a range of performance levels from 45 Mbps up to 1 Gbps. Network intrusion protection is available as dedicated appliances using the Cisco 4200 IDS Sensor Series, or as integrated solutions using the Cisco Catalyst® 6500 IDS modules. Additionally, a subset of network IDS functions is available as an integrated solution in routers and firewall systems.

Easy Installation

The Cisco Intrusion Protection system has been designed for easy, rapid deployment. Appliance sensors were designed for technician-level installation: the sensor is plugged into the network, turned on, and configured with a few initialization parameters. Installation of the Catalyst 6500 Series 500 Mbps IDS Service Module is as easy as sliding the module into an open chassis slot, configuring the module with the initialization parameters, and configuring the switch to recognize the card and send traffic to it. After the sensors are initialized and running, configurations can be modified and pushed to them from any of the management consoles.

Worldwide, World Class Support

Cisco provides leading-edge services to extend and enhance the operations of your Cisco Systems products. The Cisco IDS 4200 Series sensors and the Catalyst 6500 IDS Module are covered by a full suite of SMARTnet maintenance options. This includes hardware support as well as sensor software upgrades and access to the latest signatures posted on Cisco.com. The management console software is covered by Software Application Support (SAS) and Software Application Support Plus Upgrades (SASU).

Network IDS Deployment Options

  • Cisco IDS 4200 Series sensors—Dedicated IDS solutions enable deployment of IDS sensors wherever they are needed in the network architecture. Four performance levels are available:
    • Cisco IDS 4210—45 Mbps
    • Cisco IDS 4235—200 Mbps
    • Cisco IDS 4250—500 Mbps
    • Cisco IDS 4250 XL—1000 Mbps
  • Cisco IDSM-2 Module for the Cisco Catalyst 6500 chassis—This product efficiently integrates full IDS capabilities into the Cisco Catalyst Switch via a dedicated module, providing integrated protection at 500 Mbps.
  • Switch sensor—The switch sensor provides a limited set of IDS capabilities via a software solution integrated into the OS for the Cisco Catalyst 6500 Series switches.
  • Router sensor—The router sensor provides a focused set of IDS capabilities via a software solution integrated into the router OS.
  • Firewall sensor—The firewall sensor provides a focused set of IDS capabilities via a software solution integrated into the firewall OS.


Copyright 2003 | Cisco Systems, Inc.- All Rights Reserved