Cisco Intrusion Detection

Nov 24,2008 by admin


Introduction

In Chapter 1, we learned the fundamental principles and theory of security and intrusion detection systems. We also looked at Cisco-centric security mechanisms such as Cisco AVVID and SAFE. Cisco focuses on two primary types of IDSs: Host IDSs and Network IDSs. Within each of these systems, Cisco develops products that promote an "active defense" to secure the network environment. Cisco Active Defense focuses on three points:

  • Detection: The ways and means to identify malicious attacks on networks and resources.

  • Prevention: How to stop detected attacks from being executed.

  • Reaction: How to immunize the systems from future attacks and provide real-time alerts.

We'll learn that Cisco IDS sensors provide Active Defense detection using several methods, including signature detection and other hybrid techniques. We'll also discuss the ways Cisco IDS can stop an attacker in his tracks by sending TCP resets or dynamically manipulating firewall rule sets to prevent unwanted access. Finally, we'll see how Cisco IDS solutions, such as the Host IDS sensor, can protect your resources, thwarting attacks through intelligent integration with application services and operating systems.

But just what is Cisco Intrusion Detection? In this chapter, we'll answer that question as we look closely at the specific Network and Host IDS platforms that make up the Cisco IDS solution. We'll discuss the 4200 IDS Sensor product line, the new IDS modules available for the Cisco Catalyst 6500 and Cisco 2600, 3600, and 3700 routers, and the Cisco Host IDS software.

Next, we'll examine how to effectively manage the Cisco intrusion detection systems by using tools like Cisco IDS Event Viewer (IEV), IDS Device Manager (IDM), Cisco Secure Policy Manager (CSPM), and CiscoWorks VPN/Security Management Solution (VMS). Each of these tools has benefits for different environments and uses different mechanisms and protocols to communicate with Cisco IDSs in the network. We will discuss two protocols that Cisco has used to facilitate communication between the management stations and the sensors: the Cisco PostOffice Protocol and the Cisco Remote Data Exchange Protocol.

Finally, we'll discuss in detail where Cisco IDS may be best deployed in the network. While each network environment requires different security approaches, there are several guiding principles regarding the intelligent and effective deployment of Cisco IDS.

Let's begin by defining Cisco Intrusion Detection.

