This section covers how Cisco IDS can monitor and identify intruder-based attacks and how security information is monitored and acted upon.
Cisco IDS uses multilayer protection options to prevent an attack from reaching its end target, such as a file server or desktop computer. After the attack or intruder-based traffic is identified and determined to be intrusive, the network administrator can stop the attack before serious damage occurs. Responses include dropping the packet, resetting (terminating) the TCP session, modifying ACLs on routers and switches in real time, or dynamically modifying the firewall policy to shun (block) the intruder.
Analyzing the log files can be a daunting task for any security expert. Cisco IDS 4.0 and later provides a more detailed database of information about the alarms triggered, giving the user forensic data and advanced analysis data that simplify the support process.
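The two paragraphs above describe the response actions (drop, TCP reset, ACL change, firewall shun) and the alarm data an analyst works from. The following is an added illustration, not Cisco's code and not a reproduction of any Cisco IDS alarm format: it parses a constructed, simplified alarm log, summarizes alarms per source for triage, and maps each alarm to one of those response actions. The signature IDs (`HYPO-…`), the addresses, and the `NEVER_SHUN` network are all constructed assumptions. The policy deliberately refuses to shun addresses inside the protected network, because an automatic block triggered by a spoofed or misattributed source can lock out legitimate hosts; for those it falls back to per-packet drop and session reset.

```python
"""Toy IDS alarm triage and response-policy engine (added example).

The alarm lines, signature ids and networks below are constructed for
illustration and do not reproduce a real Cisco IDS format.
"""
import ipaddress
import shlex
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample alarm log: timestamp followed by key=value fields.
SAMPLE_ALARMS = """\
2004-03-01T10:15:02 sev=high   sig=HYPO-1001 name="TCP SYN flood"        src=203.0.113.7  dst=192.0.2.10 proto=tcp
2004-03-01T10:15:03 sev=low    sig=HYPO-2002 name="ICMP echo sweep"      src=203.0.113.7  dst=192.0.2.0  proto=icmp
2004-03-01T10:15:09 sev=high   sig=HYPO-3003 name="HTTP buffer overflow" src=198.51.100.5 dst=192.0.2.20 proto=tcp
2004-03-01T10:15:11 sev=medium sig=HYPO-4004 name="FTP brute force"      src=192.0.2.50   dst=192.0.2.21 proto=tcp
2004-03-01T10:15:14 sev=high   sig=HYPO-1001 name="TCP SYN flood"        src=203.0.113.7  dst=192.0.2.11 proto=tcp
2004-03-01T10:15:20 sev=high   sig=HYPO-3003 name="HTTP buffer overflow" src=192.0.2.50   dst=192.0.2.20 proto=tcp
"""

# Constructed: the protected network itself must never be shunned outright.
NEVER_SHUN = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass
class Alarm:
    timestamp: str
    severity: str
    signature: str
    name: str
    src: str
    dst: str
    proto: str


def parse_alarm(line: str) -> Alarm:
    """Parse one constructed alarm line; shlex keeps the quoted name intact."""
    tokens = shlex.split(line)
    fields: Dict[str, str] = {}
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")
        if not sep:
            raise ValueError(f"malformed token {tok!r} in alarm line")
        fields[key] = value
    return Alarm(timestamp=tokens[0], severity=fields["sev"], signature=fields["sig"],
                 name=fields["name"], src=fields["src"], dst=fields["dst"],
                 proto=fields["proto"])


def parse_alarms(text: str) -> List[Alarm]:
    return [parse_alarm(line) for line in text.splitlines() if line.strip()]


def alarms_by_source(alarms: List[Alarm]) -> Dict[str, int]:
    """Forensic summary: how many alarms each source address generated."""
    return dict(Counter(a.src for a in alarms))


def in_protected_network(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NEVER_SHUN)


def choose_response(alarm: Alarm, shunned: Set[str]) -> str:
    """Map one alarm to a response action from the text; `shunned` tracks
    sources already blocked so the firewall policy is changed only once."""
    if alarm.severity == "low":
        return "log"                      # record only, no active response
    if alarm.severity == "medium":
        # terminate the offending session when there is one to terminate
        return "tcp-reset" if alarm.proto == "tcp" else "log"
    # high severity: block the source at the firewall/ACL unless it is one of
    # our own hosts, where an automatic block could lock out legitimate users
    if in_protected_network(alarm.src):
        return "drop-and-reset" if alarm.proto == "tcp" else "drop"
    if alarm.src in shunned:
        return "already-shunned"
    shunned.add(alarm.src)
    return f"shun {alarm.src}"


def triage(text: str) -> List[str]:
    """Run the whole log through the policy, one decision line per alarm."""
    shunned: Set[str] = set()
    return [f"{a.signature} {a.src}->{a.dst}: {choose_response(a, shunned)}"
            for a in parse_alarms(text)]


if __name__ == "__main__":
    for src, count in sorted(alarms_by_source(parse_alarms(SAMPLE_ALARMS)).items()):
        print(f"{src}: {count} alarm(s)")
    for decision in triage(SAMPLE_ALARMS):
        print(decision)
```

Running the file prints the per-source alarm counts followed by one decision per alarm; the repeated SYN-flood alarm from the same external source is reported as already shunned rather than producing a second firewall change, and the high-severity alarm attributed to an internal host gets drop-and-reset instead of a shun.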
The scenario at the end of this chapter details a typical attack scenario and how to decipher the details provided. This is the best method to demonstrate the capabilities of the IDS sensors, and the exam performs the same testing procedures on candidates. CCIE Security candidates can expect to be given similar scenarios and asked to answer questions based on the information provided.