This chapter was organized around the Cisco six-stage security operations model:

  1. Preparation

  2. Identification

  3. Classification

  4. Trace Back

  5. Reaction

  6. Postmortem

Most of the different functions and features described in this chapter can be used in more than one stage. For example, just the number of generated NetFlow records can be an indicator in the Identification stage, and the NetFlow record details can be used in the Classification and Trace Back stages.

Table 16-2 summarizes this chapter by creating a mapping between the security management process and device instrumentation features and functions as well as security management applications.

Table 16-2. Comparison of Features and Scenarios
Feature/ToolBaselining and ValidationReconnaissanceIntrusionDenial of Service
SNMP MIBscheck mark  check mark
SNMP traps  check markcheck mark
Syslog  check mark 
ACLcheck markcheck markcheck markcheck mark
uRFPcheck mark check mark 
BGP-PAcheck mark   
NetFlow collectioncheck markcheck mark check mark
NetFlow MIBcheck markcheck mark check mark
NBARcheck mark  check mark
IP SLAcheck mark  check mark
IDS  check mark 
Cisco NAMcheck mark  check mark
Cisco SDM check markcheck markcheck mark
Cisco CS-MARScheck markcheck markcheck markcheck mark
Arborcheck markcheck markcheck markcheck mark

Part II: Implementations on the Cisco Devices