This chapter was organized around the Cisco six-stage security operations model:

- Preparation
- Identification
- Classification
- Trace Back
- Reaction
- Postmortem
Most of the functions and features described in this chapter apply to more than one stage. For example, the number of generated NetFlow records alone can serve as an indicator in the Identification stage, while the NetFlow record details are used in the Classification and Trace Back stages.

Table 16-2 summarizes this chapter by mapping the security management process to device instrumentation features and functions as well as security management applications.
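The NetFlow use described above, as an added example that is not from the book: the record count per export interval serves as the Identification indicator, and the record details then drive Classification and Trace Back. The flow records are constructed sample data in a simplified tuple layout; the interval and input ifindex fields are assumptions, not a real export format.

```python
# Added example (not from the book): NetFlow record volume for Identification,
# record details for Classification and Trace Back. All flows are constructed.
from collections import Counter
from statistics import mean, pstdev

# Record layout (assumption): (interval, src_addr, dst_addr, dst_port, proto, in_ifindex)
def _steady_state(interval, n):
    """Constructed baseline: n web/DNS flows from internal hosts arriving on ifindex 1."""
    return [(interval, f"10.1.1.{5 + j}", "10.2.2.10", (80, 443, 53)[j % 3], 6, 1)
            for j in range(n)]

FLOWS = sum((_steady_state(i, n) for i, n in enumerate((3, 4, 3, 4, 3))), [])
# Interval 5 (constructed): one external source touching many ports on one host via ifindex 2.
FLOWS += [(5, "192.0.2.9", "10.2.2.10", port, 6, 2) for port in range(20, 32)]

def records_per_interval(flows):
    """Number of NetFlow records exported per interval."""
    return Counter(f[0] for f in flows)

def identify(flows, baseline_intervals, k=3.0):
    """Identification: flag intervals whose record count exceeds baseline mean + k*sigma.
    Only the record count is used here, no flow details."""
    per = records_per_interval(flows)
    base = [per[i] for i in baseline_intervals]
    threshold = mean(base) + k * pstdev(base)
    return sorted(i for i, n in per.items() if i not in baseline_intervals and n > threshold)

def classify(flows, interval):
    """Classification: shape of the flagged traffic. One host/many ports points to a scan,
    one host/one port/many sources points to a flood."""
    sel = [f for f in flows if f[0] == interval]
    return {"records": len(sel),
            "dst_hosts": len({f[2] for f in sel}),
            "dst_ports": len({f[3] for f in sel}),
            "sources": len({f[1] for f in sel})}

def trace_back(flows, interval):
    """Trace Back: sources and the input interfaces that carried them. The ifindex is the
    reliable pivot toward the upstream device, since source addresses may be spoofed."""
    return Counter((f[1], f[5]) for f in flows if f[0] == interval)

if __name__ == "__main__":
    for i in identify(FLOWS, range(5)):
        print(f"interval {i}: {classify(FLOWS, i)}")
        print(f"  top (src, ifindex): {trace_back(FLOWS, i).most_common(1)}")
```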
| Feature/Tool | Baselining and Validation | Reconnaissance | Intrusion | Denial of Service |
|---|---|---|---|---|
| SNMP MIBs | | | | |
| SNMP traps | | | | |
| Syslog | | | | |
| ACL | | | | |
| uRPF | | | | |
| BGP-PA | | | | |
| NetFlow collection | | | | |
| NetFlow MIB | | | | |
| NBAR | | | | |
| IP SLA | | | | |
| IDS | | | | |
| Cisco NAM | | | | |
| Cisco SDM | | | | |
| Cisco CS-MARS | | | | |
| Arbor | | | | |