
Zero-day attacks through a SIG

jlwomeld
Level 1

Can the IDS catch zero-day attacks and report on them?

Thanks

4 Replies

DFiore
Level 1

I think as long as the "zero day" attack uses a vulnerability with a sig it should.

An example is a "new" way to exploit ASN.1. This new exploit should cause the ASN.1 vulnerability signature to fire on the IDS.

However, a true zero-day attack (an unknown vulnerability with exploit code to take advantage of it) would probably get through unnoticed.

Is this the opinion of Cisco as well?

By definition, a "zero-day" attack is one that is unknown and does not have a signature, yet. That is where a behavior-based IDS comes in handy instead of a signature-based one. It should provide additional protection for zero-day attacks.

If you are looking for a Cisco product in this realm, you should look at Cisco Security Agent (a Host-based IDS that looks at behavior, not signatures).

Here is my take on this subject. Security should be installed in layers. From the perimeter to the core and then on end points and network nodes. You should have properly hardened routers backed up by a firewall with IDS/IPS on the outside and inside. Then a properly segmented network by way of VLANs etc. to allow traffic only where it needs to go. Should anyone get past these measures, then host-based intrusion prevention by products such as Cisco Security Agent will come into play for "zero-day" attacks. CSA works off rules, not patterns, so the end result is if the "zero-day" attack tries to do something it is not allowed to do, write to the registry, delete files, etc., CSA kicks in to stop it. No signatures needed.

Learn more about this and other fine Cisco products at http://www.cisco.com/en/US/products/hw/vpndevc/index.html

Now go ask John Chambers if my endorsement check is ready. I have a car note due.

Hope this helps.

Please remember to rate all replies
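The difference the two replies above describe, a pattern matcher that only recognises payloads it has already seen versus a rule engine that judges what a process is allowed to do, can be shown on a small constructed host trace. The following is an added example, not Cisco IDS or CSA code; the process name, paths, registry key, byte pattern and events are all made up for the illustration.

```python
"""Signature matching versus behaviour rules on a constructed host trace.

Added illustration of the distinction drawn in the thread; it is not
Cisco IDS or CSA code. Process names, paths, the byte pattern and the
trace itself are made up for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HostEvent:
    process: str          # process performing the action, e.g. "webserver"
    action: str           # "net_recv", "file_write", "registry_write", "spawn"
    target: str           # peer address, file path, registry key or child program
    payload: bytes = b""  # received data; only meaningful for "net_recv"


# --- Signature-based detection: recognises only what has been analysed ------
# Constructed signature: a byte pattern taken from a previously seen exploit.
SIGNATURES = {
    "known-exploit-A": b"\x90\x90\x90\x90CMD",
}


def signature_alerts(events):
    """(signature name, event) for each payload that contains a known pattern."""
    return [(name, ev)
            for ev in events
            for name, pattern in SIGNATURES.items()
            if pattern in ev.payload]


# --- Behaviour rules: what a process class may do, however it was provoked --
# (process, action) -> allowed target prefixes; an empty tuple means never.
# Actions with no rule (e.g. "net_recv") are not judged by this policy.
POLICY = {
    ("webserver", "file_write"): ("C:\\inetpub\\wwwroot\\uploads\\", "C:\\inetpub\\logs\\"),
    ("webserver", "registry_write"): (),
    ("webserver", "spawn"): (),
}


def behaviour_alerts(events):
    """(rule, event) for each action the policy does not permit."""
    alerts = []
    for ev in events:
        allowed = POLICY.get((ev.process, ev.action))
        if allowed is None:
            continue
        if not any(ev.target.startswith(prefix) for prefix in allowed):
            alerts.append((f"{ev.process} may not {ev.action} {ev.target}", ev))
    return alerts


# Constructed trace: the known exploit, then a variant whose payload differs
# from the signature but which drives the same post-exploitation actions.
TRACE = [
    HostEvent("webserver", "net_recv", "203.0.113.7", b"GET /a " + b"\x90\x90\x90\x90CMD"),
    HostEvent("webserver", "spawn", "cmd.exe"),
    HostEvent("webserver", "net_recv", "203.0.113.9", b"GET /b " + b"\x41\x41\x41\x41CMD"),
    HostEvent("webserver", "registry_write",
              "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
    HostEvent("webserver", "file_write", "C:\\Windows\\System32\\drivers\\x.sys"),
    HostEvent("webserver", "file_write", "C:\\inetpub\\wwwroot\\uploads\\report.pdf"),
]


def compare(events=TRACE):
    """Summarise what each approach catches on the trace."""
    return {
        "signature": [name for name, _ in signature_alerts(events)],
        "behaviour": [ev.action for _, ev in behaviour_alerts(events)],
    }


if __name__ == "__main__":
    for approach, hits in compare().items():
        print(f"{approach:10s} -> {hits}")
```

On this trace the signature matcher fires once, on the request it already knows, and stays silent on the variant; the behaviour rules never look at the payload and flag the shell spawn, the Run-key write and the write into System32 regardless of which request caused them, while the benign upload passes. That is the "no signatures needed" point, with the usual caveat that the rule set has to be written tightly for each process class, or it will either miss actions it never anticipated or drown the operator in false denials.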

Just thought I would throw this into the conversation.

The Cisco Anomaly Guard and Anomaly Detector products are designed to look for and protect from anomalous traffic on the network. The anomalous traffic can often be caused by "zero-day" attacks.

There is an Ask The Expert event that started on July 28th and will last until August 11th that is specifically discussing the Guard and Detector.

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddbc7d1

If you want to learn more about how Guard and Detector can help in protecting against "zero-day" attacks you might try posting a comment on the Ask the Expert postings.
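The principle behind an anomaly detector, as opposed to the signature and behaviour-rule approaches discussed earlier in the thread, is to learn what normal traffic volume looks like and then alert when the observed volume departs from that baseline. The following is an added example of that idea over constructed flow records; it is not Cisco Guard or Detector code, and the record format, addresses, interval counts and the mean-plus-k-sigma threshold are assumptions made for the illustration.

```python
"""Volume anomaly detection on constructed flow records.

Added illustration of the idea behind an anomaly detector (learn a
per-destination baseline, then alert on deviations from it); it is not
Cisco Guard or Detector code. The record format, addresses and packet
counts are made up for the example.
"""
import re
import statistics
from collections import defaultdict

# Constructed flow summaries: packets per interval t towards a destination.
# Intervals 0-4 are quiet; a flood against 198.51.100.10 starts at t=7.
FLOW_LOG = """\
t=0 dst=198.51.100.10 pkts=99
t=1 dst=198.51.100.10 pkts=101
t=2 dst=198.51.100.10 pkts=100
t=3 dst=198.51.100.10 pkts=98
t=4 dst=198.51.100.10 pkts=102
t=5 dst=198.51.100.10 pkts=101
t=6 dst=198.51.100.10 pkts=104
t=7 dst=198.51.100.10 pkts=900
t=8 dst=198.51.100.10 pkts=850
t=9 dst=198.51.100.10 pkts=100
t=0 dst=198.51.100.20 pkts=20
t=1 dst=198.51.100.20 pkts=20
t=2 dst=198.51.100.20 pkts=20
t=3 dst=198.51.100.20 pkts=20
t=4 dst=198.51.100.20 pkts=20
t=5 dst=198.51.100.20 pkts=21
t=6 dst=198.51.100.20 pkts=24
t=7 dst=198.51.100.20 pkts=20
"""

LINE_RE = re.compile(r"t=(\d+) dst=(\S+) pkts=(\d+)")


def parse_flows(text):
    """Return {dst: {interval: packets}}, summing records for the same interval."""
    per_dst = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if not m:
            continue  # skip malformed records instead of aborting
        t, dst, pkts = int(m[1]), m[2], int(m[3])
        per_dst[dst][t] = per_dst[dst].get(t, 0) + pkts
    return dict(per_dst)


def baseline(values, min_sigma=1.0):
    """Mean and standard deviation of the learning window.

    sigma is floored so a perfectly flat baseline does not turn every
    one-packet wobble into an alert.
    """
    mean = statistics.fmean(values)
    sigma = statistics.stdev(values) if len(values) > 1 else 0.0
    return mean, max(sigma, min_sigma)


def anomalous_intervals(series, learn_intervals, k=3.0):
    """Intervals after the learning window whose count exceeds mean + k*sigma."""
    learn = [series[t] for t in range(learn_intervals) if t in series]
    mean, sigma = baseline(learn)
    limit = mean + k * sigma
    return [t for t in sorted(series)
            if t >= learn_intervals and series[t] > limit]


def detect(text=FLOW_LOG, learn_intervals=5, k=3.0):
    """Map each destination to the intervals flagged as anomalous."""
    return {dst: anomalous_intervals(series, learn_intervals, k)
            for dst, series in parse_flows(text).items()}


if __name__ == "__main__":
    for dst, hits in detect().items():
        print(f"{dst}: anomalous intervals {hits}")
```

Nothing in the detector knows what the flood is or how it was generated, which is why this style of detection can notice traffic from an attack nobody has a signature for. The flip side is visible in the second destination: the learning window was completely flat, so without the floor on sigma a rise from 20 to 21 packets would have been an alert, and a real deployment has to spend as much care on the baseline and thresholds as on the alerting.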
