Datasheet
All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Cisco Traffic Anomaly Detector Module Overall Feature Summary
Table 2 lists features of the Cisco Traffic Anomaly Detector Module.
Table 2. Cisco Traffic Anomaly Detector Module Features
Feature: Description
Attack Recognition:
● Spoofed and nonspoofed attacks
● TCP (syns, syn-acks, acks, fins, fragments) attacks
● User Datagram Protocol (UDP) attacks (random port floods, fragments)
● Internet Control Message Protocol (ICMP) attacks (unreachable, echo, fragments)
● Domain Name System (DNS) attacks
● Client attacks
● Inactive and total connections attacks
● HTTP Get Flood attacks
● Border Gateway Protocol (BGP) attacks
● Session Initiation Protocol (SIP) voice over IP (VoIP) attacks
Continuous Learning and Detection:
● Can operate in continuous learning and detection mode (Release 5.0 and later)
● Simultaneously adjusts thresholds and detects attacks
● Switches between learning and detection modes automatically
● Returns to learning mode after an attack is completed
Learns for Anomaly Guard Module:
● Ability to learn traffic profiles for zones defined on guards
● Ability to upload learning information to guards automatically
Traffic Analysis:
● Ability to capture packets that are traversing the guard and save them as pcap files
● The GUI allows extensive analysis of the captured packets
● The user may limit capture to packets with a certain decision value only (forward, drop, reply)
● The user may filter the capture using a tcpdump expression
Communications Protocols:
● Secure Shell (SSH), Secure Sockets Layer (SSL), File Transfer Protocol (FTP), Secure FTP (SFTP)
Management:
● Console to command-line interface (CLI)
● SSH to CLI
● SSL to Cisco Device Manager
● Simple Network Management Protocol (SNMP) MIB, MIBII, and traps
Authentication, Authorization, and Accounting (AAA) Support:
● Integrates with AAA through TACACS+
● Privilege-level and command-level authorization and accounting
Security:
● IP table and self-DDoS protection on management interfaces
Logging:
● Comprehensive syslogging and events
Configuration and Deployment Options
The Cisco Traffic Anomaly Detector Module offers two distinct deployment options—integrated
mode and dedicated mode.
In integrated mode, one or more Cisco Traffic Anomaly Detector Modules are installed in existing
Cisco Catalyst 6500 Series or Cisco 7600 Series chassis deployed in the data center and residing
in the normal Layer 3 data path. A copy of traffic destined for resources to be monitored for
protection must be sent to the Traffic Anomaly Detector Module by Switched Port Analyzer (SPAN)
sessions, by physical port or VLAN, or by VLAN access control list (VACL) capture.
In dedicated mode, the Cisco Traffic Anomaly Detector Module is installed in a dedicated Cisco
Catalyst 6500 Series switch or Cisco 7600 Series router adjacent to a downstream switch or router
near the devices or zones being protected, providing a more scalable solution for large and
growing environments. In this configuration, a copy of traffic must be sent to the dedicated switch
or router via remote SPAN or a fiber-optic link splitter.