Introduction
The Internet can be a dangerous and costly
place. Since its inception, there has been a consistent and steady rise in
network and systems security incidents in every existing business and government
sector. And, in a world where the number of computers and networks attached to
the Internet grows by the hour, the number of potential attack targets has grown
proportionally, and now includes a large concentration of home users who are
experiencing "always on" broadband connectivity for the first time.
At first glance, the numbers related to Internet security breaches
can be staggering, both in terms of sheer frequency and financial impact. Market
researcher TruSecure estimates that losses from computer crime in 2003 could
total over $2.8 billion. The Code Red worm in 2001 alone caused an estimated $2
billion in damages and cleanup costs. Shortly thereafter, the Nimda worm was
unleashed, with estimates of over $2.5 billion in damage.
In the eighth annual CSI/FBI Computer Crime and Security Survey,
251 of 530 companies surveyed reported combined losses of nearly $202 million,
most of which stemmed from proprietary information theft and Denial-of-Service
attacks. A bright spot in the 2003 CSI/FBI report indicated that reported losses
of the companies surveyed dropped for the first time since the initial 1995
survey. This drop in costs occurred even though the number of attempted attacks
did not diminish. Could these savings be attributed to increased corporate
vigilance and attention to network security?
Perhaps most troubling of these figures, however, is the fact that
many security incidents go undetected and most go unreported. Companies and
governments readily admit they don't report incidents to avoid competitive
disadvantage and negative publicity. Furthermore, the CSI/FBI report also
indicates that a majority of known attacks occur from within an organization,
proving that it is no longer adequate to "lock the front door."
A new scourge has become a reality as well: the threat of
electronic terrorism is widely recognized as a real motivation for attack.
Governments and terrorist organizations alike practice overt and covert
techniques aimed at disrupting the very network and systems infrastructure on
which we so heavily depend.
What can be done to combat these threats? And upon what can we
rely as prevention in the face of this constant and genuine danger?
This book presents a combination of intrusion detection systems
(IDS) and security theory, Cisco security models, and detailed information
regarding specific Cisco-based IDS solutions. The concepts and information
presented in this book are one step towards providing a more secure working and
living network environment. This book also exists as a guide for Security
Administrators seeking to pass the Cisco Secure Intrusion Detection Systems Exam
(CSIDS 9E0-100), which is associated with CCSP, Cisco IDS Specialist, and Cisco
Security Specialist 1 certifications.
Cisco has developed two primary and dynamic components that form
their security model, the Architecture for Voice, Video, and Integrated Data
(AVVID) and the Secure Blueprint for Enterprise Networks (SAFE), that are
intended as tools for network and security architects to assist in the
efficient, modular, and comprehensive design of today's modern networks.
Along with AVVID and SAFE, Cisco has developed a Security Wheel to
provide a roadmap for implementing enterprisewide security and a foundation for
effective and evolving security management. Within these security models, Cisco
has identified four security threat categories and three attack categories.
Administrators should understand each of these categories to better protect
their network and systems environments.
In addition to Cisco security theory, there are many different
types of IDS, such as network-based intrusion detection systems (NIDS)
and host-based intrusion detection systems (HIDS). We'll examine each of these
and other types throughout this chapter and describe in detail how these systems
actually function to detect potential security events.
Finally, we'll discuss the potential issues and shortcomings
of an IDS so that administrators can understand the limitations of their
security devices. Hopefully, armed with this information, white hat security
professionals can provide their organizations and governments proper,
comprehensive, and forward-thinking security capabilities.