By definition, a "zero-day" attack is one that is unknown and does not have a signature, yet. That is where a behavior-based IDS comes in handy instead of a signature-based one. It should provide additional protection for zero-day attacks.
If you are looking for a Cisco product in this realm, you should look at Cisco Security Agent (a Host-based IDS that looks at behavior, not signatures).
Here is my take on this subject. Security should be installed in layers. From the perimeter to the core and then on end points and network nodes. You should have properly hardened routers backed up by a firewall with IDS/IPS on the outside and inside. Then a properly segmented network by way of VLANs etc. to allow traffic only where it needs to go. Should anyone get past these measures then host-based intrusion prevention by products such as Cisco Security Agent will come into play for "zero-day" attacks. CSA works off rules, not patterns, so the end result is if the "zero-day" attack tries to do something it is not allowed to do, write to the registry, delete files, etc., CSA kicks in to stop it. No signatures needed.
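The two replies above make the same point: a rule-based host IPS does not need a signature because it judges each action a process attempts against what that process is allowed to do. The toy below is an added illustration of that model, not Cisco Security Agent code or its policy format. The process names, the allow-list policy, the placeholder hash and the event log are all constructed for the example; it contrasts a signature check (which only catches hashes already on a list) with a default-deny behavioural check over the same events.

```python
"""Toy comparison of signature-based and rule-based (behavioural) host checks.

Added example, not code from Cisco or from the thread. Everything here is
constructed: the policy, the process names, the placeholder hash and the
events. The point it demonstrates: an image with no known signature sails
through the signature check, but its disallowed actions are still denied by
a default-deny behavioural policy.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Verdict = Tuple[str, str]  # ("allow" | "deny", reason)


@dataclass(frozen=True)
class Event:
    process: str  # image name of the process performing the action
    action: str   # e.g. file_read, file_write, file_delete, registry_write, net_connect
    target: str   # path, registry key or host:port the action touches
    sha256: str   # hash of the process image; used only by the signature check


# Signature model: hashes of binaries already known to be bad.
# Constructed placeholder value, not a real indicator.
KNOWN_BAD_HASHES: Set[str] = {"deadbeef" * 8}

# Behavioural model (constructed policy): for each process, the set of
# (action, target-prefix) pairs it may perform. Anything else is denied,
# and a process with no policy entry at all is denied by default.
POLICY: Dict[str, Set[Tuple[str, str]]] = {
    "notepad.exe": {
        ("file_read", "C:\\Users\\"),
        ("file_write", "C:\\Users\\"),
    },
    "updater.exe": {
        ("net_connect", "updates.example.com:443"),
        ("file_write", "C:\\Program Files\\Updater\\"),
    },
}


def signature_check(ev: Event) -> Verdict:
    """Signature model: only an image whose hash is already listed is caught."""
    if ev.sha256 in KNOWN_BAD_HASHES:
        return ("deny", "image hash matches a known-bad signature")
    return ("allow", "no signature match")


def behaviour_check(ev: Event, policy: Dict[str, Set[Tuple[str, str]]] = POLICY) -> Verdict:
    """Rule model: deny unless the action is explicitly allowed for the process."""
    allowed = policy.get(ev.process)
    if allowed is None:
        return ("deny", f"no policy for {ev.process}; default deny")
    for action, prefix in allowed:
        if ev.action == action and ev.target.startswith(prefix):
            return ("allow", f"{ev.action} on {ev.target} permitted by rule")
    return ("deny", f"{ev.action} on {ev.target} not permitted for {ev.process}")


def evaluate(events: List[Event]) -> List[Tuple[Event, str, str]]:
    """Run both checks over an event stream; returns (event, sig, behaviour) verdicts."""
    return [(ev, signature_check(ev)[0], behaviour_check(ev)[0]) for ev in events]


def zero_day_catches(events: List[Event]) -> int:
    """Count events the signature model missed but the rule model stopped."""
    return sum(1 for _, sig, beh in evaluate(events) if sig == "allow" and beh == "deny")


# Constructed event stream: an image with a hash nobody has a signature for
# runs as notepad.exe, edits a user file, then tries to persist via the
# registry and delete a document; a process with no policy entry writes to
# System32; the updater does what its policy permits.
SAMPLE_EVENTS: List[Event] = [
    Event("notepad.exe", "file_write", "C:\\Users\\alice\\notes.txt", "a1" * 32),
    Event("notepad.exe", "registry_write",
          "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "a1" * 32),
    Event("notepad.exe", "file_delete", "C:\\Users\\alice\\Documents\\report.docx", "a1" * 32),
    Event("updater.exe", "net_connect", "updates.example.com:443", "b2" * 32),
    Event("unknown.exe", "file_write", "C:\\Windows\\System32\\x.dll", "c3" * 32),
]

if __name__ == "__main__":
    for ev, sig, beh in evaluate(SAMPLE_EVENTS):
        print(f"{ev.process:12} {ev.action:15} sig={sig:5} behaviour={beh:5} "
              f"({behaviour_check(ev)[1]})")
    print("stopped without any signature:", zero_day_catches(SAMPLE_EVENTS))
```

Running it shows every event passing the signature check (none of the constructed hashes is on the list) while the registry write, the file deletion and the unlisted process are all denied by policy, which is the "no signatures needed" behaviour the replies describe. The cost of this model, which the thread does not spell out, is that the allow-list has to be maintained per application: a legitimate new action is denied until someone adds a rule for it.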