Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

NIPS <> Guard & Anomaly Detector

I'm looking for a comparison of Cisco IPS versus Guard & Anomaly Detector in order to find out which solutions offers which benefits to protect against DDoS attacks from the Internet and where which solution has shortcomings. If I have the guard and detector do I still need NIPS and vice versa.



Re: NIPS <> Guard & Anomaly Detector

The Guard is an active DDoS attack mitigation device that protects the zone against DDoS attacks. The Guard receives traffic that is diverted from the attacked zones and inspects the diverted traffic to identify and separate malicious flows from legitimate transactions. The Guard removes specific attack packets and forwards legitimate traffic packets to their targeted destination, helping to ensure that real users and real transactions get through.

Typically, you deploy the Guard in a distributed upstream configuration at the backbone level. When the Guard receives an external indication of an attack, such as from a Detector, it diverts only the traffic of the attacked zone to itself. Any traffic destined for other zones not under attack continues to flow to their destinations without being diverted to the Guard. The Guard analyzes the packets, removes the DDoS components, and allows only clean traffic packets to continue on to the intended zone. During the attack, the Guard constantly filters the traffic and adjusts the attack mitigation process as the attack evolves.

The Guard uses the following features to manage zone traffic:

•A traffic diversion process that diverts the zone traffic to the Guard for learning purposes, protects against DDoS attacks, and injects legitimate traffic back into the network.

•An algorithm-based learning process that can learn the characteristics of normal zone traffic and customize the zone protection capabilities. This process provides the Guard with traffic reference points and protection instructions in the form of zone policies and policy thresholds.

•Protection processes that can distinguish between legitimate and malicious traffic. The protection processes filter the malicious traffic so that only the legitimate traffic can pass through to the zone.

These components enable the Guard to assume its protective role when there is an attack but allows the Guard to remain unobtrusively in the background when there is no attack. When there are no suspected attacks, you do not need to activate the diversion process, and the Guard does not see the traffic.

New Member

Re: NIPS <> Guard & Anomaly Detector

Thanks for the additional information. What I'm looking for is how I can persuade my customer to buy the guard/detector in addition to the NIPS. The NIPS seems to be quite effective to limit DDoS attacks, so why would I still want to have the guard/detector?