A possible architecture for a self-defending network could include the following (please note that I have focused on the Cisco platform, but other best-of-breed solutions are possible as well). A regular 6500 chassis can be configured to house a firewall blade (ACE/FWSM), an IPS module (IDSM-2), content management modules and, potentially, a dedicated Web application firewall (ACE WAF). This provides a platform to protect against signature-based network- and application-level attacks, while zero-day protection comes from an endpoint security product. Correlation and analysis of the data from each of these appliances is handled by Cisco's Security Monitoring, Analysis and Response System, or MARS, which is Cisco's proprietary security information and event management (SIEM) product.
A typical proactive mitigation example: the endpoint security agent detects suspicious activity on a host PC and forwards the event to the MARS platform. MARS then collaborates with the IPS module to monitor flows to and from that endpoint and cut off any potential attacks.
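The correlation loop just described (endpoint agent alert in, IPS directive out) is easier to reason about with a concrete rule in front of you. The following is an added illustration, not code from the article and not Cisco's MARS or IPS API: a small correlator that ingests constructed endpoint-agent alerts and IPS events, asks the IPS to watch any host the agent has flagged, and escalates to a block only when a sufficiently severe endpoint alert is followed within a time window by an IPS signature hit sourced from the same host. The event shape, the severity threshold, the five-minute window and the directive format are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events, normalised the way a SIEM might store them.
# They are made up for this example and are not real MARS, agent or IPS output.
ENDPOINT_ALERTS = [
    {"ts": "2010-07-01T10:00:05", "host": "10.1.1.25", "event": "suspicious_process", "severity": 3},
    {"ts": "2010-07-01T10:00:40", "host": "10.1.1.25", "event": "registry_persistence", "severity": 4},
    {"ts": "2010-07-01T10:03:00", "host": "10.1.1.77", "event": "suspicious_process", "severity": 2},
    {"ts": "2010-07-01T10:20:00", "host": "10.1.1.90", "event": "suspicious_process", "severity": 4},
]
IPS_EVENTS = [
    {"ts": "2010-07-01T10:01:10", "src": "10.1.1.25", "dst": "10.1.2.9", "dport": 445, "signature": "smb_scan"},
    {"ts": "2010-07-01T10:01:12", "src": "10.1.1.25", "dst": "10.1.2.10", "dport": 445, "signature": "smb_scan"},
    {"ts": "2010-07-01T10:10:00", "src": "10.1.1.77", "dst": "10.1.2.9", "dport": 80, "signature": None},
    {"ts": "2010-07-01T10:28:00", "src": "10.1.1.90", "dst": "10.1.2.9", "dport": 445, "signature": "smb_scan"},
]


@dataclass
class Action:
    host: str
    action: str   # "monitor" or "block"
    reason: str


def _ts(value):
    return datetime.fromisoformat(value)


def correlate(endpoint_alerts, ips_events, window=timedelta(minutes=5), block_severity=3):
    """Return {host: Action} for every host the endpoint agent has flagged.

    Hypothetical rule: any endpoint alert asks the IPS to watch that host's flows
    ("monitor"). If an alert of severity >= block_severity is followed, within
    `window`, by an IPS signature hit whose source is that host, escalate to "block".
    IPS hits before the alert, or outside the window, do not escalate.
    """
    actions = {}
    for alert in endpoint_alerts:
        host = alert["host"]
        alert_time = _ts(alert["ts"])
        # Default for any endpoint alert: monitor the host's traffic.
        actions.setdefault(host, Action(host, "monitor", f"endpoint alert: {alert['event']}"))
        if alert["severity"] < block_severity:
            continue
        for ev in ips_events:
            if ev["src"] != host or ev["signature"] is None:
                continue
            delta = _ts(ev["ts"]) - alert_time
            if timedelta(0) <= delta <= window:
                actions[host] = Action(
                    host, "block",
                    f"{alert['event']} followed by IPS {ev['signature']} within {window}")
                break
    return actions


def ips_directives(actions):
    """Translate actions into per-host directives a SIEM would push to the IPS.

    The directive vocabulary is invented for this example.
    """
    out = []
    for act in actions.values():
        directive = "deny" if act.action == "block" else "capture-flows"
        out.append({"host": act.host, "directive": directive, "direction": "both"})
    return sorted(out, key=lambda d: d["host"])


if __name__ == "__main__":
    result = correlate(ENDPOINT_ALERTS, IPS_EVENTS)
    for host, act in result.items():
        print(f"{host}: {act.action} ({act.reason})")
    for directive in ips_directives(result):
        print(directive)
```

With the sample data, 10.1.1.25 is blocked (severity-3 alert, then two IPS hits a minute later), 10.1.1.77 is only monitored (low-severity alert, no signature hit) and 10.1.1.90 is only monitored because its IPS hit arrives eight minutes after the alert, outside the window. Requiring two independent sensors to agree before blocking is what keeps a single noisy agent alert from turning into a self-inflicted denial of service; the window and threshold are the knobs a SOC would tune against its own false-positive rate.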
One thing to keep in mind, however, is that you do not have to be Cisco-centric in building a "self-defending" stack that incorporates the devices listed above. The key to an effective multi-vendor "self-defending" stack is ensuring that each security point product is able to collaborate with the others. This collaboration can be complicated and difficult, given that most vendor platforms are either point products built on a closed platform or are built to support their own integrated security stacks. An example of an open platform that supports security products from multiple vendors is the Crossbeam X-Series platform.
This was first published in July 2010