Why do you think HTTPS is one of the protocols that allow the SDM to access the IPS alerts on a router?
SDEE and syslog are the 2 protocols used to collect IPS-related events.
Since syslog is not secure, Cisco decided to use SDEE as the preferred protocol.
If you have a look at page 399 (chapter 11 - Using IPS to Secure a Network) of the official exam guide, it provides detailed information on SDF files for IPS; there, the only 2 protocols mentioned are SDEE and syslog.
HTTPS and HTTP can both be used to manage the routers.
Hi Joel !
It's true that both SDEE (secure) and syslog (insecure) protocols can be used to send Cisco IPS alerts. But in case you've enabled SDEE, you also need to enable HTTP/HTTPS on the router. By using HTTPS instead of HTTP, you can ensure that your data is secured as it traverses the network. Now, the original question asked by Ganesh is:
Which two protocols enable Cisco SDM to pull IPS alerts from a Cisco ISR router?
I've had that question on my CCNA Security exam, and the possible answers (I had to choose two) were:
In regard to the previous explanation, I claim that the correct answers are SDEE and HTTPS, since SDEE requires HTTP or HTTPS to be enabled on the router in order to be used.
Best regards, Tomislav.
There are many systems that can collect SDEE messages, including syslog. IOS IPS can be configured to log SDEE messages to the console and to a syslog server, for instance, as you can read in the document "Configuring Cisco IOS IPS Using Cisco SDM and CLI" here: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd8043bc32.html
Another related example is SDEE messages being exchanged through HTTPS and being collected by MARS for further processing. See, for instance, the section "Enable SDEE for IOS IPS Software" here: http://cisco.com/en/US/docs/security/security_management/cs-mars/6.0/device/configuration/guide/cfgRtrSw.pdf#5
Take into account that collecting or storing messages and exchanging them could be done using different protocols.
Using HTTPS is of course recommended over HTTP whenever possible, but the question is not in a particular context, and it could even be incomplete, so you could be discussing different things or aspects of the problem.
Also, beware of breaking your NDA; the explicit content of your exam is not allowed to be discussed!
I have reason to believe that the question is from p4s or examexpert.
Both the Official and the Authorized exam guides from Cisco Press also have questions similar to this one.
Q5 - Which protocol used by IPS is preferred over syslog because it provides a secure communications channel, and it can be used to communicate between IPS clients and servers (for example, a management workstation that collects and correlates events from multiple sensors in the network)?
The question implies that both syslog and SDEE are the protocols used to access IPS events.
HTTPS alone does not allow access to IPS events. It's used for secure management.
"HTTPS alone does not allow access to IPS events. It's used for secure management."
It is true; the same goes for syslog.
HTTPS is used for SECURE communications, and it can be used in a number of situations. Take a look at the 2nd link in my previous post to see an example (with MARS). So, we could use HTTPS for secure management, maybe logging into the router to access its configuration securely, or it could be used to transfer information, not necessarily doing management, in a secure fashion.
Again, questions from braindumps should be avoided!
Thanks for the link.
My question is from the Cisco Press book, the list of questions at the end of chapter 11.
These are the options available when configuring router IPS:
Router(config)#ip ips notify ?
SDEE Send events to SDEE
log Send events as syslog messages
The only 2 options when configuring IPS notification on a router are SDEE and syslog.
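To show the two notification methods from the post above side by side with the HTTP server that SDEE depends on, here is an IOS configuration fragment. It is an added example, not configuration from the thread or from a Cisco document; the hostname, addresses, username and the IPS rule name "IOSIPS" are placeholders.

```cisco
! Added example: IOS IPS event notification via SDEE (pulled over HTTPS)
! and syslog (pushed in clear text). Names and addresses are placeholders.
hostname ISR-IPS
!
! SDEE is pulled by the management station (SDM, MARS) through the
! router's HTTP server, so that server must be running. Keep only the
! TLS listener and authenticate against the local user database.
no ip http server
ip http secure-server
ip http authentication local
username sdm-admin privilege 15 secret ChangeMe123!
!
! Size the SDEE event buffer and the number of concurrent subscribers
! (one per collector that polls the router).
ip sdee events 1000
ip sdee subscriptions 2
!
! Both notification methods offered by "ip ips notify ?":
ip ips notify sdee
ip ips notify log
logging host 192.0.2.50
!
! Apply an IPS rule (assumed name) inbound on the outside interface.
ip ips name IOSIPS
interface GigabitEthernet0/0
 ip ips IOSIPS in
```

After applying this, "show ip http server status" confirms that only the secure server is listening, and "show ip sdee subscriptions" shows the collector once it has opened its SDEE subscription over HTTPS. Syslog messages leave the router regardless of the HTTP server state, which is the difference the thread is discussing: only the SDEE path needs HTTP or HTTPS on the router.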
I would agree with the points made by Leo, Beller0ph0n, Brandon & Joel.
Out of curiosity, I did a search on Google with the question verbatim, and the search results had Pass4sure written all over them.
In short, it depends on the individual as to which documentation he/she wants to believe more, Cisco or Pass4sure. Personally, I would believe the Cisco docs.
In my opinion, the correct answer is:
SDEE and HTTPS
The explanation, in brief, is that in the "Implementing Cisco IOS Network Security (IINS): (CCNA Security exam 640-553) (Authorized Self-Study Guide)" book from Cisco Press, it is written as a note: "to PULL IPS alerts from the router, SDM uses SDEE and NOT syslog, and to enable SDEE you have to enable HTTP or HTTPS on the router."
Again, it is a tricky question, but think it through, read the question carefully and think about the word "PULL"; you will figure out that the answer is: SDEE and HTTPS.