15 Replies. Latest reply: Jul 22, 2013 11:03 AM by Greg

    CCNA security


      Which two protocols enable Cisco SDM to pull IPS alerts from a Cisco ISR router?

        • 1. Re: CCNA security

          Hi Ganesh,

          I would say - SDEE & Syslog.


          • 2. Re: CCNA security
            Ryan Schuett

            I would agree with Chirag. SDEE and syslog are the way the IPS communicates information (alarms, events, errors, etc) to external devices.



            • 3. Re: CCNA security
              Beller0ph0n - CCNA
              • 4. Re: CCNA security
                joel araujo



                Why do you think https is one of the protocols that allow the SDM to access the IPS alerts on a router?


                SDEE and syslog are the 2 protocols used to collect IPS-related events.
                Since syslog is not secure, Cisco decided to use SDEE as a preferred protocol.

                If you have a look at page 399 (chapter 11 - Using IPS to secure a Network) of the official exam guide, it provides detailed information on SDF files for IPS; there, the only 2 protocols mentioned are SDEE and syslog.

                HTTPS and HTTP can both be used to manage the routers.



                • 5. Re: CCNA security
                  Beller0ph0n - CCNA

                  Hi Joel !


                  It's true that both SDEE (secure) and syslog (insecure) protocols can be used to send Cisco IPS alerts. But in case you've enabled SDEE you also need to enable HTTP/HTTPS on a router. By using HTTPS instead of HTTP, you can ensure that your data is secured as it traverses the network. Now, the original question asked by Ganesh is :


                  Which two protocols enable Cisco SDM to pull IPS alerts from a Cisco ISR router?


                  I've had that question on my CCNA Security exam and possible answers (I had to choose two) were :








                  In regard to the previous explanation I claim that correct answers are SDEE and HTTPS, since SDEE requires HTTP or HTTPS to be (enabled on a router) used.


                  Best regards, Tomislav.

                  • 6. Re: CCNA security
                    Leo Pastor

                    What is this question from?

                    • 7. Re: CCNA security
                      Leo Pastor

                      There are many systems that can collect SDEE messages, including syslog. IOS IPS can be configured to log SDEE messages to the console and syslog server, for instance, as you can read on the document "Configuring Cisco IOS IPS Using Cisco SDM and CLI" here: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd8043bc32.html


                      Another related example is SDEE messages being exchanged through HTTPS and being collected by MARS for further processing. See, for instance, the section "Enable SDEE for IOS IPS Software" here: http://cisco.com/en/US/docs/security/security_management/cs-mars/6.0/device/configuration/guide/cfgRtrSw.pdf#5


                      Take into account that collecting or storing messages and exchanging them could be done using different protocols.

                      • 8. Re: CCNA security
                        Leo Pastor

                        Using HTTPS is of course recommended over HTTP whenever possible, but the question is not in a particular context, and it could be even incomplete, so you could be discussing different things or aspects of the problem.


                        Also, beware of breaking your NDA; explicit content of your exam is not allowed to be discussed!

                        • 9. Re: CCNA security
                          joel araujo



                          I have reason to believe that the question is from p4s or examexpert.
                          Both the Official and the Authorised exam guide from ciscopress also have questions similar to this one.


                          Q5- Which protocol used by IPS is preferred over syslog, because it provides a secure communications channel,
                          and it can be used to communicate between IPS clients and servers (for example, a management workstation that
                          collects and correlates events from multiple sensors in the network)?


                          a- CTIQBE
                          b- SDEE
                          c- TLS
                          d- SRTP

                          The question implies that both syslog and SDEE are the protocols used to access IPS events.


                          HTTPS alone does not allow access to IPS events. It's used for secure management.

                          • 10. Re: CCNA security
                            Leo Pastor

                            "HTTPS alone does not allow access to IPS events. It's used for secure management."


                            It is true, the same for Syslog.


                            HTTPS is used for SECURE communications, and it can be used for a number of situations. Take a look at the 2nd link on my previous post to see an example (with MARS). So, we could use HTTPS for secure management, maybe logging into the router to access its configuration securely, or it could be used to transfer information, not necessarily doing management, in a secure fashion.


                            Again, questions from braindumps should be avoided!




                            • 11. Re: CCNA security
                              Brandon Bailey

                              To confirm, it is SDEE and syslog. That is the answer right out of the book. The Cisco Press book that I brought has a Boson CD that has a directory of 300 Q&As; this question is one of them. Read chapter 11; it will confirm this answer.

                              • 12. Re: CCNA security
                                joel araujo



                                Thanks for the link.

                                My question is from the Cisco Press book, the list of questions at the end of chapter 11.


                                These are the options available when configuring router IPS:


                                Router(config)#ip ips notify ?
                                  SDEE  Send events to SDEE
                                  log   Send events as syslog messages


                                The only 2 options when configuring IPS on a router are SDEE and syslog.







                                • 13. Re: CCNA security

                                  I would agree to the points made by Leo, Beller0ph0n, Brandon & Joel.

                                  Out of curiosity, I did a search on Google with the question verbatim & the search results had Pass4sure written all over it.

                                  In short - It depends on an individual as to which documentation he/she wants to believe more, Cisco or Pass4sure. Personally, I would believe Cisco Docs.


                                  • 14. Re: CCNA security
                                    Aref - CCNPx2 (R&S - Security) / Network+ / Security+

                                    In my opinion, the correct answer is:


                                    SDEE and HTTPS


                                    The explanation in brief is, in the "Implementing Cisco IOS Network Security (IINS): (CCNA Security exam 640-553) (Authorized Self-Study Guide)" book of Cisco Press, it is written as a note "to "PULL" IPS alerts from the router, SDM use SDEE and NOT Syslog, and to enable SDEE you have to enable HTTP or HTTPS on the router."


                                    Again, it is a tricky question, but think good, and read carefully the question and think about the word "PULL", you will figure out that the answer is: SDEE and HTTPS.
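
Added example, not part of any post in this thread and not taken from the cited Cisco documents: an IOS configuration sketch of the two notification paths the replies discuss. Syslog alerts are pushed by the router to a collector, while SDEE events are buffered on the router and pulled by a client through the router's HTTP/HTTPS server. The collector address (192.0.2.10) and the buffer size are assumed values.

```cisco
! --- Push path: IPS alerts sent as syslog messages ---
! ("log" option from the "ip ips notify ?" output quoted in reply 12)
ip ips notify log
! Constructed collector address (documentation range), an assumption
logging host 192.0.2.10
!
! --- Pull path: IPS events stored in the router's SDEE buffer ---
! ("SDEE" option from the same help output)
ip ips notify sdee
! Number of events kept in the buffer for clients to retrieve (assumed value)
ip sdee events 500
!
! --- Transport for the pull path ---
! The replies note that SDEE needs HTTP or HTTPS enabled on the router;
! HTTPS is shown here and the cleartext server is turned off.
no ip http server
ip http secure-server
! Require a login on the web server; assumes a local user already exists
ip http authentication local
```

With only `ip ips notify log` configured, nothing is held on the router for a management client to fetch; with `ip ips notify sdee` and the HTTPS server enabled, the client opens the connection and retrieves the buffered events.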
