CCNA security

Feb 9, 2010 6:40 AM

Ganesh 68 posts since
Oct 4, 2009

Which two protocols enable Cisco SDM to pull IPS alerts from a Cisco ISR router?

  • 74 posts since
    Jan 2, 2009
    1. Feb 9, 2010 7:54 AM (in response to Ganesh)
    Re: CCNA security

    Hi Ganesh,


    I would say - SDEE & Syslog.


    -Chirag

  • Ryan Schuett 421 posts since
    Sep 29, 2008
    2. Feb 9, 2010 11:18 AM (in response to Ganesh)
    Re: CCNA security

    I would agree with Chirag. SDEE and syslog are the way the IPS communicates information (alarms, events, errors, etc) to external devices.

     

    Ryan

  • Beller0ph0n - CCNA 12 posts since
    Jun 9, 2009
    3. Feb 10, 2010 12:00 AM (in response to Ganesh)
    Re: CCNA security
  • joel araujo 66 posts since
    Mar 9, 2009
    4. Feb 10, 2010 1:42 AM (in response to Beller0ph0n - CCNA)
    Re: CCNA security

    Tomislav

     

    Why do you think https is one of the protocols that allow the SDM to access the IPS alerts on a router?

     

    SDEE and syslog are the 2 protocols used to collect IPS-related events.
    Since syslog is not secure, Cisco decided to use SDEE as the preferred protocol.

    If you have a look at page 399 (chapter 11 - Using IPS to secure a Network) of the official exam guide, it provides detailed information on SDF files for IPS; there, the only 2 protocols mentioned are SDEE and syslog.

    HTTPS and HTTP can both be used to manage the routers.


    regards


    Joel

  • Beller0ph0n - CCNA 12 posts since
    Jun 9, 2009
    5. Feb 10, 2010 3:40 PM (in response to joel araujo)
    Re: CCNA security

    Hi Joel!

     

    It's true that both SDEE (secure) and syslog (insecure) protocols can be used to send Cisco IPS alerts. But in case you've enabled SDEE you also need to enable HTTP/HTTPS on a router. By using HTTPS instead of HTTP, you can ensure that your data is secured as it traverses the network. Now, the original question asked by Ganesh is:

     

    Which two protocols enable Cisco SDM to pull IPS alerts from a Cisco ISR router?

     

    I've had that question on my CCNA Security exam and possible answers (I had to choose two) were:

     

    syslog

    SDEE

    FTP

    SSH

    HTTPS

     

    In regard to the previous explanation I claim that correct answers are SDEE and HTTPS, since SDEE requires HTTP or HTTPS to be (enabled on a router) used.

     

    Best regards, Tomislav.

  • Leo Pastor 124 posts since
    Jun 27, 2008
    6. Feb 10, 2010 4:48 AM (in response to Ganesh)
    Re: CCNA security

    What is this question from?

  • Leo Pastor 124 posts since
    Jun 27, 2008
    7. Feb 10, 2010 5:21 AM (in response to joel araujo)
    Re: CCNA security

    There are many systems that can collect SDEE messages, including syslog. IOS IPS can be configured to log SDEE messages to the console and syslog server, for instance, as you can read on the document "Configuring Cisco IOS IPS Using Cisco SDM and CLI" here: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd8043bc32.html

     

    Another related example is SDEE messages being exchanged through HTTPS and being collected by MARS for further processing. See, for instance, the section "Enable SDEE for IOS IPS Software" here: http://cisco.com/en/US/docs/security/security_management/cs-mars/6.0/device/configuration/guide/cfgRtrSw.pdf#5

     

    Take into account that collecting or storing messages and exchanging them could be done using different protocols.

  • Leo Pastor 124 posts since
    Jun 27, 2008
    8. Feb 10, 2010 5:35 AM (in response to Beller0ph0n - CCNA)
    Re: CCNA security

    Using HTTPS is of course recommended over HTTP whenever possible, but the question is not in a particular context, and it could be even incomplete, so you could be discussing different things or aspects of the problem.

     

    Also, beware of breaking your NDA, explicit content of your exam is not allowed to be discussed!

  • joel araujo 66 posts since
    Mar 9, 2009
    9. Feb 10, 2010 5:46 AM (in response to Leo Pastor)
    Re: CCNA security

    Leo,

     

    I have reason to believe that the question is from p4s or examexpert.
    Both the Official and the Authorised exam guide from Cisco Press also have questions similar to this one.

     

    Q5- Which protocol used by IPS is preferred over syslog, because it provides a secure communications channel, and it can be used to communicate between IPS clients and servers (for example, a management workstation that collects and correlates events from multiple sensors in the network)?

     

    a- CTIQBE
    b- SDEE
    c- TLS
    d- SRTP

    The question implies that both syslog and SDEE are the protocols used to access IPS events.

     

    HTTPS alone does not allow access to IPS events. It's used for secure management.

  • Leo Pastor 124 posts since
    Jun 27, 2008
    10. Feb 10, 2010 6:05 AM (in response to joel araujo)
    Re: CCNA security

    "HTTPS alone does not allow access to IPS events. It's used for secure management."

     

    It is true, the same for Syslog.

     

    HTTPS is used for SECURE communications, and it can be used for a number of situations. Take a look at the 2nd link on my previous post to see an example (with MARS). So, we could use HTTPS for secure management, maybe logging into the router to access its configuration securely, or it could be used to transfer information, not necessarily doing management, in a secure fashion.

     

    Again, questions from braindumps should be avoided!

     

     

    HTH

  • Brandon Bailey 22 posts since
    Dec 4, 2009
    11. Feb 10, 2010 6:17 AM (in response to Ganesh)
    Re: CCNA security

    To confirm, it is SDEE and syslog. That is the answer right out of the book. The Cisco Press book that I brought has a Boson CD that has a directory of 300 Q&As; this question is one of them. Read chapter 11; it will confirm this answer.

  • joel araujo 66 posts since
    Mar 9, 2009
    12. Feb 10, 2010 6:29 AM (in response to Leo Pastor)
    Re: CCNA security

    Leo,

     

    Thanks for the link.

    My question is from the Cisco Press book, the list of questions at the end of chapter 11.

     

    These are the options available when configuring router IPS:

     

    Router(config)#ip ips notify ?
      SDEE  Send events to SDEE
      log   Send events as syslog messages

     

    The only 2 options when configuring IPS on a router are SDEE and syslog.

     

     

    regards,

     

     

    Joel

  • 74 posts since
    Jan 2, 2009
    13. Feb 10, 2010 8:12 AM (in response to joel araujo)
    Re: CCNA security

    I would agree to the points made by Leo, Beller0ph0n, Brandon & Joel.


    Out of curiosity, I did a search on Google with the question verbatim & the search results had Pass4sure written all over it.


    In short - It depends on an individual as to which documentation he/she wants to believe more, Cisco or Pass4sure. Personally, I would believe Cisco Docs.


    -Chirag

  • Aref 2,532 posts since
    Nov 29, 2011
    14. Dec 1, 2011 7:54 AM (in response to Ganesh)
    Re: CCNA security

    In my opinion, the correct answer is:

     

    SDEE and HTTPS

     

    The explanation in brief is that, in the "Implementing Cisco IOS Network Security (IINS): (CCNA Security exam 640-553) (Authorized Self-Study Guide)" book from Cisco Press, it is written as a note that to "PULL" IPS alerts from the router, SDM uses SDEE and NOT syslog, and to enable SDEE you have to enable HTTP or HTTPS on the router.

     

    Again, it is a tricky question, but think well, read the question carefully and think about the word "PULL"; you will figure out that the answer is: SDEE and HTTPS.
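
Added example, not part of any post above: a small Python audit that reads a router running-config and reports how IOS IPS alerts are exported, using the `ip ips notify`, `ip http server` and `ip http secure-server` lines discussed in the thread. The function name, finding labels and sample configs are constructed for illustration, and only explicit config lines are considered (platform defaults are not modelled).

```python
# Constructed running-config excerpts (not taken from the thread or a real device).
SAMPLE_HTTP_ONLY = """\
ip http server
no ip http secure-server
ip ips notify SDEE
ip ips notify log
ip sdee events 500
"""

SAMPLE_HTTPS = """\
no ip http server
ip http secure-server
ip ips notify SDEE
"""


def audit_ips_alert_transport(config: str) -> list[str]:
    """Return findings (hypothetical labels) on how IPS alerts leave the router."""
    enabled = set()
    for raw in config.splitlines():
        line = " ".join(raw.split()).lower()  # normalise spacing and case
        # Skip blanks, comments and negated ("no ...") commands.
        if line and not line.startswith(("no ", "!")):
            enabled.add(line)

    sdee = "ip ips notify sdee" in enabled
    syslog = "ip ips notify log" in enabled
    http = "ip http server" in enabled
    https = "ip http secure-server" in enabled

    findings = []
    if not (sdee or syslog):
        findings.append("no-ips-notification")
    if sdee and not (http or https):
        # SDEE is pulled through the router's HTTP/HTTPS server.
        findings.append("sdee-without-http-server")
    if sdee and http:
        # Alerts can be pulled over cleartext HTTP while this listener is on.
        findings.append("sdee-over-cleartext-http")
    if syslog:
        # Syslog export is unencrypted, as noted in the thread.
        findings.append("syslog-cleartext")
    return findings


if __name__ == "__main__":
    for name, cfg in (("http-only", SAMPLE_HTTP_ONLY), ("https", SAMPLE_HTTPS)):
        print(name, audit_ips_alert_transport(cfg))
```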
