Which of the following can be used by Cisco IPS devices to report intrusion alerts? (Select 2 choices.)
A. SDEE
B. SNMPv1
C. SNMPv2
D. SNMPv3
E. Syslog
Explanation:
Cisco Intrusion Prevention System (IPS) devices can use either Security Device Event Exchange (SDEE) or
Syslog to report intrusion alerts. SDEE is a protocol designed specifically for reporting security events: the
sensor stores alerts in an event buffer and a management station retrieves them over an encrypted and
authenticated session (SDEE runs over HTTPS, with the client authenticating to the sensor). For example, Cisco
IPS Manager Express (IME) can monitor up to 10 security sensors by using the SDEE protocol.
The Syslog protocol is used to transmit logging information, including security events, from a device to a syslog
server. However, data sent using Syslog is typically sent as plain text, so an attacker on the path could intercept
the messages and read their contents (syslog over TLS, RFC 5425, exists for this reason but is not the default).
By default, when User Datagram Protocol (UDP) is used, Syslog data is sent over UDP port 514; when
Transmission Control Protocol (TCP) is used, a port such as TCP port 1468 is used. There is no single universal
TCP port for plain syslog, so the sender must be configured with whatever port the collector listens on.
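The following Cisco IOS IPS configuration is an added example, not configuration from the original page or from Cisco's documentation. It enables both reporting paths described above (SDEE over HTTPS and syslog over UDP and TCP) for one IPS policy. The policy name IOSIPS, the signature-file location, the local SDEE user, the collector address 10.1.1.50 and the TCP port 1468 are assumptions chosen for illustration.

```cisco
! Added example (not from the page or Cisco docs): IOS IPS policy that
! reports alerts over SDEE and syslog. Names, addresses and the TCP port
! are assumptions for illustration.
!
! --- IPS policy ---
ip ips config location flash:ips retries 1
ip ips name IOSIPS
! Send alerts to SDEE subscribers (e.g. IME) and to syslog
ip ips notify sdee
ip ips notify log
! Enable a basic signature set (IOS IPS 5.x category names)
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
! --- SDEE transport: HTTPS so the session is encrypted and authenticated ---
! SDEE clients authenticate with a local (or AAA) username and password
ip http secure-server
no ip http server
ip http authentication local
username sdee-mgr privilege 15 secret <strong-password>
! Size of the SDEE event buffer and number of concurrent subscriptions
ip sdee events 500
ip sdee subscriptions 2
!
! --- Syslog transport ---
! Default: plaintext UDP/514 (readable by anyone on the path)
logging host 10.1.1.50
! Same collector over TCP, on the port it listens on (1468 assumed here)
logging host 10.1.1.50 transport tcp port 1468
! IPS alerts are logged at severity 4 (%IPS-4-SIGNATURE), so "warnings" is enough
logging trap warnings
!
! --- Apply the policy inbound on the untrusted interface ---
interface GigabitEthernet0/0
 ip ips IOSIPS in
!
! Verification
! show ip ips configuration   (confirms "notify sdee" and "notify log")
! show ip sdee events         (alerts buffered for SDEE subscribers)
! show logging                (syslog hosts and trap level)
```

SDEE is a pull model: the router only buffers events, and IME (or any SDEE client) polls the HTTPS server with the configured credentials, so the event buffer size and subscription count bound what a slow or disconnected manager can recover. The syslog lines leave the router in clear text on both transports; TCP only adds delivery reliability, not confidentiality.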
Cisco IPS devices do not use Simple Network Management Protocol (SNMP) to report intrusion alerts. SNMP is
used to monitor and manage network devices by collecting statistical data about those devices. Three versions
of SNMP currently exist. SNMP version 1 (SNMPv1) and SNMPv2 (in practice SNMPv2c) do not provide
encryption: password information, known as community strings, is sent as plain text with every message. If an
attacker intercepts a message, the attacker can read the community string and reuse it. SNMPv3 improves upon
SNMPv1 and SNMPv2 by providing encryption, authentication, and message integrity to ensure that messages are
not tampered with during transmission. Note that SNMPv3 only delivers these protections when the group and
user are configured at the authPriv (auth plus priv) security level; an SNMPv3 user at noAuthNoPriv is no better
than SNMPv2c. Thus, whenever possible, you should use SNMPv3 instead of SNMPv1 or SNMPv2. SNMP uses
UDP port 161 for SNMP control traffic and UDP port 162 for SNMP trap traffic.
Reference: Cisco: Cisco IOS Intrusion Prevention System: Monitoring Cisco IOS IPS Signatures via Syslog or SDEE
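To make the SNMP point in the explanation above concrete, here is an added example (not from the original page) of a weak Cisco IOS SNMPv1/v2c configuration beside its SNMPv3 authPriv replacement. The community strings, the NMS address 10.1.1.60, the ACL number, and the view, group and user names are placeholders chosen for illustration.

```cisco
! Added example (not from the page): weak SNMPv1/v2c settings beside an
! SNMPv3 authPriv replacement. All names and addresses are placeholders.
!
! --- Weak: community strings travel in clear text with every message ---
snmp-server community public RO
snmp-server community private RW
snmp-server host 10.1.1.60 version 2c public
!
! --- Hardened: remove the communities, use SNMPv3 with auth + priv ---
no snmp-server community public
no snmp-server community private
! Only the NMS may poll the agent
access-list 10 permit host 10.1.1.60
! Read-only view of the MIB tree
snmp-server view NMSVIEW iso included
! Group requiring authentication AND encryption (authPriv), read-only, ACL-bound
snmp-server group NMSGRP v3 priv read NMSVIEW access 10
! User: SHA for authentication/integrity, AES-128 for privacy
snmp-server user nmsuser NMSGRP v3 auth sha <auth-pass> priv aes 128 <priv-pass>
! Traps (UDP/162) are sent as SNMPv3 authPriv as well
snmp-server host 10.1.1.60 version 3 priv nmsuser
snmp-server enable traps
!
! Verification
! show snmp user       (nmsuser: auth SHA, priv AES128)
! show snmp group      (NMSGRP: security model v3 priv)
! show snmp community  (should list nothing after the removals)
```

SNMPv3 users are not shown in the running configuration on IOS (they are stored separately), so confirm them with `show snmp user` rather than `show running-config`. Leaving the old `snmp-server community` lines in place would quietly keep the plaintext v2c path open alongside the v3 one.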