IOS-IPS alarm reporting tool

g.rodegari
Level 1

Hi,

I'd like to employ 5-6 end point routers with embedded IPS.

I do not have the opportunity to employ VMS or CSIMS.

To configure these, then, I'll use the SDM.

Instead, for the alarm reporting:

- If I configure the communication with the old post-office protocol, I think that I can use the IEV software

- If I use the new SDEE communication protocol, what can I use to collect and report the alarms?

Thanks,

Kind regards,

G.


marcabal
Cisco Employee

I don't think the old post-office protocol will work with the newer IPS features of the router.

(The documentation says it was deprecated)

To use SDEE you will need to use a viewer that supports SDEE.

The Cisco options include:

Security Monitor (part of VMS, latest release includes SDEE support)

Cisco Works SIMS (an OEM from NetForensics - I am not positive that it supports SDEE yet)

Protego PN-MARS (Protego is being bought by Cisco - I know they have SDEE support, but not sure if it is in their released version)

Unfortunately there is not a simple no-additional-cost viewer (like IEV) that supports SDEE.

Another alternative you may want to consider is to use syslog. The router can send the alerts as syslog events.

There are many free syslog viewers available for download on the Internet.
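Since the reply above points to syslog as the no-cost way to collect IOS IPS alerts, here is an added example (not from the thread or from Cisco) of the collector side: a small UDP syslog receiver that parses `%IPS-4-SIGNATURE` lines into records and counts them per signature above a risk-rating threshold. The message layout is assumed from typical IOS IPS output, and the sample lines, addresses and port are constructed.

```python
import re
import socket
from collections import Counter

# Constructed sample syslog lines in the shape IOS IPS uses for signature alerts
# (format assumed from typical IOS IPS output, not taken from the thread).
SAMPLE_SYSLOG = """\
<188>Mar 12 10:04:11.231: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.0.2.10:0 -> 198.51.100.5:0] RiskRating:25
<188>Mar 12 10:04:12.002: %IPS-4-SIGNATURE: Sig:3050 Subsig:0 Sev:50 Half-open SYN Attack [192.0.2.10:44123 -> 198.51.100.5:80] RiskRating:62
<188>Mar 12 10:04:12.509: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.0.2.11:0 -> 198.51.100.5:0] RiskRating:25
<189>Mar 12 10:04:13.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

IPS_RE = re.compile(
    r"%IPS-\d-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[^\s\]]+) -> (?P<dst>[^\s\]]+)\] RiskRating:(?P<rr>\d+)"
)

def parse_ips_alerts(text):
    """Return one dict per IOS IPS alert line; other syslog lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = IPS_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sig", "subsig", "sev", "rr"):
            rec[key] = int(rec[key])
        alerts.append(rec)
    return alerts

def summarize(alerts, min_risk=0):
    """Count alerts per (signature id, name) with RiskRating >= min_risk."""
    counts = Counter()
    for a in alerts:
        if a["rr"] >= min_risk:
            counts[(a["sig"], a["name"])] += 1
    return counts

def serve(port=514, handler=print):
    """Minimal UDP syslog receiver; each datagram is parsed as IOS IPS output."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))  # UDP/514 normally needs privileges
        while True:
            data, peer = sock.recvfrom(4096)
            for rec in parse_ips_alerts(data.decode("utf-8", "replace")):
                rec["router"] = peer[0]  # which router sent the alert
                handler(rec)

if __name__ == "__main__":
    for (sig, name), n in summarize(parse_ips_alerts(SAMPLE_SYSLOG)).most_common():
        print(f"Sig {sig} {name}: {n}")
```

Plain UDP syslog is unauthenticated and unencrypted, so keep the collector on a management network or a separate VRF rather than exposing it to user segments.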

Thank you very much,

Then I think I will use syslog... VMS or SIMS are too complex and expensive for only a few routers...

Bye,

G.

> Another alternative you may want to consider is to use syslog.

Is syslog event reporting possible for dedicated IDS sensors too? We have many sensors (mostly 4235 model), and maintaining user accounts on every sensor AND for every sensor on every event receiving device is going to be a total nightmare.

Thanks...

No

The sensor Appliances and Modules do not currently support creating syslogs for alerts.

The sensor Appliances and Modules with version 5.0 do support sending events as SNMP traps, but I am not sure if the IPS feature on IOS routers supports SNMP traps for the alerts.

A dedicated management tool like VMS (Security Monitor), NetForensics (CW SIMS), or Protego (PNMARS) is really the way to go.

But as you know it does mean managing the user accounts.

My suggestion is to use a consistent user account with a consistent password on all of the sensors.

You would create that account and set up the password on the initial setup of each sensor.

Marco
