Which of the following can be used by Cisco IPS devices to report intrusion alerts? (Select 2 choices.)
Cisco Intrusion Prevention System (IPS) devices can use either Security Device Event Exchange (SDEE) or Syslog to report intrusion alerts. SDEE is a protocol that was designed for reporting security events by using an encrypted and authenticated session between devices. For example, Cisco IPS Manager Express (IME) can monitor up to 10 security sensors by using the SDEE protocol.
The Syslog protocol is used to transmit logging information, including security events, from a device to a syslog server. However, data sent using Syslog is typically sent as plain text, so an attacker who intercepts the messages can view their contents. By default, when User Datagram Protocol (UDP) is used, Syslog data is sent over UDP port 514, and when Transmission Control Protocol (TCP) is used, Syslog data is sent over TCP port 1468.
Cisco IPS devices do not use Simple Network Management Protocol (SNMP) to report intrusion alerts.
SNMP is used to monitor and manage network devices by collecting statistical data about those devices. Three versions of SNMP currently exist. SNMP version 1 (SNMPv1) and SNMPv2 do not provide encryption; password information, known as community strings, is sent as plain text with messages. If an attacker intercepts the message, the attacker can view the password information. SNMPv3 improves upon SNMPv1 and SNMPv2 by providing encryption, authentication, and message integrity to ensure that the messages are not tampered with during transmission. Thus, whenever possible, you should use SNMPv3 instead of SNMPv1 or SNMPv2. SNMP uses UDP port 161 for SNMP control traffic and UDP port 162 for SNMP trap traffic.