Monitoring and Managing Alarms and Alerts

Cisco sensors can identify a wide range of attacks. Being aware that the attacks are happening is a big part of the IPS/IDS solution, and this section examines the options for working with the alarms and alerts generated by the IDS/IPS device.

As the sensor generates alerts, they are fed in real time to a monitoring system, which can display the information in beautiful color-coded formats; alternatively, you can go to the database of stored alerts, extract them, and analyze them that way as well. Three main protocols are used to deliver alerts: Security Device Event Exchange (SDEE), syslog, and SNMP. You can use one or all of these methods to get the alerts off the sensor and on to whatever device you choose for viewing what is happening in the world of alerts.

SDEE is used for real-time delivery of alerts and is the most secure of the three methods. Alerts delivered this way go to an application running on a server. One example is the software named IPS Manager Express (IME), which can run on a workstation and act as a central point of event viewing for up to 10 sensors simultaneously. Other management consoles, such as Cisco Security Manager (CSM), can also be used and support greater numbers of simultaneous sensors. The upper limit of what is reasonable is about 25 sensors reporting to a single manager machine.
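A defender-side illustration of the SDEE path, added here and not part of the book: a small client-side parser that turns SDEE alert XML into flat records and applies a risk-rating threshold for triage. The element names approximate Cisco's evIdsAlert schema and are an assumption; the sample document is constructed.

```python
# Added example, not from the page: parse SDEE-style alert XML for triage.
# Element layout approximates Cisco's evIdsAlert (an assumption); sample is constructed.
import xml.etree.ElementTree as ET
SAMPLE_SDEE = """<sd:events xmlns:sd="http://example.com/2003/08/sdee"
           xmlns:cid="http://www.cisco.com/cids/2006/08">
  <sd:evIdsAlert eventId="1001" severity="high">
    <sd:originator><sd:hostId>sensor-dc1</sd:hostId></sd:originator>
    <sd:signature id="2004" description="ICMP Echo Request"/>
    <sd:participants>
      <sd:attacker><sd:addr locality="OUT">198.51.100.7</sd:addr></sd:attacker>
      <sd:target><sd:addr locality="IN">10.1.1.5</sd:addr></sd:target>
    </sd:participants>
    <cid:riskRatingValue>85</cid:riskRatingValue>
  </sd:evIdsAlert>
  <sd:evIdsAlert eventId="1002" severity="low">
    <sd:originator><sd:hostId>sensor-dc2</sd:hostId></sd:originator>
    <sd:signature id="3030" description="TCP SYN Host Sweep"/>
    <sd:participants>
      <sd:attacker><sd:addr locality="OUT">203.0.113.9</sd:addr></sd:attacker>
      <sd:target><sd:addr locality="IN">10.1.1.20</sd:addr></sd:target>
    </sd:participants>
    <cid:riskRatingValue>35</cid:riskRatingValue>
  </sd:evIdsAlert>
</sd:events>"""

def _local(tag):
    """Strip the namespace URI so lookups work whatever prefix a sensor uses."""
    return tag.rsplit("}", 1)[-1]

def _first(elem, name):
    """First element in elem's subtree (elem included) with that local name."""
    return next((c for c in elem.iter() if _local(c.tag) == name), None)

def parse_sdee(xml_text):
    """Return one dict per evIdsAlert with the fields an analyst triages on."""
    alerts = []
    for ev in ET.fromstring(xml_text).iter():
        if _local(ev.tag) != "evIdsAlert":
            continue
        sig, risk = _first(ev, "signature"), _first(ev, "riskRatingValue")
        alerts.append({
            "event_id": ev.get("eventId"), "severity": ev.get("severity"),
            "sensor": _first(ev, "hostId").text, "sig_id": sig.get("id"),
            "attacker": _first(_first(ev, "attacker"), "addr").text,
            "target": _first(_first(ev, "target"), "addr").text,
            "risk": int(risk.text) if risk is not None else 0})
    return alerts

def escalate(alerts, min_risk=70):
    """Triage rule: event IDs whose risk rating meets the threshold."""
    return [a["event_id"] for a in alerts if a["risk"] >= min_risk]
```

In a real deployment the XML arrives from the sensor's SDEE endpoint over authenticated HTTPS; because the sensor is a network-reachable input, parsing it with a hardened XML parser (such as defusedxml) rather than the stock module is prudent.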


Note

See the “Cisco Next-Generation IPS Solutions” section in this chapter for a brief overview of FireSIGHT Management Center, the most recent Cisco IPS management solution.

