Security Device Event Exchange (SDEE)

SDEE is a somewhat open standard used by many IPS/IDS vendors, including Cisco, ISS, Sourcefire, and TruSecure. "Somewhat open" means that you can use it, but it is ultimately owned by the International Computer Security Association (ICSA). SDEE uses Extensible Markup Language (XML) to structure IDS alerts (or events) and specifies HTTP as the protocol. SDEE was designed to be both flexible and extensible. When used on Cisco IDS/IPS sensors, SDEE is backward compatible with Remote Data Exchange Protocol (RDEP), a similar but older communication protocol for Cisco IDS devices.

The original idea for SDEE was to standardize the event and alerting format among vendors so that many different vendor IPS/IDS solutions could be supported within a customer's network.

The SDEE framework is built on top of XML and uses HTTP as a transport, with the Secure Sockets Layer/Transport Layer Security (SSL/TLS) standards providing encryption and secure authentication with passwords and certificates. This is the same standard used on many shopping, banking, and other sites that require secure communication.

Besides providing a standard, secure event-logging protocol, SDEE also guarantees delivery of log messages. SDEE uses TCP as its transport protocol. It is also a pull method, meaning that the monitoring station pulls event logs from the device, just as your web browser pulls information from a web server. Syslog and SNMP, on the other hand, are push methods, meaning that they blindly fire event logs onto the network without knowing whether they reach their destination.
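The pull-versus-push difference described above, as an added example that is not part of the original article: a small in-process model of the delivery semantics (not the SDEE wire protocol) in which the monitoring station is unreachable for part of the run. `Sensor`, `pull` and `simulate` are hypothetical names, and the alert strings are constructed sample data.

```python
# Pull vs. push event delivery, modelled in-process (constructed example).
# Sensor, pull() and simulate() are hypothetical names, not an SDEE API.
from dataclasses import dataclass, field


@dataclass
class Sensor:
    """IDS sensor that keeps every alert in a local store, oldest first."""
    store: list = field(default_factory=list)

    def raise_alert(self, text):
        event = {"id": len(self.store) + 1, "text": text}
        self.store.append(event)
        return event

    def pull(self, after_id):
        """Pull model: return every stored event newer than the caller's cursor."""
        return [e for e in self.store if e["id"] > after_id]


def simulate(alerts, outage):
    """Replay alerts; `outage` is the set of ticks when the monitor is down.

    Returns (event ids received by push, event ids received by pull).
    """
    sensor = Sensor()
    pushed, pulled, cursor = [], [], 0
    for tick, text in enumerate(alerts):
        event = sensor.raise_alert(text)
        if tick in outage:
            continue  # monitor down: the pushed copy is lost, the stored copy waits
        # Push (syslog / SNMP trap style): sent once, seen only while listening.
        pushed.append(event["id"])
        # Pull: the monitor asks for everything after its cursor and advances
        # the cursor only once it holds the events.
        batch = sensor.pull(cursor)
        pulled.extend(e["id"] for e in batch)
        if batch:
            cursor = batch[-1]["id"]
    return pushed, pulled


if __name__ == "__main__":
    sample = ["port scan", "sql injection", "brute force", "dns tunnel", "beacon"]
    push_ids, pull_ids = simulate(sample, outage={1, 2})
    print("push received:", push_ids)
    print("pull received:", pull_ids)
```

Events raised while the monitor is still down at the end of a run stay in the sensor's store until the next poll, so the pull side is delayed rather than lossy.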

Currently, SDEE is widely used by Cisco for all network IDS and IPS logs. Other vendors have committed to using it. Contact your IDS/IPS vendor to see whether it has implemented SDEE in its devices.
