SNMP service network security configuration under win2003 environment

The goal of SNMP is to manage the software and hardware platforms produced by many vendors across the Internet, so SNMP is heavily influenced by the Internet standard network management framework.

The SNMP service acts as an agent that collects information and reports it to an SNMP management station or console. You can use the SNMP service to collect data from, and manage, computers running Windows Server 2003, Microsoft Windows XP and Microsoft Windows 2000 across the entire corporate network.

Typically, communication between an SNMP agent and an SNMP management station is secured by assigning a shared community name to the agents and management stations. When the SNMP management station sends a query to the SNMP service, the requester's community name is compared with the agent's community name. If they match, the SNMP management station is authenticated. If they do not match, the SNMP agent treats the request as an access failure and may send an SNMP trap message.

SNMP messages are sent in clear text, so they are easily intercepted and decoded by a network analysis program such as Microsoft Network Monitor. Unauthorized personnel can capture community names and use them to obtain important information about network resources.

"IP Security Protocol" (IPSec) can be used to protect SNMP communications. You can create an IPSec policy that protects traffic on TCP and UDP ports 161 and 162 to secure SNMP transactions.

Creating a Filter List

To create an IP Sec policy that protects SNMP messages, first create a filter list. Here's how:

Click Start, point to Administrative Tools, and then click Local Security Policy.

Expand Security Settings, right-click "IP Security Policies on Local Computer", and then click "Manage IP filter lists and filter actions".

Click the "Manage IP Filter Lists" tab, and then click Add.

In the IP Filter List dialog box, type SNMP message (161/162) in the Name box, and then type TCP and UDP port 161 filter in the Description box.

Click the "Use Add Wizard" check box to clear it, and then click Add.

In the "Source address" box (on the Addresses tab of the IP Filter Properties dialog box that appears), click "Any IP Address". In the "Destination address" box, click "My IP Address". Select the "Mirrored" check box so that packets with the opposite source and destination addresses are also matched.

Click the Protocol tab. In the "Select a protocol type" box, select UDP. In the "Set the IP protocol port" box, select "From this port" and type 161 in the box. Click "To this port" and type 161 in the box.

Click OK.

In the IP Filter List dialog box, click Add.

In the "Source address" box (on the Addresses tab of the IP Filter Properties dialog box that appears), click "Any IP Address". In the "Destination address" box, click "My IP Address". Select the "Mirrored" check box so that packets with the opposite source and destination addresses are also matched.

Click the Protocol tab. In the "Select a protocol type" box, click TCP. In the "Set the IP protocol port" box, click "From this port" and type 161 in the box. Click "To this port" and type 161 in the box.

Click OK.

In the IP Filter List dialog box, click Add.

In the "Source address" box (on the Addresses tab of the IP Filter Properties dialog box that appears), click "Any IP Address". In the "Destination address" box, click "My IP Address". Select the "Mirrored" check box so that packets with the opposite source and destination addresses are also matched.

Click the Protocol tab. In the "Select a protocol type" box, click UDP. In the "Set the IP protocol port" box, click "From this port" and type 162 in the box. Click "To this port" and type 162 in the box.

Click OK. In the IP Filter List dialog box, click Add.

In the "Source address" box (on the Addresses tab of the IP Filter Properties dialog box that appears), click "Any IP Address". In the "Destination address" box, click "My IP Address". Select the "Mirrored" check box so that packets with the opposite source and destination addresses are also matched.

Click the Protocol tab. In the "Select a protocol type" box, click TCP. In the "Set the IP protocol port" box, click "From this port" and type 162 in the box. Click "To this port" and type 162 in the box.

Click OK.

Click OK in the IP Filter List dialog box, and then click OK in the "Manage IP filter lists and filter actions" dialog box.

Creating an IPSec Policy

To create an IPSec policy to enforce IPSec for SNMP communication, follow these steps:

In the left pane, right-click "IP Security Policies on Local Computer", and then click "Create IP Security Policy".

The "IP Security Policy Wizard" starts.
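The same filter list and policy built from the command line, as an added example that is not part of the original article: it uses the netsh ipsec static context that ships with Windows Server 2003 and Windows XP, typed at a cmd prompt on the SNMP host. The filter list name and description follow the article; the filter action, policy and rule names, and the choice of Kerberos authentication with no clear-text fallback, are assumptions.

```batch
@echo off
rem Added example (not the article's own steps). Assumed names: the filter
rem action "Require SNMP security", the policy "SNMP IPSec", the rule "SNMP rule".

rem 1. Filter list: four mirrored filters, any address -> my address,
rem    ports 161 and 162 over both UDP and TCP, exactly as in the GUI steps.
rem    (The article sets both "from" and "to" port to 161/162; a management
rem    station that queries from an ephemeral source port needs srcport=0.)
set LIST=SNMP message (161/162)
netsh ipsec static add filterlist name="%LIST%" description="TCP and UDP port 161 filter"
netsh ipsec static add filter filterlist="%LIST%" srcaddr=any dstaddr=me protocol=UDP srcport=161 dstport=161 mirrored=yes
netsh ipsec static add filter filterlist="%LIST%" srcaddr=any dstaddr=me protocol=TCP srcport=161 dstport=161 mirrored=yes
netsh ipsec static add filter filterlist="%LIST%" srcaddr=any dstaddr=me protocol=UDP srcport=162 dstport=162 mirrored=yes
netsh ipsec static add filter filterlist="%LIST%" srcaddr=any dstaddr=me protocol=TCP srcport=162 dstport=162 mirrored=yes

rem 2. Filter action: negotiate IPSec; inpass=no and soft=no refuse any
rem    unsecured inbound SNMP and never fall back to clear text.
netsh ipsec static add filteraction name="Require SNMP security" action=negotiate inpass=no soft=no

rem 3. Policy plus a rule that binds the filter list to the filter action,
rem    authenticating peers with Kerberos (domain members).
netsh ipsec static add policy name="SNMP IPSec" description="Protect SNMP traffic with IPSec"
netsh ipsec static add rule name="SNMP rule" policy="SNMP IPSec" filterlist="%LIST%" filteraction="Require SNMP security" kerberos=yes

rem 4. Assign the policy so it takes effect, then review what was created.
netsh ipsec static set policy name="SNMP IPSec" assign=y
netsh ipsec static show policy name="SNMP IPSec" level=verbose
```

Every management station that must keep talking to this host needs a matching policy, otherwise its queries are dropped once the policy is assigned; check with netsh ipsec dynamic show all after the first poll.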
