Configuring Network Security for the SNMP Service in Windows Server 2003

This article describes how to configure network security for the Simple Network Management Protocol (SNMP) service on Windows Server 2003.

The SNMP service acts as an agent that collects information that can be reported to an SNMP management station or console. You can use the SNMP service to collect data and manage Windows Server 2003, Microsoft Windows XP, and Microsoft Windows 2000-based computers across the entire corporate network.

Typically, communication between an SNMP agent and an SNMP management station is secured by assigning a shared community name to the agents and the management stations. When the management station sends a query to the SNMP service, the community name in the request is compared with the community names the agent accepts. If it matches, the request is treated as authenticated. If it does not match, the agent treats the request as a failed access attempt and, if configured to do so, sends an authentication-failure trap.

SNMP messages are sent in clear text. The Windows SNMP service implements SNMPv1 and SNMPv2c, which offer no encryption, so these messages are easily intercepted and decoded by a network analysis program such as Microsoft Network Monitor. Anyone who captures a community name can issue the same queries against the agent, and with a read-write community can change its settings; a community name is therefore a weak authenticator, not a secret that survives a single capture.
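To make the clear-text point concrete, here is an added example (not code from the original article) that decodes the header of an SNMPv1/v2c datagram and reports the fields an eavesdropper sees without any key: the version, the community name and the PDU type. The packet bytes are constructed for this example (a GetRequest for sysDescr.0 with community public); the script assumes PowerShell 2.0 or later.

```powershell
# Added example, not part of the original article. Decodes the outer
# SEQUENCE { INTEGER version, OCTET STRING community, PDU } of an SNMP
# datagram. Everything it returns travels unencrypted in SNMPv1 and v2c.

function Read-BerLength {
    # Returns @(length, bytesConsumed) for the BER length field at $Offset.
    # Handles both the short form (< 128) and the long form (0x8N + N bytes).
    param([byte[]]$Data, [int]$Offset)
    $first = [int]$Data[$Offset]
    if ($first -lt 0x80) { return @($first, 1) }
    $count = $first -band 0x7F
    $len = 0
    for ($i = 1; $i -le $count; $i++) { $len = ($len * 256) + [int]$Data[$Offset + $i] }
    return @($len, (1 + $count))
}

$versionNames = @{ 0 = "v1"; 1 = "v2c"; 3 = "v3" }
$pduNames = @{ 0xA0 = "GetRequest"; 0xA1 = "GetNextRequest"; 0xA2 = "GetResponse";
               0xA3 = "SetRequest";  0xA4 = "Trap";           0xA5 = "GetBulkRequest";
               0xA6 = "InformRequest"; 0xA7 = "SNMPv2-Trap";  0xA8 = "Report" }

function Get-SnmpHeader {
    # Parses the message header and returns the clear-text fields.
    param([byte[]]$Packet)
    if ($Packet[0] -ne 0x30) { throw "not an SNMP message (no outer SEQUENCE)" }
    $pos = 1
    $l = Read-BerLength $Packet $pos; $pos += $l[1]

    # INTEGER version (0 = v1, 1 = v2c, 3 = v3)
    if ($Packet[$pos] -ne 0x02) { throw "expected INTEGER version" }
    $pos++
    $l = Read-BerLength $Packet $pos; $pos += $l[1]
    $version = 0
    for ($i = 0; $i -lt $l[0]; $i++) { $version = ($version * 256) + [int]$Packet[$pos + $i] }
    $pos += $l[0]

    # OCTET STRING community: the "password" of SNMPv1/v2c, sent as-is
    if ($Packet[$pos] -ne 0x04) { throw "expected OCTET STRING community" }
    $pos++
    $l = Read-BerLength $Packet $pos; $pos += $l[1]
    $community = [System.Text.Encoding]::ASCII.GetString($Packet, $pos, $l[0])
    $pos += $l[0]

    # Context-specific tag of the PDU that follows
    $pduTag = [int]$Packet[$pos]

    New-Object PSObject -Property @{
        Version   = $versionNames[[int]$version]
        Community = $community
        PduType   = $pduNames[$pduTag]
    }
}

# Constructed capture for the example: SNMPv1 GetRequest, community "public",
# request-id 1, one varbind for sysDescr.0 (1.3.6.1.2.1.1.1.0) with a NULL value.
[byte[]]$capture = 0x30,0x29, 0x02,0x01,0x00, 0x04,0x06,0x70,0x75,0x62,0x6C,0x69,0x63,
    0xA0,0x1C, 0x02,0x04,0x00,0x00,0x00,0x01, 0x02,0x01,0x00, 0x02,0x01,0x00,
    0x30,0x0E, 0x30,0x0C, 0x06,0x08,0x2B,0x06,0x01,0x02,0x01,0x01,0x01,0x00, 0x05,0x00

Get-SnmpHeader $capture | Format-List Version, Community, PduType
```

Run against the constructed packet, the script reports version v1, community public and PDU type GetRequest; fed the payload of any datagram captured on UDP port 161 or 162, it reports the same fields for real traffic, which is exactly what an attacker with a sniffer obtains.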

IP Security (IPSec) can be used to protect SNMP communications. You can create an IPSec policy that protects traffic on TCP and UDP ports 161 and 162 so that SNMP transactions are authenticated and encrypted between the agent and the management station. The Windows SNMP service itself uses only UDP (161 for queries, 162 for traps); the TCP filters are included so that the same list also covers SNMP-over-TCP implementations. IPSec protects the transport, it does not replace a non-default community name and the Accept SNMP packets from these hosts setting on the Security tab of the SNMP service properties.

Creating a Filter List

To create an IP Sec policy that protects SNMP messages, first create a filter list. Here's how:

Click Start, point to Administrative Tools, and then click Local Security Policy.

Expand Security Settings, right-click IP Security Policies on Local Computer, and then click Manage IP filter lists and filter actions.

Click the Manage IP Filter Lists tab, and then click Add.

In the IP Filter List dialog box, type SNMP Messages (161/162) in the Name box, and type Filter for TCP and UDP ports 161 and 162 in the Description box.

Click to clear the Use Add Wizard check box, and then click Add.

In the Source address box on the Addresses tab of the IP Filter Properties dialog box, click Any IP Address. In the Destination address box, click My IP Address. Click to select the Mirrored. Match packets with the exact opposite source and destination addresses check box.

Click the Protocol tab. In the Select a protocol type box, click UDP. Under Set the IP protocol port, leave From any port selected, click To this port, and then type 161 in the box. Leave the source port unrestricted: SNMP requests and traps are sent from an ephemeral source port, so a filter that also restricts the source port to 161 matches nothing.

Click OK.

In the IP Filter List dialog box, click Add, and repeat the previous two steps three more times to add the remaining filters: TCP to port 161, UDP to port 162, and TCP to port 162. Every filter uses Any IP Address as the source, My IP Address as the destination, any source port, and the Mirrored check box selected.

These four filters match traffic arriving at this computer's ports 161 and 162 and, through mirroring, the replies it sends from those ports. A management station also sends queries to port 161 on other hosts, and an agent sends traps to port 162 on the management station; to protect those flows on the computer that originates them, add the same four filters again with My IP Address as the source and Any IP Address as the destination.

Click OK in the IP Filter List dialog box, and then click OK in the Manage IP filter lists and filter actions dialog box.

Creating an IPSec Policy

To create an IPSec policy to enforce IPSec for SNMP communication, follow these steps:

In the left pane, right-click IP Security Policies on Local Computer, and then click Create IP Security Policy.

The IP Security Policy Wizard starts.

Click Next.

On the IP Security Policy Name page, type Secure SNMP in the Name box. In the Description box, type Enforce IPSec for SNMP communications, and then click Next.

Click to clear the Activate the default response rule check box, and then click Next.

On the "Completing the IP Security Policy Wizard" page, verify that the "Edit Attributes" checkbox is selected and click Finish.

In the Secure SNMP Properties dialog box, click to clear the Use Add Wizard check box, and then click Add.

Click the IP Filter List tab, and then click SNMP Messages (161/162).

Click the Filter Action tab, and then click Require Security. This action negotiates IPSec with the peer and does not fall back to unprotected communication, so a host without a matching policy can no longer reach the SNMP service at all.

Click the Authentication Methods tab. The default authentication method is Kerberos. If you need another authentication method, click Add. In the New Authentication Method Properties dialog box, select the authentication method to use from the list below and click OK:

Active Directory default (Kerberos V5 protocol)

Use this string (preshared key). A preshared key is stored in clear text in the local policy; use it only for testing or for computers that are not domain members, and prefer Kerberos wherever both computers are domain members.

In the New Rule Properties dialog box, click Apply and then click OK.

In the Secure SNMP Properties dialog box, verify that the SNMP Messages (161/162) check box is selected, and then click OK.

In the right pane of the Local Security Settings console, right-click Secure SNMP, and then click Assign.

Complete this process on every Windows-based computer that runs the SNMP service. The same IPSec policy must also be assigned on the SNMP management station: once the agents require security, a management station without a matching policy stops receiving responses. Confirm the result with IP Security Monitor (or netsh ipsec dynamic show qmsas), which lists the quick mode security associations established for the SNMP traffic.
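The whole procedure above, filter list, filter action, policy, rule and assignment, can be scripted with netsh ipsec static, the command-line front end for the same local policy store the console edits. The following is an added example (not from the original article) that builds and assigns the Secure SNMP policy. It assumes PowerShell 2.0 on the Windows Server 2003 host, an elevated shell, a domain-joined computer (Kerberos authentication), and the filter-action name Require Security (SNMP), which was chosen for this example. It goes slightly beyond the console steps by adding filters in both directions, so the identical script can be run on the agents and on the management station.

```powershell
# Added example, not part of the original article. Creates the Secure SNMP
# IPSec policy with netsh ipsec static and assigns it. Run as an administrator.

$policyName = "Secure SNMP"
$listName   = "SNMP Messages (161/162)"
$actionName = "Require Security (SNMP)"   # name chosen for this example

$cmds = @()
$cmds += "ipsec static add filterlist name=`"$listName`" description=`"Filter for TCP and UDP ports 161 and 162`""

# Two mirrored filters per protocol and port, both with any source port (no
# srcport given), because queries and traps leave the sender from an ephemeral port:
#   any -> me:port  covers an agent receiving queries (161) or a manager receiving traps (162)
#   me -> any:port  covers a manager sending queries (161) or an agent sending traps (162)
# The mirror of each filter matches the replies, so one script serves both roles.
foreach ($proto in @("UDP", "TCP")) {
    foreach ($port in @(161, 162)) {
        $cmds += "ipsec static add filter filterlist=`"$listName`" srcaddr=any dstaddr=me protocol=$proto dstport=$port mirrored=yes description=`"$proto any to me port $port`""
        $cmds += "ipsec static add filter filterlist=`"$listName`" srcaddr=me dstaddr=any protocol=$proto dstport=$port mirrored=yes description=`"$proto me to any port $port`""
    }
}

# The console's Require Security: negotiate IPSec, reject unsecured inbound
# packets (inpass=no) and never fall back to clear text (soft=no).
$cmds += "ipsec static add filteraction name=`"$actionName`" action=negotiate inpass=no soft=no"

# Policy without the default response rule, one rule binding the list to the
# action with Kerberos. On a workgroup computer replace kerberos=yes with
# psk="<key>"; that key is stored in clear text in the policy.
$cmds += "ipsec static add policy name=`"$policyName`" description=`"Enforce IPSec for SNMP communications`" activatedefaultrule=no assign=no"
$cmds += "ipsec static add rule name=`"SNMP`" policy=`"$policyName`" filterlist=`"$listName`" filteraction=`"$actionName`" kerberos=yes"
$cmds += "ipsec static set policy name=`"$policyName`" assign=yes"

# Show the result so the assignment and the eight filters can be checked.
$cmds += "ipsec static show policy name=`"$policyName`" level=verbose"
$cmds += "ipsec static show filterlist name=`"$listName`" level=verbose"

# netsh -f reads the commands from a file, which sidesteps PowerShell's own
# quoting of name="..." style arguments when calling netsh directly.
$scriptPath = Join-Path $env:TEMP "secure-snmp.netsh"
Set-Content -Path $scriptPath -Value $cmds -Encoding ASCII
netsh -f $scriptPath
Remove-Item $scriptPath
```

Run the script on each agent and on the management station, then poll an agent from the management station: IP Security Monitor, or netsh ipsec dynamic show qmsas, should show a quick mode security association between the two hosts for port 161, and a host without the policy should get no answer at all rather than a clear-text one.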

Copyright © Windows knowledge All Rights Reserved