Security-related SNMP service configuration

Source: Internet
Author: User

The SNMP service is used on many systems; today these are most often Windows and UNIX/Linux systems. This article describes how to configure network security for the SNMP service on Windows Server 2003.

The SNMP service acts as an agent and collects information that can be reported to an SNMP management station or console. You can use the SNMP service to collect data from, and manage, Windows Server 2003, Microsoft Windows XP and Microsoft Windows 2000 based computers throughout the company's network.

Generally, the communication between an SNMP agent and an SNMP management station is protected by specifying a shared community name for those agents and management stations. When the SNMP management station sends a query to the SNMP service, the requester's community name is compared with the agent's community name. If they match, the SNMP management station has passed authentication. If the request does not match, the SNMP agent treats the request as a "failed access" attempt and may send an SNMP trap message.

SNMP messages are sent in plaintext. These plaintext messages are easily intercepted and decoded by network analyzers such as Microsoft Network Monitor. Unauthorized users can capture community names and then obtain important information about network resources.

IP Security (IPSec) can be used to protect SNMP communication. You can create an IPSec policy that protects traffic on TCP and UDP ports 161 and 162, and so protects SNMP transactions.

SNMP service configuration 1. Create a filter list

To create an IPSec policy that protects SNMP messages, you must first create a filter list. The steps are:

Click Start, point to Administrative Tools, and then click Local Security Policy. Expand Security Settings, right-click "IP Security Policies on Local Computer", and then click "Manage IP filter lists and filter actions".

Click the Manage IP Filter Lists tab, and then click Add.

In the IP Filter List dialog box, type SNMP message (161/162) in the Name box, and then type TCP and UDP port 161 filter in the Description box.

Click the "Use Add Wizard" check box to clear it, and then click Add.

On the Addresses tab of the IP Filter Properties dialog box that appears, click "Any IP Address" in the Source address box. In the Destination address box, click "My IP Address". Select the "Mirrored. Also match packets with the exact opposite source and destination addresses" check box.

Click the Protocol tab. In the "Select a protocol type" box, click UDP. In the "Set the IP protocol port" box, click "From this port" and type 161 in the box. Click "To this port" and type 161 in the box.

Click OK.

In the IP Filter List dialog box, click Add.

On the Addresses tab of the IP Filter Properties dialog box that appears, click "Any IP Address" in the Source address box. In the Destination address box, click "My IP Address". Select the "Mirrored. Also match packets with the exact opposite source and destination addresses" check box.

Click the Protocol tab. In the "Select a protocol type" box, click TCP. In the "Set the IP protocol port" box, click "From this port" and type 161 in the box. Click "To this port" and type 161 in the box.

Click OK.

In the IP Filter List dialog box, click Add.

On the Addresses tab of the IP Filter Properties dialog box that appears, click "Any IP Address" in the Source address box. In the Destination address box, click "My IP Address". Select the "Mirrored. Also match packets with the exact opposite source and destination addresses" check box.

Click the Protocol tab. In the "Select a protocol type" box, click UDP. In the "Set the IP protocol port" box, click "From this port" and type 162 in the box. Click "To this port" and type 162 in the box.

Click OK.

In the IP Filter List dialog box, click Add.

On the Addresses tab of the IP Filter Properties dialog box that appears, click "Any IP Address" in the Source address box. In the Destination address box, click "My IP Address". Select the "Mirrored. Also match packets with the exact opposite source and destination addresses" check box.

Click the Protocol tab. In the "Select a protocol type" box, click TCP. In the "Set the IP protocol port" box, click "From this port" and type 162 in the box. Click "To this port" and type 162 in the box.

Click OK.

In the IP Filter List dialog box, click OK, and then click OK in the "Manage IP filter lists and filter actions" dialog box.

SNMP service configuration 2. Create an IPSec policy

To create an IPSec policy that enforces IPSec for SNMP communication, follow these steps:

Right-click "IP Security Policies on Local Computer" in the left pane, and then click Create IP Security Policy.

The IP Security Policy Wizard starts.

Click Next.

On the IP Security Policy Name page, type Secure SNMP in the Name box. In the Description box, type Force IPSec for SNMP Communications, and then click Next.

Click the "Activate the default response rule" check box to clear it, and then click Next.

On the Completing the IP Security Policy Wizard page, confirm that the "Edit properties" check box is selected, and then click Finish.

In the Secure SNMP Properties dialog box, click the "Use Add Wizard" check box to clear it, and then click Add.

Click the IP Filter List tab, and then click SNMP message (161/162).

Click the Filter Action tab, and then click Require Security.

Click the Authentication Methods tab. The default authentication method is Kerberos. If you need another authentication method, click Add. In the New Authentication Method Properties dialog box, select the authentication method to use from the following list, and then click OK:

Active Directory default (Kerberos V5 protocol)

Use this string (preshared key)

In the New Rule Properties dialog box, click Apply, and then click OK.

In the Secure SNMP Properties dialog box, confirm that the SNMP message (161/162) check box is selected, and then click OK.

In the right pane of the Local Security Settings console, right-click the Secure SNMP policy, and then click Assign.

Complete this process on all Windows-based computers that run the SNMP service. The same IPSec policy must also be configured on the SNMP management station.
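The same filter list, filter action, policy and assignment can be scripted with the netsh ipsec static context that ships with Windows Server 2003, which is useful when the steps above have to be repeated on many agents. This is an added example, not part of the original article; the filter action name "Require SNMP Security", the rule name "Protect SNMP" and the filter list description are my own choices, the other names are the article's.

```batch
@echo off
rem Added example: scripted equivalent of the GUI steps in this article.
rem Run from an administrator command prompt on each SNMP agent and on the
rem SNMP management station (both sides need the same policy).
set "FL=SNMP message (161/162)"
set "FA=Require SNMP Security"
set "POL=Secure SNMP"

rem 1. Filter list: TCP and UDP 161 and 162, any source to this host, mirrored
netsh ipsec static add filterlist name="%FL%" description="TCP and UDP port 161 and 162 filters"
netsh ipsec static add filter filterlist="%FL%" srcaddr=any dstaddr=me protocol=UDP srcport=161 dstport=161 mirrored=yes
netsh ipsec static add filter filterlist="%FL%" srcaddr=any dstaddr=me protocol=TCP srcport=161 dstport=161 mirrored=yes
netsh ipsec static add filter filterlist="%FL%" srcaddr=any dstaddr=me protocol=UDP srcport=162 dstport=162 mirrored=yes
netsh ipsec static add filter filterlist="%FL%" srcaddr=any dstaddr=me protocol=TCP srcport=162 dstport=162 mirrored=yes

rem 2. Filter action matching "Require Security": negotiate IPSec, never
rem    fall back to clear text (soft=no), drop unprotected inbound (inpass=no)
netsh ipsec static add filteraction name="%FA%" action=negotiate inpass=no soft=no

rem 3. Policy with the default response rule deactivated, plus one rule that
rem    binds the filter list to the action and authenticates with Kerberos
netsh ipsec static add policy name="%POL%" description="Force IPSec for SNMP Communications" activatedefaultrule=no
netsh ipsec static add rule name="Protect SNMP" policy="%POL%" filterlist="%FL%" filteraction="%FA%" kerberos=yes

rem 4. Assign the policy (only one local policy can be assigned at a time)
netsh ipsec static set policy name="%POL%" assign=yes

rem Check: the policy should show as assigned, with the four filters and
rem the negotiate action; unassigned or missing filters mean SNMP is still
rem travelling in plaintext
netsh ipsec static show policy name="%POL%" level=verbose
```

Because the action requires security, an agent with this policy assigned stops answering unprotected SNMP requests, so a management station without the matching policy loses access until it is configured too. For the article's preshared-key option, replace kerberos=yes with psk="<string>" on the add rule line.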
