Securing SNMP messages with IPSec
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Securing SNMP messages with IPSec
By configuring IPSec policies on all SNMP agents and managers, you can help prevent malicious users and attackers from intercepting SNMP messages. If you cannot configure IPSec policies on all SNMP hosts but you want to ensure that all hosts can communicate with each other, you must configure IPSec policies that allow plaintext communication. However, allowing plaintext communication is not recommended.
IPSec does not automatically encrypt the SNMP traffic. You must create filter specifications in the appropriate IP filter list for traffic between the SNMP managers and agents.
To make SNMP messages more secure, you must add two sets of filter specifications to a new or existing IPSec policy on the SNMP-enabled host. The first set of filter specifications regulates typical SNMP traffic or SNMP messages between the SNMP managers and the SNMP agents. This set of filter specifications typically consists of one filter specification for inbound traffic and one for outbound traffic. You must create these specifications in the IP Filter Properties dialog box. For more information about creating filter specifications, see Filter list, Set an active IP filter list for a rule, and Add, edit, or remove IP filter lists.
On the Addresses tab:
In Source address, click A specific IP address and type the address of the SNMP manager.
In Destination address, click My IP Address, which refers to the IP address of the SNMP agent to which the policy is assigned.
Select the Mirrored check box to automatically create the filter specification for outbound traffic.
On the Protocol tab:
Under Select a protocol type, click TCP or UDP. If you require both these protocols, create an additional filter specification.
Click From any port, click To this port, and type 161.
The second set of filter specifications regulates trap messages, and it consists of one filter specification for inbound traffic and one for outbound traffic:
On the Addresses tab:
Under Source address, click A specific IP address and type the IP address of the SNMP agent.
Under Destination address, click My IP Address, which refers to the IP address of the SNMP manager to which the policy is assigned.
Select the Mirrored check box to automatically create the outbound filter specification.
On the Protocol tab:
Under Select a protocol type, click TCP or UDP. If you require both these protocols, create an additional filter specification.
Click From any port, click To this port, and type 162.
For more information on SNMP messages, see SNMP messages.
To send secure SNMP messages, you must configure IPSec policies on SNMP managers as well as SNMP agents. The Windows Server 2003 family supports but does not include SNMP management software.