Lock down SNMP traffic using IPSec
Takeaway: Network management and monitoring tools that use SNMP can greatly increase the efficiency of your network operations. However, it's vital that you take steps to secure the information you transfer using this protocol. In this edition of Security Solutions, Mike Mullins tells you how.
The Simple Network Management Protocol (SNMP) is a network management standard widely used in TCP/IP networks. SNMP provides a means to manage network devices, including servers, workstations, routers, bridges, and hubs, from a central location. Early versions of SNMP had several vulnerabilities, and the protocol has gone through several revisions.
SNMP currently sports three separate versions. There are major differences between these editions, so let's take a closer look at each one.
SNMPv1
As the first incarnation of SNMP, v1 uses community strings set to widely known names by default. (For example, Microsoft uses public.)
All messages travel across the wire in plain text, and anyone with a packet sniffer installed on the network can read them. This version includes no security features.
SNMPv2
The next version increased the level of security by adding privacy to the conversation. It uses the Data Encryption Standard (DES) to encrypt the data packet, except for the destination address. The encrypted data contains the community string and the source IP address.
SNMPv2 addressed the privacy concerns of passing community strings in plain text by using encryption. However, it didn't address authentication.
SNMPv3
Consequently, this incarnation of SNMP addresses the authentication of the message from the source to the destination. In addition, it provides three levels of security.
The highest level of security includes authentication and privacy. The middle level features authentication but no privacy, and the bottom level doesn't include either authentication or privacy.
SNMP suffered from vulnerabilities in its early days, and a lot of networks shied away from using it to control devices. The introduction of SNMPv3 added a great deal of security, and its use could revitalize network management.
However, it's important to keep in mind that some devices still aren't compliant with this version of the protocol. For such devices, make sure you add an extra layer of security to provide authentication and privacy of your network management traffic.
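To find the devices that need that extra layer, you can classify the SNMP datagrams seen on the management network. The following Python sketch is an added example, not part of the original column: it reads the BER header of a message, reports a clear-text SNMPv1 community string (flagging defaults such as public) or the SNMPv3 security level taken from the msgFlags field, and marks anything short of authentication plus privacy as needing IPSec. The function names, the list of default communities, and the sample packets are assumptions constructed for illustration.

```python
DEFAULT_COMMUNITIES = {"public", "private"}  # assumption: defaults worth flagging
LEVELS = {0: "noAuthNoPriv", 1: "authNoPriv", 3: "authPriv"}  # msgFlags bits 0-1

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element that starts at pos."""
    tag, length = buf[pos:pos + 2]  # unpacking raises ValueError if truncated
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def expect(buf, pos, want):  # want: 0x30 SEQUENCE, 0x02 INTEGER, 0x04 OCTET STRING
    tag, value, nxt = read_tlv(buf, pos)
    if tag != want:
        raise ValueError(f"expected tag 0x{want:02x}, got 0x{tag:02x}")
    return value, nxt

def classify(datagram):
    """Report the SNMP version and the protection visible in the message header."""
    body, _ = expect(datagram, 0, 0x30)
    ver, pos = expect(body, 0, 0x02)
    version = int.from_bytes(ver, "big")  # 0 = SNMPv1, 3 = SNMPv3
    info = {"version": version, "level": "unclassified", "community": None}
    if version == 0:  # SNMPv1: the community string follows in clear text
        info.update(level="none", community=expect(body, pos, 0x04)[0].decode("latin-1"))
    elif version == 3:  # SNMPv3: msgFlags selects one of the three levels
        header, _ = expect(body, pos, 0x30)   # msgGlobalData
        _, p = expect(header, 0, 0x02)        # msgID
        _, p = expect(header, p, 0x02)        # msgMaxSize
        flags, _ = expect(header, p, 0x04)    # msgFlags (privacy without auth is invalid)
        info["level"] = LEVELS.get(flags[0] & 0x03, "invalid") if len(flags) == 1 else "invalid"
    info["default_community"] = info["community"] in DEFAULT_COMMUNITIES
    info["needs_ipsec"] = info["level"] != "authPriv"  # message lacks auth + privacy
    return info

V1_GET = bytes.fromhex("302902010004067075626c6963a01c020400000001020100020100"
                       "300e300c06082b060102010101000500")  # constructed v1 GetRequest

def v3_header(flags):  # constructed SNMPv3 message header with the given msgFlags octet
    return bytes.fromhex("3016020103300d020101020205dc0401") + bytes([flags]) + bytes.fromhex("02010304000400")

if __name__ == "__main__":
    print([classify(p)["level"] for p in (V1_GET, v3_header(0), v3_header(1), v3_header(3))])
```

Feed classify() the UDP payload of each datagram from a capture of your management segment; every source address that returns needs_ipsec as True is a candidate for the IPSec policy described below.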
If you do plan to use SNMP to control and monitor network devices that don't support SNMPv3, then it's easy to use IPSec to secure that traffic. (If you're not familiar with creating IPSec policies, check out "Configure IT Quick: Configure Windows 2000 IPSec to secure network traffic.") Once you've configured your IPSec policy for SNMP, you'll be able to send management and control information between the management server and your network devices with a high degree of security.
For remote networks that you'll be managing and monitoring with SNMP, I suggest creating an IPSec tunnel to the first network device (which is usually a router or firewall) that you physically maintain. This tunnel secures your network traffic across the public portion of your network (i.e., your Internet transport). In addition, it will simplify the addition of monitoring devices on the other end of your network as well as reduce the complexity of your overall architecture.
Final thoughts
Network management and monitoring tools that use SNMP can greatly increase the efficiency of your network operations. But it's vital that you remember to secure that data as it crosses the network, or it could become a vulnerability to your operations. One of your best bets is to secure those network conversations with IPSec.
Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.

