Thank you, that looks good. I wonder if firewalls can be configured like
this? Or is it just MS Windows specific? Also I was a bit confused about how
the filters work. I can't figure out if all communications on port 161 and
162 will be IPSec, and how would a switch handle that? I know it is
designed to work with existing networks, but if it can't communicate via
IPSec, will it send a request packet in clear text?
I guess I've got some playing to do. Maybe you can set policy based on IPs
too.
Michael Krygeris
Sr. Field Engineer
Somix Technologies, INC.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Vishwas Gadgil
Sent: Thursday, August 23, 2001 8:13 AM
To: [EMAIL PROTECTED]
Subject: Re: [WhatsUp Forum] SNMP - DMZ - IPSec
In continuation with Anthony's response, I searched on MS Technet. Here is
what I have found.
-----
Chapter 10 - Simple Network Management Protocol - from Windows 2000 Resource Kit.
-----
Securing SNMP Messages with IP Security
If you want to use IPSec to protect SNMP messages, you must configure all
SNMP-enabled systems to use IPSec, or the communications will fail. If you can't
configure all SNMP-enabled systems to use IPSec, at a minimum, you must
configure the IPSec policies of the systems that are SNMP-enabled so that they
can send cleartext (unencrypted) information. However, this somewhat defeats the
idea of trying to secure messages because all communications will be unsecured.
IP Security does not automatically encrypt the SNMP protocol. You must create
filter specifications in the appropriate IP filter list for traffic between the
management systems and SNMP agents. The filter specification must include two
sets of settings.
The first set of filter specifications are for typical SNMP traffic (SNMP
messages) between the management system and the SNMP agents:
• Mirrored: enabled
• Protocol Type: TCP
• Source and Destination Ports: 161
• Mirrored: enabled
• Protocol Type: UDP
• Source and Destination Ports: 161
The second set of filter specifications are for SNMP trap messages sent to the
management system from the SNMP agents:
• Mirrored: enabled
• Protocol Type: TCP
• Source and Destination Ports: 162
• Mirrored: enabled
• Protocol Type: UDP
• Source and Destination Ports: 162
For additional information about creating filter specifications, see Windows
2000 Help.
-----
See if that helps.
Anthony Valuikas wrote:
> I found a paper from Microsoft about it in Technet. That is why I started to
> look. I'll see if I can find the number and forward it on. The title is
> something like "securing snmp with ip security".
>
> Thanks,
> Tv
>
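Added example (my own model, not code from the thread or from the resource kit): a small Python simulation of the quoted IPSec filter specifications, showing what "Mirrored" does, which packets the 161/162 filters actually match, and what happens when a peer cannot negotiate IPSec. It assumes a simplified policy with two outcomes for matched traffic, "negotiate security" and the optional cleartext fallback the excerpt describes; the port wildcard "Any" is modelled as None.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None  # stands in for the IPSec filter UI's "Any port"


@dataclass(frozen=True)
class FilterSpec:
    protocol: str              # "TCP" or "UDP", as in "Protocol Type"
    src_port: Optional[int]    # None means any source port
    dst_port: Optional[int]    # None means any destination port
    mirrored: bool = True      # "Mirrored: enabled" also matches the reply direction

    def matches(self, proto: str, src: int, dst: int) -> bool:
        if proto != self.protocol:
            return False

        def ports_ok(s: int, d: int) -> bool:
            return self.src_port in (ANY, s) and self.dst_port in (ANY, d)

        # A mirrored filter is evaluated a second time with src/dst swapped,
        # which is how the single filter covers both request and response.
        return ports_ok(src, dst) or (self.mirrored and ports_ok(dst, src))


# The filter list exactly as the resource kit excerpt spells it out:
# TCP and UDP, "Source and Destination Ports" 161 (SNMP) and 162 (traps).
SNMP_FILTER_LIST = [FilterSpec(p, port, port) for port in (161, 162) for p in ("TCP", "UDP")]

# Variant with source port "Any": a manager usually sends from an ephemeral
# port to 161, which a filter requiring source port 161 would not match.
SNMP_FILTER_LIST_ANY_SRC = [FilterSpec(p, ANY, port) for port in (161, 162) for p in ("TCP", "UDP")]


def decide(filter_list, proto: str, src: int, dst: int,
           peer_negotiates_ipsec: bool, allow_cleartext_fallback: bool) -> str:
    """How a packet leaves the host under the policy.

    'permit'    - no filter matched, so the IPSec rule does not apply at all
    'ipsec'     - filter matched and the peer negotiated security
    'cleartext' - filter matched, peer did not negotiate, fallback allowed
    'fail'      - filter matched, peer did not negotiate, no fallback
    """
    if not any(f.matches(proto, src, dst) for f in filter_list):
        return "permit"
    if peer_negotiates_ipsec:
        return "ipsec"
    return "cleartext" if allow_cleartext_fallback else "fail"
```

The "permit" outcome for an unmatched packet is the answer to the question of whether the switch or any other traffic is affected: only packets the filter list matches are negotiated, everything else passes as before.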
Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.
An Archive of this list is available at:
http://www.mail-archive.com/whatsup_forum%40list.ipswitch.com/