Securing SNMP Messages with IP Security

If you want to use IPSec to protect SNMP messages, you must configure all SNMP-enabled systems to use IPSec, or the communications will fail. If you cannot configure all SNMP-enabled systems to use IPSec, at a minimum you must configure the IPSec policies of the SNMP-enabled systems so that they can send cleartext (unencrypted) information. However, this somewhat defeats the purpose of trying to secure the messages, because all communications will be unsecured.

IP Security does not automatically encrypt the SNMP protocol. You must create filter specifications in the appropriate IP filter list for traffic between the management systems and the SNMP agents. The filter list must include two sets of filter specifications.

The first set of filter specifications is for typical SNMP traffic (SNMP messages) between the management system and the SNMP agents, with one filter for each transport protocol:

TCP filter:

  • Mirrored: enabled
  • Protocol Type: TCP
  • Source and Destination Ports: 161

UDP filter:

  • Mirrored: enabled
  • Protocol Type: UDP
  • Source and Destination Ports: 161

The second set of filter specifications is for SNMP trap messages sent to the management system from the SNMP agents, again with one filter for each transport protocol:

TCP filter:

  • Mirrored: enabled
  • Protocol Type: TCP
  • Source and Destination Ports: 162

UDP filter:

  • Mirrored: enabled
  • Protocol Type: UDP
  • Source and Destination Ports: 162
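The following is an added example, not part of the original page or of Windows itself: a small Python model of the filter list above that shows how a mirrored filter specification matches a packet in either direction and how the cleartext-fallback setting from the first paragraph decides what happens when the peer is not IPSec-enabled. It models the page's filters exactly as listed (both ports fixed) and goes slightly beyond them by letting a port be `ANY`, as Windows filter specifications also allow; the `classify` function and its outcome names are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

ANY: Optional[int] = None  # a port of None plays the role of "Any" in a filter


@dataclass(frozen=True)
class FilterSpec:
    """One IP filter specification: protocol plus source/destination port."""
    protocol: str           # "TCP" or "UDP"
    src_port: Optional[int]
    dst_port: Optional[int]
    mirrored: bool = True   # also match the packet with source/destination swapped

    def _one_way(self, src: int, dst: int) -> bool:
        return (self.src_port in (ANY, src)) and (self.dst_port in (ANY, dst))

    def matches(self, protocol: str, src_port: int, dst_port: int) -> bool:
        if protocol != self.protocol:
            return False
        if self._one_way(src_port, dst_port):
            return True
        return self.mirrored and self._one_way(dst_port, src_port)


# The two sets from the page, exactly as listed: SNMP messages on 161 and
# SNMP traps on 162, one filter each for TCP and UDP, all mirrored.
SNMP_FILTER_LIST = [
    FilterSpec("TCP", 161, 161), FilterSpec("UDP", 161, 161),
    FilterSpec("TCP", 162, 162), FilterSpec("UDP", 162, 162),
]


def classify(filter_list, protocol, src_port, dst_port,
             peer_speaks_ipsec, allow_cleartext_fallback) -> str:
    """Outcome for one packet under a rule whose action is to negotiate security."""
    if not any(f.matches(protocol, src_port, dst_port) for f in filter_list):
        return "unfiltered"   # no filter applies; the packet is sent in the clear
    if peer_speaks_ipsec:
        return "protected"    # IPSec is negotiated with the peer
    # Peer is not IPSec-enabled: the policy's cleartext fallback setting decides.
    return "cleartext" if allow_cleartext_fallback else "blocked"


if __name__ == "__main__":
    # Constructed sample packets (ports only; addresses do not affect these filters).
    print(classify(SNMP_FILTER_LIST, "UDP", 161, 161, True, False))    # protected
    print(classify(SNMP_FILTER_LIST, "UDP", 162, 162, False, True))    # cleartext
    print(classify(SNMP_FILTER_LIST, "TCP", 162, 162, False, False))   # blocked
    print(classify(SNMP_FILTER_LIST, "UDP", 50000, 161, True, False))  # unfiltered
```

The last sample packet shows the check worth running before deploying a filter list: any port pair that matches no filter in the list falls outside the rule entirely and travels unprotected, so the list must cover every port pair the SNMP manager and agents actually use.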

For additional information about creating filter specifications, see Windows 2000 Help.