Lock down SNMP traffic using IPSec

Network management and monitoring tools that use SNMP can greatly increase the efficiency of your network operations. However, it's vital that you take steps to secure the information you transfer using this protocol. In this edition of Security Solutions, Mike Mullins tells you how.

The Simple Network Management Protocol (SNMP) is a network management standard widely used in TCP/IP networks. SNMP provides a means to manage network devices, including servers, workstations, routers, bridges, and hubs, from a central location. Early versions of SNMP had several vulnerabilities, and the protocol has gone through several revisions.

SNMP currently sports three separate versions. There are major differences between these editions, so let's take a closer look at each one.

As the first incarnation of SNMP, v1 uses community strings set to widely known names by default. (For example, Microsoft uses public.)

All messages travel across the wire in plain text, and anyone with a packet sniffer installed on the network can read them. This version includes no security features.

SNMPv2, the next version, increased the level of security by adding privacy to the conversation. It uses the Data Encryption Standard (DES) to encrypt the data packet, except for the destination address. The encrypted data contains the community string and the source IP address.

SNMPv2 addressed the privacy concerns of passing community strings in plain text by using encryption. However, it didn't address authentication.

SNMPv3, the current version, consequently addresses the authentication of the message from the source to the destination. In addition, it provides three levels of security.

The highest level of security includes authentication and privacy. The middle level features authentication but no privacy, and the bottom level doesn't include either authentication or privacy.

SNMP suffered from vulnerabilities in its early days, and a lot of networks shied away from using it to control devices. The introduction of SNMPv3 added a great deal of security, and its use could revitalize network management.

However, it's important to keep in mind that some devices still aren't compliant with this version of the protocol. For such devices, make sure you add an extra layer of security to provide authentication and privacy of your network management traffic.

If you do plan to use SNMP to control and monitor network devices that don't support SNMPv3, then it's easy to use IPSec to secure that traffic. (If you're not familiar with creating IPSec policies, check out "Configure IT Quick: Configure Windows 2000 IPSec to secure network traffic.") Once you've configured your IPSec policy for SNMP, you'll be able to send management and control information between the management server and your network devices with a high degree of security.

For remote networks that you'll be managing and monitoring with SNMP, I suggest creating an IPSec tunnel to the first network device (which is usually a router or firewall) that you physically maintain. This tunnel secures your network traffic across the public portion of your network (i.e., your Internet transport). In addition, it will simplify the addition of monitoring devices on the other end of your network as well as reduce the complexity of your overall architecture.
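The two pieces of policy described above (require IPSec for SNMP polls and traps between the management server and local devices, plus one tunnel to the first router you maintain at a remote site) as an added example, not from the original column. It assumes a current Windows management server with the NetSecurity cmdlets (Windows Firewall with Advanced Security on Windows 8 / Server 2012 or later) rather than the Windows 2000 policy editor the article refers to, and all addresses and the pre-shared key are placeholders.

```powershell
# Placeholder addresses (constructed for this example).
$mgmt     = "10.0.0.10"      # management / monitoring server
$devices  = "10.0.1.0/24"    # locally maintained SNMP devices
$remoteGw = "203.0.113.1"    # first router you physically maintain at the remote site
$remoteNet = "10.1.0.0/24"   # management subnet behind that router

# Phase 1 (IKE) authentication. A machine certificate is preferable; a
# pre-shared key is shown because many legacy SNMPv1/v2 devices only do PSK.
# Replace the placeholder with a long random key before use.
$proposal = New-NetIPsecAuthProposal -Machine -PreSharedKey "REPLACE-WITH-LONG-RANDOM-KEY"
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName "SNMP IKE Auth" -Proposal $proposal

# Polls: server (ephemeral port) -> device UDP/161. "Require" in both
# directions means clear-text SNMP to these devices is dropped, not just
# preferred, so a misconfigured device fails loudly instead of leaking
# community strings.
New-NetIPsecRule -DisplayName "Require IPsec for SNMP polls" `
    -LocalAddress $mgmt -RemoteAddress $devices `
    -Protocol UDP -RemotePort 161 `
    -Mode Transport -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name -Enabled True

# Traps: device -> server UDP/162.
New-NetIPsecRule -DisplayName "Require IPsec for SNMP traps" `
    -LocalAddress $mgmt -RemoteAddress $devices `
    -Protocol UDP -LocalPort 162 `
    -Mode Transport -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name -Enabled True

# Remote site: one tunnel to the first router you maintain. Anything for the
# remote management subnet rides inside it, so adding monitored devices
# behind that router needs no new policy on the server.
New-NetIPsecRule -DisplayName "SNMP tunnel to remote site" `
    -LocalAddress $mgmt -RemoteAddress $remoteNet `
    -Mode Tunnel -LocalTunnelEndpoint $mgmt -RemoteTunnelEndpoint $remoteGw `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name -Enabled True

# Check: after the first poll there should be a main-mode and a quick-mode SA
# for each peer. Polls that succeed while these lists stay empty mean the
# traffic is not being protected.
Get-NetIPsecMainModeSA
Get-NetIPsecQuickModeSA
```

A packet capture on the management segment is the independent check: SNMP to a covered device should appear only as ESP, never as UDP/161 or UDP/162 in the clear.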

Final thoughts

Network management and monitoring tools that use SNMP can greatly increase the efficiency of your network operations. But it's vital that you remember to secure that data as it crosses the network, or it could become a vulnerability to your operations. One of your best bets is to secure those network conversations with IPSec.


Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.
