Wednesday, February 24, 2016

Step By Step Windows SNMP Security Configuration and Encryption using IPSec [Part 3]


Case 1: SNMP Manager running on Windows Machine


Configuring IPSec in the Windows SNMP Manager machine
1. In Windows Server 2012 R2 Server Manager, click the Tools menu, then click Local Security Policy.
2. In the left pane of the Local Security Policy window, click IP Security Policies on Local Computer.

3. In the right pane of the Local Security Policy window, right-click a free area and click Create IP Security Policy... The IP Security Policy Wizard will start; click the Next button.
4. In the IP Security Policy Name window type a suitable name (e.g. SNMP) in the Name: text box and click the Next button.
5. In the Requests for Secure Communication window click the Next button.
6. In the Complete the IP Security Policy Wizard window make sure that the Edit properties check box is checked and click the Finish button.
7. In the SNMP Properties window click on the Add... button.
8. In the Security Rule Wizard window click Next button.
9. In the Tunnel Endpoint window click Next button.
10. In the Network Type window select All network connections options and click Next button.
11. In the IP Filter List window click on Add... button.
12. In the IP Filter List window type a name on the Name: (e.g. SNMP Agent and Manager Filter) text box and click on the Add... button.
13. In the IP Filter Wizard window click Next button.
14. In the IP Filter Description and Mirrored property window type a Description (e.g. Write a description) and click the Next button.
15. In the IP Traffic Source window click on the Source Address drop-down list, select My IP Address and click the Next button.

16. In the IP Traffic Destination window click on the Destination address drop down list and select A specific IP address or Subnet, then type the IP address of the SNMP Agent 192.168.56.50 in the IP Address or Subnet text box and click Next button.

17. In the IP Protocol Type window click on the Select a protocol type drop down list and select UDP then click Next button.
18. In the IP Protocol Port window select the From any port option, then select To this port, type 161 and click the Next button.
19. In the IP Filter Wizard window click the Finish button.
20. In the IP Filter List window click on the Add... button.
21. In the IP Filter Wizard window click Next button.
22. In the IP Filter Description and Mirrored property window type a Description and click Next button.
23. In the IP Traffic Source window click on the Source address drop down list and select A specific IP address or Subnet, then type the IP address of the SNMP Agent 192.168.56.50 in the IP Address or Subnet text box and click Next button.

24. In the IP Traffic Destination window click on the Destination Address drop-down list, select My IP Address and click the Next button.
25. In the IP Protocol Type window click on the Select a protocol type drop down list and select UDP then click Next button.
26. In the IP Protocol Port window select the From any port option, then select To this port, type 162 and click the Next button.
27. In the IP Filter Wizard window click the Finish button.
28. In the IP Filter List window click on the OK button.
29. In the IP Filter List window select the created list SNMP Agent and Manager and click on the Next button.
30. In the Filter Action window click on the Add... button.
31. In the IP Security Filter Action Wizard window click on the Next button.
32. In the Filter Action Name window type a name for the filter action in the Name text box (e.g. Secure SNMP) and then click on the Next button.
33. In the Filter Action General Options window select the Negotiate security option, then click on the Next button.
34. In the Communicating with computers that do not support IPsec window select the option Do not allow unsecured communication and then click on the Next button.
35. In the IP Traffic Security window select the Integrity and encryption option, then click on the Next button.
36. In the IP Security Filter Action Wizard window click on the Finish button.
37. In the Filter Action window select the created filter action Secure SNMP and click on the Next button.
38. In the Authentication Method window select Use this string to protect the key exchange (preshared key) option then type a complex preshared key (e.g. ComplexPreSharedKey) then click on the Next button.
39. In the Security Rule Wizard window click on the Finish button.
40. In the SNMP Properties window click on the OK button.
41. In the Local Security Policy window right-click the newly created policy SNMP and click Assign.
42. In the Local Security Policy window make sure that the icon of the created policy SNMP has changed and that a small green dot has appeared on it.

At this point the IPSec configuration of the Windows SNMP Manager machine is complete.

Case 2: SNMP Manager running on Ubuntu Linux Machine


Configuring IPSec in the Ubuntu Linux SNMP Manager machine
1. Open a terminal on the SNMP Manager Ubuntu Linux machine and install the strongSwan package, if it is not already installed, as follows.

2. Open the IPSec configuration file /etc/ipsec.conf using a text editor like nano.
3. Add the IPSec configuration at the end of the /etc/ipsec.conf file as follows.
4. Press CTRL+X then type Y
5. Press Enter to save the file /etc/ipsec.conf
6. Open the IPSec configuration file /etc/ipsec.secrets using a text editor like nano.
7. Add the IPSec preshared key at the end of the /etc/ipsec.secrets file as follows.
8. Press CTRL+X then type Y
9. Press Enter to save the file /etc/ipsec.secrets
10. Restart the IPSec daemon.
 

At this point the IPSec configuration of the Ubuntu SNMP Manager machine is complete.
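
The Ubuntu procedure above as a script, added here as an example and not taken from the original post: it renders strongSwan settings that mirror the Windows policy from Case 1 (transport mode, preshared key, UDP 161 toward the agent and UDP 162 from it). The agent address and the sample key come from this page; the manager address argument, the conn names and the choice of IKEv1 (what legacy Windows IP Security Policies negotiate) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). AGENT_IP is the SNMP Agent
# address used on this page; the manager IP and conn names are assumptions.
AGENT_IP=192.168.56.50

valid_ipv4() {   # succeeds only for a dotted quad with octets 0-255
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

render_ipsec_conf() {   # $1 = manager IP; prints the /etc/ipsec.conf section
    valid_ipv4 "$1" || { echo "bad manager IP: $1" >&2; return 1; }
    cat <<EOF
# ike= and esp= proposals must match the Windows policy (not stated on the page).
conn snmp-base
    type=transport
    keyexchange=ikev1
    authby=secret
    left=$1
    right=$AGENT_IP

conn snmp-poll
    also=snmp-base
    leftprotoport=udp/%any
    rightprotoport=udp/161
    auto=route

conn snmp-trap
    also=snmp-base
    leftprotoport=udp/162
    rightprotoport=udp/%any
    auto=route
EOF
}

render_ipsec_secrets() {   # $1 = manager IP, $2 = preshared key
    valid_ipv4 "$1" || return 1
    case $2 in *'"'*|'') echo "PSK empty or contains a quote" >&2; return 1;; esac
    printf '%s %s : PSK "%s"\n' "$1" "$AGENT_IP" "$2"
}

apply_config() {   # run as root: install, append both files, restart
    conf=$(render_ipsec_conf "$1") && secret=$(render_ipsec_secrets "$1" "$2") || return 1
    apt-get install -y strongswan || return 1
    printf '\n%s\n' "$conf" >> /etc/ipsec.conf
    printf '%s\n' "$secret" >> /etc/ipsec.secrets && chmod 600 /etc/ipsec.secrets
    ipsec restart
}
```

Source the file and call `apply_config <manager-ip> <preshared-key>` as root; the key must be identical to the one typed into the Windows Authentication Method window. `ipsec statusall` then lists the routed snmp-poll and snmp-trap connections.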

Conclusion

  • SNMP is a powerful management and monitoring protocol.
  • Until now MS Windows does not support SNMP v3.
  • MS Windows sends community strings over the network in plaintext.
  • MS Windows SNMP Service supports IP access lists.
  • IPSec could be used to encrypt SNMP traffic and protect MS Windows SNMP service from eavesdropping attacks.