Many network administrators use Simple Network Management Protocol (SNMP) to provide a preemptive method of detecting network faults. This protocol allows SNMP agents to inform SNMP management stations when abnormal events take place on the network that the network administrator should address.
After this lesson, you will be able to
Estimated lesson time: 30 minutes
SNMP allows a network administrator to proactively manage a network by providing early detection of network faults or incorrect network configuration. Network administrators use SNMP to do the following:
An SNMP environment has several participants, including
NOTE
Windows 2000 doesn't ship with an SNMP management station component. The Windows 2000 Support Tools include a simple graphical SNMP manager called SNMPUtilg.exe. For an extended feature set, consider implementing third-party solutions such as HP OpenView from Hewlett-Packard or Unicenter TNG from Computer Associates.
SNMP agents send status messages to the SNMP management station. The status messages include regular updates sent to an SNMP management station or responses to SNMP queries. In specific instances the SNMP agent will send an SNMP trap message to indicate that a defined event has taken place.
NOTE
Another difference between SNMP status messages and SNMP trap messages is that they're directed to different ports on the SNMP management station. SNMP status messages are sent to User Datagram Protocol (UDP) port 161 on the SNMP management station, and SNMP trap messages are sent to UDP port 162.
SNMP allows you to query network devices and clients for configuration information. In the wrong hands, this configuration information may reduce your network's security by exposing sensitive information, such as Active Directory account information or router configuration.
To provide security for your organization's SNMP deployment, you must consider the following design points:
The SNMP protocol provides limited security through the configuration of SNMP communities. An SNMP community is a named group of SNMP agents that are managed together on the network. The SNMP community doesn't have to map to domains within your Active Directory, but it should map to areas of management within your network.
An SNMP agent can belong to multiple communities, and you can configure rights for each community. You can assign rights to be
Figure 9.12 shows an SNMP agent configured to belong to two communities, Corporate and Redmond. SNMP management stations have been assigned different rights for each community.
Within this dialog box, you can enable the option to send authentication traps. An authentication trap will inform a configured SNMP management station if an SNMP management station from a community that's not included in the approved communities list attempts to manage the SNMP agent.
Figure 9.12 SNMP agent configured to respond to two communities
Figure 9.12 shows additional security configuration for the SNMP Service. You can configure each SNMP agent to respond only to specific SNMP management stations. If an SNMP message is received from an unapproved management station, the SNMP agent will send an SNMP trap message to a configured management station. In addition, you can configure SNMP agents to send messages only to a preconfigured management station. This configuration prevents unauthorized management stations from requesting data from SNMP agents. When an unauthorized management station attempts to manage the SNMP agent, the trap message indicating the unauthorized access is sent to the authorized management station that you configure as the trap destination, as shown in Figure 9.13.
Figure 9.13 Configuring the destination for SNMP trap messages for the Corporate community
Because SNMP status messages and SNMP trap messages are sent in clear text across the network, a network sniffer can intercept the SNMP messages and read the information in them. You can configure IPSec to require that SNMP status messages and SNMP trap messages be encrypted.
Be careful when implementing IPSec. All SNMP agents must support the use of IPSec. If a single SNMP agent doesn't support IPSec, you'll have to configure IPSec to only request and not require IPSec encryption. Otherwise you'll have to remove the SNMP agent that doesn't support IPSec from your management scheme.
Table 9.6 outlines the design decisions that you face when designing a secure SNMP deployment for your Windows 2000 network.
Table 9.6 Securing the SNMP Service
| To | Do the Following |
|---|---|
| Prevent SNMP management stations from modifying configuration by using SNMP SET commands | Configure the communities in which the SNMP agent participates to be Read-Only communities. This configuration prevents the SNMP agent from processing SNMP SET messages. |
| Prevent unauthorized SNMP management stations from managing SNMP agents | Change the community name from the default name of "Public." Be sure to choose a community name that's difficult to guess. |
| Track unauthorized management attempts | Configure the SNMP agent to send trap messages for authentication traps and to have the SNMP traps sent to a specific SNMP management station. |
| Protect SNMP messages from interception | Encrypt SNMP messages by using IPSec. This requires that all SNMP management stations and SNMP agents support IPSec encryption. |
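As an added illustration (not part of the lesson or of the Windows 2000 SNMP Service), the following Python helper decodes the header of an SNMPv1 datagram and reports which of the Table 9.6 design points a captured message would violate: a "Public" or unlisted community, a SET request, or a request from a management station that isn't on the approved list. The packet builder, management-station addresses and community names are constructed for the example.

```python
"""Header-level checks for SNMPv1 datagrams against the Table 9.6 design points.
Hypothetical detection helper, not part of the lesson or of Windows 2000."""
GET_REQUEST, GET_NEXT, GET_RESPONSE, SET_REQUEST, TRAP = 0xA0, 0xA1, 0xA2, 0xA3, 0xA4

def _tlv(buf, pos):
    """Decode one BER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_header(packet):
    """Return (version, community, pdu_tag) from an SNMPv1/v2c message."""
    tag, body, _ = _tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing: not an SNMP message")
    tag, ver, pos = _tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    tag, comm, pos = _tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    pdu_tag, _, _ = _tlv(body, pos)
    return int.from_bytes(ver, "big"), comm.decode("ascii", "replace"), pdu_tag

def audit(packet, src_ip, approved_managers, approved_communities):
    """List the design-point violations visible in one datagram (empty list = clean)."""
    _, community, pdu = parse_header(packet)
    findings = []
    if community.lower() == "public":
        findings.append("default community name 'Public' in use")
    elif community not in approved_communities:
        findings.append("unapproved community %r: agent should raise an authentication trap" % community)
    if pdu == SET_REQUEST:
        findings.append("SetRequest received: community must be Read-Only to reject it")
    if pdu in (GET_REQUEST, GET_NEXT, SET_REQUEST) and src_ip not in approved_managers:
        findings.append("request from unlisted management station %s" % src_ip)
    return findings

def _enc(tag, value):
    """Short-form BER encoding (value shorter than 128 bytes)."""
    return bytes([tag, len(value)]) + value

def build_request(community, pdu_tag, request_id=1):
    """Constructed sample datagram: SNMPv1 request (request_id < 128) with an empty varbind list."""
    pdu = _enc(0x02, bytes([request_id])) + _enc(0x02, b"\0") + _enc(0x02, b"\0") + _enc(0x30, b"")
    return _enc(0x30, _enc(0x02, b"\0") + _enc(0x04, community.encode()) + _enc(pdu_tag, pdu))

if __name__ == "__main__":   # constructed addresses and community names
    print(audit(build_request("public", SET_REQUEST), "10.0.0.9", {"10.0.0.5"}, {"Corporate", "Redmond"}))
```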
Lucerne Publishing wants to use SNMP to manage network devices, clients, and servers. As mentioned earlier, each domain will manage its own SNMP environments and SNMP will be used to query information, not to configure SNMP-enabled devices. To ensure security for its SNMP environment, Lucerne Publishing will include the following items in its security design:
Lucerne Publishing has to review its situation carefully to determine whether it should implement IPSec for SNMP messages. The company must find out if all network devices deployed on its network support IPSec. If they don't, it would be unwise to deploy IPSec because Lucerne Publishing would lose the ability to monitor the network devices.
SNMP is an excellent tool for proactively managing your network. If you configure it properly for security, you can prevent attackers from taking advantage of security weaknesses in the SNMP protocol. When you deploy SNMP in your environment, always make sure that you configure approved communities and SNMP management stations. Don't leave the default configuration because the default uses the Public community name and allows any SNMP management stations to manage SNMP agents on the network.