#1
I've recently become a student of IPSEC so I'll give this a shot. Someone will correct me if I am wrong. I would also recommend becoming more familiar with IPSEC in general if you're going to use it.

https://www.microsoft.com/technet/ne...c/default.mspx

One of the really smart senior networking guys here said to avoid using IPSEC for granular control such as port/protocol filtering. I know it flies in the face of the info presented in the KB and may add to your confusion. I don't recall all of the reasons, but potential for filter conflicts was one. Maybe performance is another due to the more granular filtering.

We use IPSEC broadly internally to secure all communications between all hosts, using an AD Group Policy and IPSEC to accomplish something called Server and Domain Isolation (SDI), which is basically just protecting trusted/managed hosts from untrusted, unmanaged hosts through policy-based isolation. There are exemptions required for DC, DHCP, DNS and other services.

1) Since you are requiring security, then yes.
2) The packet is passed to the correct TCP/UDP port once the packet is successfully authenticated at the IP level. The payload the monitoring station receives is exactly what it expects at that point.
3) Yes, you can use Group Policy to deploy the IPSEC policies.

"Erick" wrote:

> If I were to follow the documentation, "How To: Configuring Network Security for the SNMP Services in Windows 2003" it would take me a long time to do each server my company is monitoring. My question(s) are:
>
> Do all servers (especially the monitoring station) need to have these changes made, otherwise the connection will be lost? If a client is talking through IPSEC then how will the monitoring station be able to interpret it?
>
> Is it possible this could be set up through Active Directory?
>
> Thank you!

JohnGil (MSFT)
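To illustrate point 2 of the answer above (authentication happens at the IP level, and only then is the unchanged UDP payload handed to port 161), here is an added Python example that is not part of this thread: it builds an IPv4 packet protected by AH in transport mode with HMAC-SHA1-96, verifies it on the receiving host, and shows that a TTL change by routers is tolerated while a flipped payload bit causes a drop. The key, addresses and SNMP payload are constructed test values, and the IP checksum is left at zero for brevity.

```python
import hmac, hashlib, struct

PROTO_AH, PROTO_UDP, SNMP_PORT = 51, 17, 161
ICV_LEN = 12  # HMAC-SHA1-96 truncates the 20-byte SHA-1 MAC to 96 bits

# Constructed test values: a throwaway 20-byte key and a placeholder SNMP payload.
KEY = bytes(range(20))
SNMP_PDU = b"\x30\x03\x02\x01\x00"  # minimal BER blob standing in for a GetRequest

def ipv4_header(src, dst, total_len, ttl=64, tos=0):
    """20-byte IPv4 header carrying AH (protocol 51); checksum left 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0x1234, 0x4000,
                       ttl, PROTO_AH, 0, src, dst)

def ah_icv(key, ip_hdr, ah_fixed, payload):
    """ICV over the packet with mutable IPv4 fields zeroed (RFC 4302 sec. 3.3.3.1)."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL, rewritten by every router on the path
    h[10:12] = b"\x00\x00"    # header checksum
    data = bytes(h) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def build_ah_packet(key, src, dst, spi, seq, udp_segment):
    # AH fixed part: next hdr=UDP, payload len=4 (24-byte AH = 6 words - 2), reserved, SPI, seq
    ah_fixed = struct.pack("!BBHII", PROTO_UDP, 4, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, 20 + 12 + ICV_LEN + len(udp_segment))
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, udp_segment) + udp_segment

def receive(key, packet):
    """Host side: verify AH first, then hand the untouched UDP payload to its port.
    Returns (dst_port, payload) or None if the packet must be dropped."""
    ip_hdr, ah_fixed = packet[:20], packet[20:32]
    icv, udp_segment = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    if ip_hdr[9] != PROTO_AH or ah_fixed[0] != PROTO_UDP:
        return None
    if not hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_fixed, udp_segment)):
        return None  # failed IP-level authentication: never reaches port 161
    dst_port = struct.unpack("!H", udp_segment[2:4])[0]
    return dst_port, udp_segment[8:]

def demo():
    """Returns (result for a routed-but-intact packet, result for a tampered packet)."""
    udp = struct.pack("!HHHH", 1025, SNMP_PORT, 8 + len(SNMP_PDU), 0) + SNMP_PDU
    pkt = build_ah_packet(KEY, b"\x0a\x00\x00\x05", b"\x0a\x00\x00\x09", 0x100, 1, udp)
    hopped = bytearray(pkt); hopped[8] -= 3          # three routers decremented TTL
    tampered = bytearray(pkt); tampered[-1] ^= 0x01  # one payload bit flipped in transit
    return receive(KEY, bytes(hopped)), receive(KEY, bytes(tampered))
```

The intact packet is delivered to port 161 with the SNMP payload byte-for-byte as sent; the tampered one is discarded before any SNMP code sees it.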
#2
Thank you for your insightful response; I found it very helpful. I started attending Walsh College where I'm studying for the CISSP exam. The program and course of study tends to make a person overzealous.

"JohnGil (MSFT)" wrote:

> I've recently become a student of IPSEC so I'll give this a shot. Someone will correct me if I am wrong. I would also recommend becoming more familiar with IPSEC in general if you're going to use it.
>
> https://www.microsoft.com/technet/ne...c/default.mspx
>
> One of the really smart senior networking guys here said to avoid using IPSEC for granular control such as port/protocol filtering. I know it flies in the face of the info presented in the KB and may add to your confusion. I don't recall all of the reasons, but potential for filter conflicts was one. Maybe performance is another due to the more granular filtering.
>
> We use IPSEC broadly internally to secure all communications between all hosts, using an AD Group Policy and IPSEC to accomplish something called Server and Domain Isolation (SDI), which is basically just protecting trusted/managed hosts from untrusted, unmanaged hosts through policy-based isolation. There are exemptions required for DC, DHCP, DNS and other services.
>
> 1) Since you are requiring security, then yes.
> 2) The packet is passed to the correct TCP/UDP port once the packet is successfully authenticated at the IP level. The payload the monitoring station receives is exactly what it expects at that point.
> 3) Yes, you can use Group Policy to deploy the IPSEC policies.
>
> "Erick" wrote:
>
> > If I were to follow the documentation, "How To: Configuring Network Security for the SNMP Services in Windows 2003" it would take me a long time to do each server my company is monitoring. My question(s) are:
> >
> > Do all servers (especially the monitoring station) need to have these changes made, otherwise the connection will be lost? If a client is talking through IPSEC then how will the monitoring station be able to interpret it?
> >
> > Is it possible this could be set up through Active Directory?
> >
> > Thank you!