Encrypt SNMP v1 and v2c traffic with IPsec in Windows domain network

SNMP supports three versions. SNMP v1 and SNMP v2c are not encrypted. SNMP v3 is encrypted, but unfortunately not supported in Windows. This doesn't mean the end of the game. Check out how to encrypt unencrypted SNMP v1 and SNMP v2c using IPsec in Windows domain networks.

SNMP is a common network monitoring protocol used to get different metrics from target hosts. It supports three versions. SNMP v1 and SNMP v2c are not encrypted. If a malicious IT guy tries to intercept the communication, he will see things going in plain text. SNMP v3 is encrypted, but unfortunately not supported in Windows and Windows Servers.

SNMP v1 and v2c transmit traffic in plain text. The intercepted traffic shows the community string “financedepartment”.

A common question is how to perform secure monitoring between a network monitoring solution and target Windows machines. There are two ways to do it. The first is to use third-party SNMP v3 agents, which I already covered in the article How to achieve SNMPv3 compliance in Windows and Windows Server.

The second way is to keep SNMP v1 and SNMP v2c and encrypt the traffic with IPsec. IPsec is natively supported in Windows and can be easily configured using Active Directory and Group Policy Objects (GPOs). If you want to use IPsec in a workgroup environment, you need to use the Local Security Policy and configure it on each Windows machine separately, which is a time-consuming task.

In this article, I’ll show you how to encrypt SNMP v1 and SNMP v2c traffic that is happening between NMS (Network Monitoring Solution) and target Windows machines. The complete procedure is done using Windows Server 2022 and Windows 11, but it is equally applicable to previous Windows versions.

HOW TO DO IT?

You need to have Administrator rights on Active Directory Server to configure the IPsec security rule and apply it in the domain network.

  1. Open Group Policy Management (Server Manager > Tools).
  2. Expand the forest and select the OU where you want to create the group policy object. If you don’t have an OU and only want to test what we do here, you can create the GPO directly at the domain level.
  3. Right click the OU and click Create a GPO in this domain, and Link it here…
  4. Type the name of the group policy and click OK.
  5. Right click the created group policy and click Edit.
  6. Expand Computer Configuration > Policies > Windows Settings > Security Settings and select IP Security Policies on Active Directory.
Navigate to Windows security policies
  1. Right click on IP Security Policies on Active Directory and click Create IP Security Policy to run the wizard for creating a policy.
  2. Under Welcome to the IP Security Policy Wizard click Next.
  3. Define the name of the policy. In my case it is SNMP IPsec.
Define the name of the IP Security Policy
  1. Under Requests for Secure Communication click Next.
  2. You have successfully completed specifying the properties for your new IP Security policy. Select Edit properties (new window will open) and click Finish and close the wizard.
  3. Click Add to add a new security rule.
Create security rule
  1. Under Welcome to the Create IP Security Rule Wizard click Next. A security rule contains a collection of security actions that are activated when a communication matches the criteria in the IP filter list.
  2. Select This rule does not specify a tunnel and click Next. An IPSec tunnel allows packets to traverse a public or private network with the security level of a direct, private connection between two computers.
Specify the tunnel endpoint for the IP Security rule
  1. Under the Network Type select All network connections and click Next.
Select the network type
  1. Under IP Filter List click Add to add a new filter.
  2. Type the name of new IP filter list and click Add.
Create an IP filter list
  1. Under Welcome to the IP Filter Wizard click Next. This wizard helps you provide the source, destination and traffic type information needed to filter IP traffic. You can add multiple filters to build an IP filter list that matches IP packets for multiple source or destination computers, or for many different traffic types.
  2. Add the IP filter description, select the Mirrored property and then click Next. A mirrored filter also matches the reply packets flowing in the opposite direction.
  3. Choose Any IP address as the source address and click Next.
  4. Choose Any IP address as the destination address and click Next.
  5. Select UDP as the protocol type and click Next. Why UDP? Because SNMP runs over UDP.
Select a protocol type
  1. Specify the SNMP port you use in your network and click Next. By default it is port 161 (SNMP) and 162 (SNMP Traps).
Select port/s
  1. Click Finish to close the wizard.
  2. Click OK to close the wizard. You can see the IP filters are created and available in the list.
Save the filter
  1. Select created IP Filter List and click Next.
Select created IP filter list
  1. Under Welcome to the IP Security Filter Action Wizard click Next. A filter action sets the security requirements for a data transfer.
  2. Define the name of the filter action and click Next.
  3. Select Negotiate security under Filter Action General Options and click Next.
Filter action general options
  1. Select Do not allow unsecured communication and click Next.
Do not allow unsecured communication
  1. Select Integrity and encryption to encrypt the data and click Next.
Select integrity and encryption
  1. You have successfully completed the IP Security Filter Action Wizard. Click Finish to close the wizard.
  2. Select the Filter Action you created and then click Next.
Select filter action you created
  1. Under Authentication method you can use one of three methods: Active Directory default (Kerberos v5 protocol), a certificate from a CA, or a pre-shared key. It is recommended to use a CA certificate first (if possible), then Kerberos, and a pre-shared key last. Click Next.
Choose Authentication Method
  1. You have successfully completed specifying the properties for your new rule. Click Finish to close the wizard.
  2. Click Apply and then OK.
IP Security rules
  1. Right click on IP security rule and click Assign.
Assign security rule
  1. Run PowerShell as Administrator and type the following command to force group policy update.
gpupdate /force
  1. The policy will be applied on Windows client or Windows Server machines after the next log-on. You can force it by signing out and signing in again, or by logging in to your target Windows machine and executing the same command in PowerShell or Command Prompt.
 gpupdate /force
Force group policy update on target Windows 11 machine
  1. Congratulations. You have encrypted the previously unencrypted SNMP v1 and SNMP v2c communication with IPsec. What happens when someone intercepts the SNMP v1 and SNMP v2c traffic now? Here it is.
SNMP communication interception
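The same policy can be created without clicking through the wizards. The script below is an added example, not code from the original article, and it uses the NetSecurity module cmdlets to put a Windows Defender Firewall connection security rule into a domain GPO. That is the modern equivalent of the legacy IP Security Policies snap-in used in the steps above, not the same store, so the objects will appear under Windows Defender Firewall with Advanced Security > Connection Security Rules in the GPO editor. The domain FQDN "corp.example", the GPO name "SNMP IPsec" (which must already exist and be linked to the target OU), the Kerberos machine authentication, and the AES-256/SHA-256 ESP proposal are all assumptions you should adjust; run it as a domain administrator on a machine that has the GroupPolicy and NetSecurity modules (a domain controller or RSAT).

```powershell
# Added example (not from the original article). Creates, in a domain GPO, the
# connection security rules that require IPsec for SNMP v1/v2c on UDP 161/162.
# Placeholders (assumptions): replace with your domain FQDN and an existing GPO name.
$Domain  = 'corp.example'
$GpoName = 'SNMP IPsec'

# Open the GPO once; every object below is staged in this session and written by Save-NetGPO.
$gpo = Open-NetGPO -PolicyStore "$Domain\$GpoName"

# Phase 1 (main mode) authentication: computer Kerberos, the article's
# "Active Directory default (Kerberos v5)" choice. Use -Machine -Cert -Authority ...
# instead when a CA is available, which the article lists as the preferred option.
$authProposal = New-NetIPsecAuthProposal -Machine -Kerberos
New-NetIPsecPhase1AuthSet -GPOSession $gpo `
    -Name 'SNMP-Phase1Auth' -DisplayName 'SNMP IPsec - Kerberos machine auth' `
    -Proposal $authProposal | Out-Null

# Phase 2 (quick mode) crypto: ESP with AES-256 encryption and SHA-256 integrity,
# the equivalent of the article's "Integrity and encryption" filter action.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA256 -Encryption AES256
New-NetIPsecQuickModeCryptoSet -GPOSession $gpo `
    -Name 'SNMP-QuickModeCrypto' -DisplayName 'SNMP IPsec - ESP AES256/SHA256' `
    -Proposal $qmProposal | Out-Null

# Helper (hypothetical name) so both SNMP directions get identical security settings.
# Require/Require is the equivalent of "Do not allow unsecured communication": a peer
# that cannot negotiate IPsec gets no SNMP traffic at all, in either direction.
function New-SnmpIpsecRule {
    param([string]$Name, $LocalPort, $RemotePort)
    New-NetIPsecRule -GPOSession $gpo -DisplayName $Name `
        -Mode Transport -Protocol UDP -LocalPort $LocalPort -RemotePort $RemotePort `
        -LocalAddress Any -RemoteAddress Any `
        -InboundSecurity Require -OutboundSecurity Require `
        -Phase1AuthSet 'SNMP-Phase1Auth' -QuickModeCryptoSet 'SNMP-QuickModeCrypto' `
        -Profile Any -InterfaceType Any | Out-Null
}

# Written from the Windows host's point of view: the NMS polls the local agent on
# UDP 161, and the host sends traps to the NMS's UDP 162 (the two ports the article names).
New-SnmpIpsecRule -Name 'Require IPsec for SNMP polls (local UDP 161)' -LocalPort 161 -RemotePort Any
New-SnmpIpsecRule -Name 'Require IPsec for SNMP traps (remote UDP 162)' -LocalPort Any -RemotePort 162

# Commit the staged objects to the GPO in Active Directory.
Save-NetGPO -GPOSession $gpo

# --- Verification on a target machine, after gpupdate /force ---
# The rules should be present in the active store, and once the NMS has polled the
# host a quick mode SA should exist. Rules present but no SA while polls fail means
# the IPsec negotiation (authentication or crypto mismatch), not SNMP, is the problem.
Get-NetIPsecRule -PolicyStore ActiveStore |
    Where-Object DisplayName -like 'Require IPsec for SNMP*' |
    Format-Table DisplayName, InboundSecurity, OutboundSecurity, Enabled
Get-NetIPsecMainModeSA  | Format-List
Get-NetIPsecQuickModeSA | Format-List
```

Because both rules require IPsec in both directions, a monitoring server that is not domain-joined (or that cannot do Kerberos machine authentication and the chosen ESP proposal) loses SNMP access to every host in the OU the moment the GPO applies; pilot the GPO on a single test OU, as the article suggests, and confirm the quick mode SA appears before linking it more broadly.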

I hope you find this article useful. If you would like to share it with your friends and your virtual network, please do it by clicking on the social media button below.

Comments (2):

  1. Eric

    November 15, 2021 at 23:58

    Will this work if I am trying to encrypt SNMP traffic within the same subnet to a Lexmark network printer?

    • Jasmin Kahriman

      November 17, 2021 at 21:46

      Hi Eric – In this case, group policy objects are only applied to Windows machines. However, there are ways to encrypt SNMP v1 and SNMP v2c communication with other devices as well. Do your monitoring solution and Lexmark support SNMP v3?

