Connecting to 2K3 via ipsec

rweales
Posts: 20
Joined: Wed May 03, 2006 12:50 pm

Connecting to 2K3 via ipsec

Post by rweales »

I've configured Network Security for the SNMP Service in Windows Server 2003 as per http://support.microsoft.com/?kbid=324261.

However I can no longer query the machine from my Linux Cacti console.

My concern stems from this part of the MS how-to:

"Click the Authentication Methods tab. Kerberos is the default authentication method. If you require alternate authentication methods, click Add. In the New Authentication Method Properties dialog box, select the authentication method that you want from the following list, and then click OK:
rweales
Posts: 20
Joined: Wed May 03, 2006 12:50 pm

Post by rweales »

For some reason, I can't post the part of the MS article, but it uses AD/Kerberos for auth. How can Cacti communicate to AD this way?
BSOD2600
Cacti Moderator
Posts: 12171
Joined: Sat May 08, 2004 12:44 pm
Location: USA

Post by BSOD2600 »

This isn't a Cacti problem.

You've enabled Kerberos authentication for SNMP requests. Your Linux box must authenticate itself via Kerberos with the computer/domain before SNMP communication will work; this does not need to happen in Cacti.
rweales
Posts: 20
Joined: Wed May 03, 2006 12:50 pm

Is it necessary

Post by rweales »

So my real question is, for those who monitor MS servers, is it necessary to follow MS guidelines in regard to securing SNMP traffic? I have denied 161 and 162 from leaving the LAN, and I understand that SNMP is clear text, but besides the community string, what is the real threat?
BSOD2600
Cacti Moderator
Posts: 12171
Joined: Sat May 08, 2004 12:44 pm
Location: USA

Post by BSOD2600 »

I'd just set up a non-standard community name and restrict the IPs which can talk to SNMP. The risk of leaving it open is that a person can find out a LOT about the computer via SNMP... what processes, user logged in, hardware, etc.
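
The two settings suggested in the last reply, as an added audit script that is not part of the original thread: it checks the Windows SNMP service's ValidCommunities and PermittedManagers registry keys for a default community name, write access, and a missing manager restriction. The function names are hypothetical and the sample input is constructed.

```powershell
# Added example: audit the Windows SNMP service configuration.
# The registry path is the SNMP service's standard location.
$SnmpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'

function Get-SnmpRegistryValues {
    param([string]$SubKey)
    # Returns a hashtable of value name -> data; empty if the key is absent.
    $result = @{}
    $path = Join-Path $SnmpKey $SubKey
    if (Test-Path $path) {
        $key = Get-Item $path
        foreach ($name in $key.GetValueNames()) {
            $result[$name] = $key.GetValue($name)
        }
    }
    return $result
}

function Test-SnmpHardening {
    param([hashtable]$Communities, [string[]]$Managers)
    $findings = @()
    foreach ($name in $Communities.Keys) {
        if ('public', 'private' -contains $name) {
            $findings += "Community '$name' is a well-known default name"
        }
        # Rights DWORD: 4 = READ ONLY, 8 = READ WRITE, 16 = READ CREATE
        if ([int]$Communities[$name] -ge 8) {
            $findings += "Community '$name' grants write access"
        }
    }
    # With no entries under PermittedManagers the service answers any host.
    if (-not $Managers -or $Managers.Count -eq 0) {
        $findings += 'No permitted managers: SNMP packets accepted from any host'
    }
    return $findings
}

# Constructed sample: default name, write access, no manager restriction.
Test-SnmpHardening -Communities @{ public = 8 } -Managers @()

# On the server itself, audit the live configuration if SNMP is installed.
if (Test-Path $SnmpKey) {
    $communities = Get-SnmpRegistryValues 'ValidCommunities'
    $managers = @((Get-SnmpRegistryValues 'PermittedManagers').Values)
    Test-SnmpHardening -Communities $communities -Managers $managers
}
```

An empty result means a non-default, read-only community and at least one permitted manager, which for this thread would be the Cacti console's address.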