05-17-2017 01:41 AM - edited 03-05-2019 08:32 AM
I am setting up a monitoring server which will monitor SNMP alerts for a few different clients. I am a small IT Services company and wanted to learn the correct way to set this up and to ensure it's as secure as possible.
I was thinking of setting up a VPN between the client and my monitoring server, with a firewall on both sides blocking all ports except for SNMP port 161. To me this seems to be the right way to go about it, but I would like to know how managed services providers do it?
05-30-2017 05:17 AM
You will want to open UDP port 162 in the client --> server direction for SNMP traps for when something occurs on their devices. Additionally, if you want to monitor things like CPU or interface bandwidth utilization you'll want to open UDP 161 in the server --> client direction.
Any SSL or IPSec VPN will work for securely getting the information between the clients and your server. Do you know which type of VPN you will be using?
If security is a prime concern you may also want to use SNMPv3 to ensure that the data in each packet is encrypted even when it's not in the VPN tunnel.
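The port and direction policy described in the reply above, written as a check over flow records seen on the VPN link. This is an added example and not part of the original replies; the addresses, the `proto src dst dport` record format and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumed addressing for illustration only (not from the thread).
MONITOR = ipaddress.ip_address("10.0.0.10")            # monitoring server
CLIENT_NETS = [ipaddress.ip_network("192.168.10.0/24"),
               ipaddress.ip_network("192.168.20.0/24")]

def is_client(addr):
    return any(addr in net for net in CLIENT_NETS)

def classify(proto, src, dst, dport):
    """Classify one new flow on the tunnel as 'poll', 'trap' or 'violation'.
    Records describe who opened the flow; replies to a poll are return
    traffic of that flow and do not appear as separate records."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if proto.lower() != "udp":
        return "violation"
    if src == MONITOR and is_client(dst) and dport == 161:
        return "poll"   # server --> client: CPU, interface counters
    if is_client(src) and dst == MONITOR and dport == 162:
        return "trap"   # client --> server: SNMP traps
    return "violation"

def audit(lines):
    """Return the 'proto src dst dport' records that break the policy."""
    bad = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, src, dst, dport = line.split()
        if classify(proto, src, dst, int(dport)) == "violation":
            bad.append(line)
    return bad

# Constructed sample records, not real traffic.
SAMPLE = """\
udp 10.0.0.10 192.168.10.1 161
udp 192.168.10.1 10.0.0.10 162
udp 192.168.20.5 10.0.0.10 161
tcp 192.168.10.7 10.0.0.10 22
udp 10.0.0.10 192.168.20.5 162
udp 172.16.0.9 10.0.0.10 162
""".splitlines()

if __name__ == "__main__":
    for rec in audit(SAMPLE):
        print("outside SNMP policy:", rec)
```

The same two rules, one per direction, are what the firewall on each end of the tunnel should allow, with everything else dropped.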
05-30-2017 05:23 AM
Hi, thanks for your reply. I will be using pfSense as the firewall, which will have a site-to-site VPN using IPSec over VPN. The VPN link will have all ports blocked except for SNMP. Does this sound like a logical setup? I want to be secure and take no chances.
My side of the network will have pfSense, and most of the clients have DrayTek firewalls at the moment; however, these will probably get replaced over time with ASA 5506 firewalls.
05-30-2017 05:49 AM
Yes, that sounds logical.