Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
707
Views
25
Helpful
5
Replies

NTP and SNMP traffic over IPsec or Normal link ?

Go to solution
MrBeginner
Spotlight
Spotlight

‎06-06-2022 07:25 PM

Hi,

I would like to ask about for ntp and snmp traffic.

We are running hub spoke VPN . Should we carry ntp and snmp traffic over ipsec tunnel?

Should we carry ntp and snmp trffic as normal traffic ( without encrypt ,not using ipsec tunnel) ?

What is the best practice ?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Kasun Bandara
VIP
VIP
In response to MrBeginner

‎06-07-2022 05:18 AM

Best practice is to use encrypted traffic as much as possible over public networks. 

And sending traffic over VPN or using encrypted services (such as snmpv3 over snmp v1) is depends on your design and company policy.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

View solution in original post

5 Replies 5

Go to solution
UdupiKrishna
Cisco Employee
Cisco Employee

‎06-06-2022 07:35 PM

There's no straight forward answer to this, because this isn't about best practice, rather your organisation's policies and compliance.

If you feel this traffic shouldn't be inspected by MITM (if the network is compromised), sure you can encrypt them via VPN.

 

 

Go to solution
Kasun Bandara
VIP
VIP

‎06-06-2022 08:19 PM

This requirement is mostly depends on how you configured things. if you want to send ntp and snmp out of tunnel, you can use SNMPv3. for NTP use authentication. but if you have required processing power, try to use these traffic inside tunnel. 

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎06-06-2022 11:39 PM

Hi,

I remember sometime back reading through cisco doc, they recommended to
keep these of IPSec (you already having hub and spoke). For NTP, it is
definitely a best practice to ensure that all your network is synced
through the same NTP source within your organization (and that source
should be synced from outside). Same for SNMP, if you collector is within
your intranet, there is no point of sending it over internet as this
requires exposure of your SNMP server to internet which is another risk for
inbound (especially if you use traps instead of poll mode).

**** please remember to rate useful posts

Go to solution
MrBeginner
Spotlight
Spotlight

‎06-07-2022 03:52 AM

Hi All,

Thank. 

I just want to know for security compliance.When i read for doc , i only can find how to secure ntp /snmp (eg, using ACL,V3 snmp..etc) but never mentoon about encrypted traffic or normal traffic. 

So i just want to know what is the best practice for security.

0 Helpful

Go to solution
Kasun Bandara
VIP
VIP
In response to MrBeginner

‎06-07-2022 05:18 AM

Best practice is to use encrypted traffic as much as possible over public networks. 

And sending traffic over VPN or using encrypted services (such as snmpv3 over snmp v1) is depends on your design and company policy.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents