
PlayStation Network Hack – What You Don’t Know Can Hurt You

Posted on by Dan Berger in Main | 1 Comment

In a press conference late last week, Sony PlayStation Network executives confirmed that the recent hacking incident, which exposed personally identifiable information and credit card numbers for all or part of the user database, was an exploit of a known vulnerability – just not one known to Sony.

The “external intrusion” has left 77 million PlayStation Network and Qriocity users without access to the services or their personal data stored there for the past 10 days. In the press conference, Sony Computer Entertainment CEO Kaz Hirai publicly addressed the security breach, the network shutdown and tentative restoration date, as well as Sony’s other plans to “make good” to its millions of loyal users.

Hirai-san stated that there’s “no evidence that credit card numbers, expiration dates or billing addresses” were stolen and that there have been no confirmed cases of credit card fraud relating to this incident. However, he later urged all PSN members to check monthly credit card billing statements for possible fraudulent charges. Previously, the company had stated that as many as 10 million credit cards may have been “exposed” but there was no “proof” that they had been stolen.

These seemingly incongruous statements may be the result of semantics, Japanese-English translation or both. Or perhaps it just shows how data security breaches by their very nature can create chaos, or at least a lot of unknowns. The incubation period and extent of potential harm for stolen personal information can vary in length and degree. What is clear is that while some hackers delight in infiltrating systems “just because they’re there,” most sophisticated and well-orchestrated attacks are driven by underground, malevolent economic pay-offs.

Sony’s reputation re-building efforts, proposed compensatory offers to members, network security enhancements and organizational changes are all admirable and necessary in the wake of this massive breach. But there’s also the hard truth that perhaps all of this could have been avoided. At Redspin, we assess network infrastructure and applications against known vulnerabilities. We then take a “hacker’s eye view” and analyze and report on potential attack vectors. Our findings reports suggest improvements to network infrastructure, tightening security controls, and hardening web applications.

We urge our clients to be proactive about security – implement a regular cycle of security testing, remediation, validation and retesting. Our Enterprise Solution provides a structured approach to institutionalize security as part of operations. And it’s certainly affordable – particularly when one considers the potential costs of a catastrophic breach.

 

Epsilon Breach

Posted on by John Abraham in Main | Leave a comment

The latest big security breach to hit the news is an important reminder about a couple of key aspects of security. While few details are available as to the nature of the breach, some general security principles apply. Here are a couple that come to mind.

The existence of a security control is not the same as the effectiveness of a control

Here is yet another reminder that security is all about the details. The existence of a security control is not the same as the effectiveness of a security control. Unlike the recent Nasdaq Director’s Desk breach a few months ago in which Nasdaq detailed very extensive efforts and technologies to maintain security (and they still got breached), a review of the Epsilon website revealed very little about their security controls. The Epsilon privacy policy page (dated February 7, 2011 at the time we reviewed) does address some general aspects:

How Is Information About Me Kept Secure?
We protect information we collect about you by maintaining physical, electronic and procedural safeguards. All information is secure and may be accessed only by key staff members of Epsilon. We take reasonable precautions to protect your information both online and offline. Periodically, our employees are notified about the importance we place on privacy and security, and what they can do to ensure our clients’ information is protected. The servers on which we store data are kept in a secure environment.

Our experience is that these kinds of statements on a web site are more marketing anyway – whether detailed like Nasdaq or more general like Epsilon. In reality an effective information security program is more difficult than just words on a page or just dropping in technology or controls. An effective information security program is more of a culture, a lifestyle, a dedication to ideals that transcend lingo such as SSL, 128 bit encryption, intrusion detection system, firewall and multiple-layers-of-security.

An effective information security program takes a risk-based approach in which management understands that resources are limited, so security efforts are focused on the most critical areas. That means not only implementing a security control, but also following up to verify that the control is configured and working effectively, and maintaining the control to ensure that its configuration is still effective in a world of evolving threats and dynamic corporate networks. That’s a lot more commitment than just acquiring technology and dropping it into your data center. A few examples of repeated security risks we see:

  • We see many firewalls with ineffective rules because of subtle errors in the configuration
  • It’s very common to see intrusion detection systems (IDS) that generate so many false-positive alerts that they are totally irrelevant, other than to supply jargon for a company’s website security statements
  • Web applications are widely insecure – there is just so much complexity in a full-featured web application, and web developers are driven to release features on short time frames and limited budgets – what else would you expect?
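The first bullet is the one that is easiest to check mechanically, and the check is the point: a rule that exists is not a rule that works. The following is an added example, not code from the Redspin post. It models iptables first-match semantics for a handful of match types (-i, -s, -p, --dport, -m state) and runs a deployed ruleset against a list of “this packet must be accepted / dropped” policy tests. The ruleset, the policy tests and the mistake planted in the ruleset (a /24 typed where a /32 was meant; iptables silently masks the host bits, so the rule admits the whole subnet) are constructed for illustration; it is not a full iptables emulator.

```python
"""Added example (not from the Redspin post): verify that a firewall chain
enforces the policy you intended, rather than trusting that rules exist.

Models iptables first-match semantics for -i, -s, -p, --dport and
-m state only. Ruleset, tests and the planted mistake are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Rule:
    target: str                                  # -j ACCEPT / DROP
    iface: Optional[str] = None                  # -i
    src: Optional[str] = None                    # -s CIDR (host bits masked, as iptables does)
    proto: Optional[str] = None                  # -p tcp / udp
    dport: Optional[int] = None                  # --dport
    states: Set[str] = field(default_factory=set)  # -m state --state A,B


@dataclass
class Packet:
    iface: str
    src: str
    proto: str
    dport: int
    state: str = "NEW"


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every match clause present on the rule applies to the packet."""
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.src is not None:
        net = ipaddress.ip_network(rule.src, strict=False)  # 10.0.0.42/24 -> 10.0.0.0/24
        if ipaddress.ip_address(pkt.src) not in net:
            return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.states and pkt.state not in rule.states:
        return False
    return True


def evaluate(chain, pkt: Packet, default_policy: str = "ACCEPT") -> str:
    """First matching rule decides; if nothing matches, the chain policy applies."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return default_policy


def run_policy_tests(chain, tests):
    """Return (test name, expected verdict, actual verdict) for each failed test."""
    failures = []
    for name, pkt, want in tests:
        got = evaluate(chain, pkt)
        if got != want:
            failures.append((name, want, got))
    return failures


# Intended policy (constructed): loopback and reply traffic allowed, SNMP only
# from the query server 10.0.0.42, SSH from anywhere, everything else dropped.
CHAIN_AS_DEPLOYED = [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
    Rule("ACCEPT", src="10.0.0.42/24", proto="udp", dport=161),  # planted error: /24, not /32
    Rule("ACCEPT", proto="tcp", dport=22),
    Rule("DROP"),
]

CHAIN_FIXED = [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
    Rule("ACCEPT", src="10.0.0.42/32", proto="udp", dport=161),
    Rule("ACCEPT", proto="tcp", dport=22),
    Rule("DROP"),
]

# Policy tests (constructed): what the firewall MUST do, independent of the rules.
POLICY_TESTS = [
    ("loopback allowed", Packet("lo", "127.0.0.1", "tcp", 8080), "ACCEPT"),
    ("ssh from anywhere", Packet("eth0", "203.0.113.7", "tcp", 22), "ACCEPT"),
    ("snmp from query server", Packet("eth0", "10.0.0.42", "udp", 161), "ACCEPT"),
    ("snmp from another LAN host", Packet("eth0", "10.0.0.99", "udp", 161), "DROP"),
    ("web from internet", Packet("eth0", "203.0.113.7", "tcp", 80), "DROP"),
    ("reply traffic", Packet("eth0", "203.0.113.7", "tcp", 40000, "ESTABLISHED"), "ACCEPT"),
]

if __name__ == "__main__":
    for label, chain in (("deployed", CHAIN_AS_DEPLOYED), ("fixed", CHAIN_FIXED)):
        print(label, run_policy_tests(chain, POLICY_TESTS) or "all policy tests pass")
```

The policy tests are written from the intended outcome, not from the rules, which is what makes them catch the subtle error; run against the deployed chain they report the LAN host that can reach SNMP, and against the corrected chain they pass. Dropping the final DROP rule (a common omission when the chain policy is still ACCEPT) shows up the same way.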

Vendor risk

Time and time again, a key area of risk for an organization’s security is their vendors. Whether you are a healthcare organization, guided by HIPAA, and use the term Business Associate, or you are a financial services player and call it vendor management, or you call it anything else from outsourcing to a business partnership – these other organizations with which you do business create risk. That is not to say you should not work with other companies – it’s a requirement in business today. However, organizations do need to understand that these business relationships may create additional risk, and need to ensure that those organizations have effective security controls. That of course can be difficult. Most companies don’t have the resources to do their own audit of a vendor – though this is not uncommon. Another approach can be to review the company’s security assessment – that is, if they even allow you to review it – if they even have one. However, reviewing a security assessment can also be a problem. For example, as we noted above, it’s not the existence of a security control that matters, rather it’s the effectiveness that is at issue, and that is much harder to test. Many security assessments, whether completed in-house or by an objective third party, often just identify that a control exists: firewall – yep, IDS – check, website with SSL – OK. While your ability to evaluate your vendor might be limited, you can at least attempt to review their security assessment. If you are not satisfied with that and you don’t have the resources to send in a team like Redspin to evaluate their security, you might try to send them a security questionnaire. For example, here is a Business Associate Security Questionnaire we created for our healthcare clients.

So while Chase is one of the biggest banks in the US and likely has the resources to build out a robust information security program, here they are notifying customers of a data breach anyway, all because of Epsilon – who likely had existing-but-ineffective security controls in place.

The Top 10 Coast-to-Coast

Posted on by Dan Berger in Main | Leave a comment

On January 4th, Kroll, a worldwide risk consultancy firm headquartered in New York, released their “top 10 data security issues for 2011.”  Two days later, we published Redspin’s “top 10 security issues for 2011.” (I promise, we didn’t read their version first!) So aside from the coincidence, it’s the differences between the two lists that really caught my eye. Maybe it’s an East Coast-West Coast thing. Or maybe they wear their Bruno Maglis a little tight, while we’re sporting Vibram FiveFingers. Perhaps it’s just a difference in perspective. Kroll, being risk consultants, created a list of potential data security risks.  Redspin is in the business of providing security assessments which include findings and analysis. For us, a list of risk areas alone is incomplete without actionable recommendations.

In Kroll’s Top 10, they simply identify potential breach types. Number 2, for example, is theft, of laptops, cell phones and even “low-tech” items such as paper files. Kroll’s #3 is lost devices. Their other breach concerns include sending private data (such as EHR) over networks and unintentional social media exposure. Kroll also discusses the risk of the regulatory environment tightening, particularly HIPAA/HITECH, in response to publicized breaches. To me, this is a little like saying “fire” is dangerous but the new fire safety laws might also hurt your business. At Redspin, our version might be “don’t play with matches, at least not around any sensitive data.”

Thus our Top 10 list looks quite different. We start by assuming sensitive information will be accessed, wired and wirelessly from all possible devices – desktops, laptops, iPads, Droids. As penetration testers, we know that our “assumption” is basically just the cold hard truth. Almost any networked computing device can be hacked, given enough time and resources. If you accept this premise, does it make any sense to still try to exert control over the device itself? Further, an increasing number of companies are deploying applications and storing data in the cloud. Wireless is nearly ubiquitous. Secure the perimeter? What perimeter?

So we say focus on the data. Quoting from the #1 issue on our list: “Ensure only people who need access are granted access. Understand where the data must be stored to support business processes and update your information security policies to include mobile devices.” If you get stuck on that last part, we offer a free mobile device security policy template on our new website at www.redspin.com. Our full Top 10 List is there too.

As technology use becomes more mobile and social, the line between personal and business use will continue to blur. My hunch is that Pandora’s inbox is already wide open. Social media is already a fertile ground for farming private data (and I don’t mean “Farmville.” Oh wait, maybe I do!), so we strongly suggest that you “ensure that your policies clearly state what can and cannot be communicated through social media and train your employees appropriately.”

Which brings us to a 2011 New Year’s resolution that both Redspin and Kroll agree on. Train your people on privacy issues and information security awareness. In this regard, we offer social engineering testing. Our assessment determines how vulnerable you are to employee disclosure through insecure or shared password information, unapproved use of portable media, and even unauthorized physical access to premises (you should see us in our blue contractor uniforms and tool belts).

Lastly, it’s certainly wise to know where your potential breach areas are. It’s even better to have policies and controls in place that address them. But ultimately you need to test those policies and controls to see if they are working. That’s Redspin’s forte. In addition to social engineering, we offer a full suite of penetration testing services for your IT infrastructure (external and internal, including wireless) and web applications.

In conclusion, if politics makes strange bedfellows, I’d suggest network security guys and risk consultants just stop for an occasional drink at the bar. Most people think of penetration testers as “ethical” hackers. But you can also think of us as the policy-testing dudes.

FTC slams ControlScan

Posted on by Nathan Drier Leave a comment

I wrote about this a while back, but it seems like others are taking note:

“The U.S. Federal Trade Commission (FTC) on Thursday (Feb. 25) screamed “the Emperor has no clothes” by reporting to consumers that one of the largest firms issuing “Verified Secure Breach Protection” seals doesn’t really verify much at all. The practical impact of the ruling for E-Commerce sites is unclear, both because the FTC has little authority to enforce its rulings and because consumers have typically been impressively apathetic about security and privacy issues.”

http://www.storefrontbacktalk.com/securityfraud/ftc-to-controlscan-your-web-site-security-seals-are-lies/

and

http://www.databreaches.net/?p=10165

Web Application Trends and Predictions from Breach Security

Posted on by Nathan Drier Leave a comment

Here is an interesting recap of some of the top web incidents of 2009, along with some projections for 2010. It’s done by one of the guys at Breach Security. It includes a recap and some technical details on the TJX hack, Time’s ‘Most Influential Person’ poll abuse, fun with Twitter, and more. A good read and some good perspective. You need to disclose some info to download – but it’s worth it.

http://www.breach.com/resources/whitepapers/top-web-incidents-2009.html

Virtualization Sprawl: Don’t be Victimized!

Posted on by Nathan Drier Leave a comment

A few days ago, I was talking about spinning up a new VM to take on some random task, and a fellow Redspin geek jokingly asked if I had ever heard of virtualization sprawl.  I took a second to think about the population of Debian VM’s I had built in the past year;  I had more than doubled the headcount in our server block.  The geek in me says “Spin em up! Disk space is cheap! Cacti loves to make graphs!”, while the security engineer in me says “How the heck are you going to keep all these boxes secure?”

Virtualization is huge, and it’s here to stay. It just makes the trigger so easy to pull. It takes 20 minutes to build a new Debian VM from scratch, or only 3 minutes to copy an image and give it a new IP. No more hunting for hardware or trying to salvage some old server. You get an entire server, with an entire stack of services and a fresh operating system, at the click of a mouse. One of the last customer sites I visited had grown their VM farm as well, from 30ish virtual machines in 2008 to 200+ virtual machines in 2009. While virtualization is fantastic, it comes with a little baggage:

  • Machine Management. You’ve gone from 4 VM’s to 400, and you’re a little lost on how to manage them. Your old policies on managing hardware-based servers don’t apply, and you have everyone in your company begging you to let them spin up a new virtual server. How can you keep track of machines if you don’t even know they exist in the first place? How do you limit or control the creation of new virtual machines without squashing all the sweet benefits that virtualization offers?
  • Security. Just because they are virtual doesn’t make them unhackable. In fact, virtual machines have a larger attack surface than their hardware-based brethren, since attacks can be focused either at the hypervisor or at the VM itself. They require the same security TLC as a regular server (patching, hardening, GPO policies, auditing, etc.), but the speed at which these machines arrive makes it hard to manage. Are you sure all those Windows servers made it into your WSUS schedule? Mix that in with 12 different operating systems across 3 hypervisors, and you’ve got a playground for Conficker.
  • Support. Here comes the hard part. You’re not sure who built the VM, when it got spun up, or who takes care of it – but you know it’s down because your phone is ringing off the hook. You don’t know the operating system, let alone admin credentials, to even begin troubleshooting. The VM is a ghost, but obviously a critical ghost. How can you expect to fire up the engine again when you can’t even pop the hood?
  • Cost. One of the main goals of virtualization is to save money. Less hardware = more in the IT fund…right? Where hardware costs go down, the cost of licensing can skyrocket. Since VM’s are so easy to create, sometimes they get built out of ease and convenience instead of business need (or the VM’s built outrun your licensing pool). Why bog down a domain controller when you can build a new VM to serve up NTP?

So what’s an admin to do? You can’t fight the charm of virtualization, but you want to do it right. As the coming months and years roll by, virtualization is going to get bigger, more affordable, and more mainstream. If setting up some sort of virtual infrastructure is in your plan, now is the time to start some prep work. If you already have a ton of VM’s floating around, take a second look at your deployment and management policies and see if they could use a tune-up. If you consider the following, the benefits virtualization brings to your organization can drastically outweigh the cons:

  • Policies: Like we said before – your old hardware-based policies don’t apply.  Create a guideline to enforce deployment standards.  Specify who can build images, who is responsible for importing them into hypervisors, and who will manage them.  Create a detailed list of all current VM’s and their use (see below), and be sure to audit this list on a regular basis to find VM’s that are no longer used and can be decommissioned or consolidated.  If the rules are laid out beforehand, anyone who wants to play will have to abide by them.
  • Standard Images: Creating some standard images to build off of will help streamline the process.  This creates a baseline for all VM’s to be built from that can include basic hardening, auditing, installation of company-wide applications (antivirus, logging agents, etc).  This gives you tighter control over the deployment process by specifying the operating systems and configuration baselines that get pushed out.
  • VM Lifecycle Management: A very important issue with VM’s is lifecycle management. It basically boils down to keeping track of VM’s and their use. VM’s, unlike physical servers, easily travel from hypervisor to hypervisor, making them somewhat difficult to keep track of. VM’s also have lifespan issues – a forgotten VM that is no longer used, is no longer on a patching schedule, but still has a live IP address can cause lots of problems. Microsoft and Novell (along with others) have released software applications to help with VM lifecycle management. These work by tracking new virtual machines as they are spun up, moved into production, bounced around hypervisors, and then retired.

It’s up to you to decide how fancy you get. Your tools to combat VM sprawl can be as simple as Nmap and a spreadsheet, or as complex as enterprise management applications that can store entire network state. Whatever path you find yourself on, take an hour or two to go through your existing VM’s to document them, and get some sort of plan in place for adding more. You’ll thank me later.
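The “Nmap and a spreadsheet” approach can be automated in an afternoon, and doing so turns the audit in the Policies bullet into something you can re-run every month. What follows is an added example, not code from the Redspin post: it reconciles a CSV export of the VM spreadsheet against an nmap grepable-output (-oG) scan of the server block and reports ghost VMs (live on the network, absent from the inventory), inventory entries that no longer answer, VMs with no owner, and VMs whose last patch date is outside the patch window. The inventory rows, the scan lines and the AS_OF date are constructed samples; the column names in the CSV are an assumption about how you keep your spreadsheet.

```python
"""Added example (not from the Redspin post): reconcile a VM inventory
spreadsheet (CSV) against an nmap -oG scan to find ghost and stale VMs.

All inputs below are constructed samples; the CSV column names are an
assumption about the spreadsheet layout.
"""
import csv
import io
import re
from datetime import date, timedelta

INVENTORY_CSV = """\
name,ip,owner,os,last_patched
vm-web01,10.0.0.45,alice,Debian 5,2010-01-10
vm-ntp01,10.0.0.50,,Debian 5,2009-06-01
vm-db01,10.0.0.60,bob,Ubuntu 9.10,2010-01-12
vm-old-test,10.0.0.70,carol,Windows 2003,2009-03-15
"""

# Constructed nmap -oG style output; fields on a Host line are tab-separated.
NMAP_GREPABLE = "\n".join([
    "# Nmap scan of the server block (constructed sample)",
    "Host: 10.0.0.45 (vm-web01)\tStatus: Up",
    "Host: 10.0.0.45 (vm-web01)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///",
    "Host: 10.0.0.50 (vm-ntp01)\tStatus: Up",
    "Host: 10.0.0.50 (vm-ntp01)\tPorts: 22/open/tcp//ssh///, 123/open/udp//ntp///",
    "Host: 10.0.0.60 (vm-db01)\tStatus: Up",
    "Host: 10.0.0.60 (vm-db01)\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///",
    "Host: 10.0.0.88 ()\tStatus: Up",
    "Host: 10.0.0.88 ()\tPorts: 22/open/tcp//ssh///, 8080/open/tcp//http-proxy///",
    "# Nmap done (constructed sample)",
])

AS_OF = date(2010, 2, 1)  # "today" for the patch-age check (constructed)

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s*(.*)$")


def parse_inventory(text):
    """CSV text -> {ip: row dict}."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(text))}


def parse_nmap_grepable(text):
    """-oG text -> {ip: {"hostname": str, "open_ports": [(port, proto), ...]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything that is not a Host record
        ip, hostname, rest = m.groups()
        rec = hosts.setdefault(ip, {"hostname": hostname, "open_ports": []})
        for field in rest.split("\t"):
            if field.startswith("Ports:"):
                for spec in field[len("Ports:"):].split(","):
                    parts = spec.strip().split("/")  # port/state/proto/owner/service/...
                    if len(parts) >= 3 and parts[1] == "open":
                        rec["open_ports"].append((int(parts[0]), parts[2]))
    return hosts


def reconcile(inventory, scan, as_of=AS_OF, max_patch_age_days=90):
    """Compare inventory with what is actually answering on the network."""
    cutoff = as_of - timedelta(days=max_patch_age_days)
    return {
        # live on the network but documented nowhere: the "ghost" VMs
        "ghosts": sorted(ip for ip in scan if ip not in inventory),
        # documented but not answering: decommission candidates, or a scan gap
        "not_seen": sorted(r["name"] for ip, r in inventory.items() if ip not in scan),
        # nobody to call when it breaks or needs patching
        "no_owner": sorted(r["name"] for r in inventory.values() if not r["owner"].strip()),
        # outside the patch window, whether or not anyone still uses it
        "stale_patch": sorted(r["name"] for r in inventory.values()
                              if date.fromisoformat(r["last_patched"]) < cutoff),
    }


if __name__ == "__main__":
    report = reconcile(parse_inventory(INVENTORY_CSV), parse_nmap_grepable(NMAP_GREPABLE))
    for key, names in report.items():
        print(f"{key:12s} {', '.join(names) or '-'}")
```

Feed it the output of an nmap run with -oG over your server ranges (include UDP ports you care about, such as 161 and 123, since an NTP-only VM shows up otherwise as “just SSH”), and treat each of the four lists as a to-do: assign an owner, patch, decommission, or add the ghost to the inventory and find out who built it.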

Automated Scanning Vendors – Are they enough?

Posted on by Nathan Drier 3 Comments

There are many choices out there when it comes down to validating the security of your external network. The range of services and skill levels available is almost overwhelming when you first set out on your search. You’ll find high school students who charge you for Nmap output, veterans of the security industry who write shellcode in assembly as a hobby, and everything in between. You want to make sure your website and mail server aren’t easy pickings for hackers… but where do you start?

Somewhere along the line, you read about a vendor that offers daily, automated scanning. You browse around the website and are impressed: glossy web 2.0 transitions, pretty graphs, and mesmerizing verbiage. Then you find the price tag; it’s less than a third of what you’ve been quoted by other companies. You glance at your dwindling security budget, and then back to the other benefits they offer: PCI certification, website security verification seals, and daily scanning. At this point you are more than interested, and I don’t blame you.

Seduced

The way it works is simple. You sign up for a scan, feed in your domain names and IP addresses, and hit the giant GO button. Twenty minutes later, you have the scan results in your web portal. If the scan comes back clean, or with no high-risk issues, they give you access to a “Site Seal”. This seal goes on your website and shows customers that you passed a scan from a certain vendor, which implies a certain level of security. From here on out, the availability of the seal on your website is contingent upon ‘passing’ these scans. If a nasty IIS vulnerability comes out and you don’t patch – you fail the scan and your seal gets taken away.

There are many of these vendors to choose from: Hackersafe, ScanAlert, ControlScan, Shoppersafe, HackResistant, TrustKeeper, Trust-Guard, eSecurity and Comodo, just to name a few. Each of them offers the general vulnerability scanning service, with numerous add-ons. These additions can range from website badges saying you are using a particular vendor, to detailed customer service, help with issue remediation, and some even offer insurance if your site ever gets hacked. What’s that old adage about boasting that your site is hack-proof?

Behind the Scenes

This is all great news, but what’s really going on behind the scenes of a scan? What do they really look for? More importantly, what issues and vulnerabilities would they miss? To answer some of my own questions, I created a fake website and signed it up for a number of these scanning vendors. I built an Ubuntu Linux system and installed some common services such as Apache and SSH. I then configured Apache and iptables for debug logging, and used tcpdump to capture all the traffic coming to the web site. During the testing, I allowed connections to my website only from the scanning vendor to eliminate Internet noise. This setup allowed me to get a copy of ALL the data that the scanning vendor sent to the web server. Basically, I had the data to reverse engineer their scan.

Just Give it Some Paint

Going through the raw data, I noticed one thing quickly: I saw a whole lot of Nessus traffic. It’s almost identical to a Nessus scan, right down to the plugin output. Some vendors allow you to enable extra functionality such as Nikto (a default add-in in Nessus), some custom plugins, and full port scans. The following shows a quick search of the packet capture file:

$ strings vendor1_scan1.pcap | grep Nessus | sort -u
From: Nessus <sip:xxx.xxx.xxx.xxx:5060>
GET /NessusTest455840692.html HTTP/1.1
print("Content-Type: text/plain\r\n\r\n", "Nessus=", 42+42);r
<p>The requested URL /NessusTest455840692.html was not found on this server.</p>
sHarmless Nessus echo test
SSH-1.33-NessusSSH_1.0
SSH-1.5-NessusSSH_1.0
TRACE /Nessus1233760340.html HTTP/1.1
User-Agent: Mozilla/4.75 [en] (X11; U; Nessus)

Using Nessus isn’t bad at all – we use it internally here at Redspin and love it. It’s a great way to double-check work, or add another layer of testing in a very automated way. The idea is that relying on Nessus alone with no human interaction, no manual poking and prodding, and no validation will likely leave you with a false sense of security. Vulnerability scanning should aid you in your work, not do the bulk of it. What you get is raw scanner output – nobody to go through and validate the issues, check the services it couldn’t enumerate, or worse: go behind it and see what it missed.
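The strings above are the same tell-tales that land in an Apache access log, which makes them useful on the defending side: you can tell whether the activity hitting your web server is your own scanning vendor on its schedule or something unexpected, without a packet capture. The following is an added example, not code from the Redspin post. It parses Apache combined-format log lines, tags the ones that carry scanner signatures (a Nessus or Nikto user-agent, a /Nessus…html probe path, a TRACE request), and summarizes per source address, marking whether the address falls in the ranges you have authorized to scan you. The log lines, the user-agent strings and the authorized ranges are constructed samples modelled on the capture shown above.

```python
"""Added example (not from the Redspin post): flag scanner-identifying
requests in Apache combined-format access logs and summarize by source.

Log lines, user-agent strings and authorized ranges are constructed
samples modelled on the strings the post pulled from its packet capture.
"""
import ipaddress
import re
from collections import defaultdict

# Apache "combined" LogFormat: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Signature name -> predicate over a parsed entry. Extend as you learn your vendor's habits.
SIGNATURES = {
    "nessus-user-agent": lambda e: "Nessus" in e["ua"],
    "nessus-probe-path": lambda e: re.search(r"/Nessus\w*\.html$", e["path"]) is not None,
    "nikto-user-agent": lambda e: "Nikto" in e["ua"],
    "trace-method": lambda e: e["method"] == "TRACE",
}

# Constructed sample log; 10.10.10.0/24 plays the role of the contracted scanning vendor.
SAMPLE_LOG = [
    '10.10.10.5 - - [12/Jan/2010:10:15:02 -0800] "GET /NessusTest455840692.html HTTP/1.1" 404 312 "-" "Mozilla/4.75 [en] (X11; U; Nessus)"',
    '10.10.10.5 - - [12/Jan/2010:10:15:03 -0800] "TRACE /Nessus1233760340.html HTTP/1.1" 405 299 "-" "Mozilla/4.75 [en] (X11; U; Nessus)"',
    '10.10.10.5 - - [12/Jan/2010:10:16:40 -0800] "GET /cgi-bin/test.cgi HTTP/1.1" 404 288 "-" "Mozilla/5.00 (Nikto/2.1.1) (Evasions:None) (Test:000001)"',
    '198.51.100.20 - - [12/Jan/2010:10:20:11 -0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"',
    '203.0.113.9 - - [13/Jan/2010:02:03:44 -0800] "GET /NessusTest99.html HTTP/1.1" 404 312 "-" "Mozilla/4.75 [en] (X11; U; Nessus)"',
    'this line is not in combined format and is skipped',
]
AUTHORIZED_SCANNERS = ["10.10.10.0/24"]  # constructed: ranges your vendor scans from


def parse_line(line):
    """One combined-format line -> dict of fields, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def classify(entry):
    """Sorted list of signature names that match this entry."""
    return sorted(name for name, test in SIGNATURES.items() if test(entry))


def summarize(lines, authorized_ranges):
    """Per source IP: hit count, signatures seen, first timestamp, authorized flag."""
    nets = [ipaddress.ip_network(r) for r in authorized_ranges]
    report = defaultdict(lambda: {"hits": 0, "signatures": set(),
                                  "first_seen": None, "authorized": False})
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if not tags:
            continue  # ordinary traffic, not part of the report
        rec = report[entry["ip"]]
        rec["hits"] += 1
        rec["signatures"].update(tags)
        rec["first_seen"] = rec["first_seen"] or entry["ts"]
        rec["authorized"] = any(ipaddress.ip_address(entry["ip"]) in n for n in nets)
    return dict(report)


if __name__ == "__main__":
    for ip, rec in summarize(SAMPLE_LOG, AUTHORIZED_SCANNERS).items():
        flag = "expected" if rec["authorized"] else "UNEXPECTED"
        print(f"{ip:15s} {flag:10s} hits={rec['hits']} first={rec['first_seen']} "
              f"{', '.join(sorted(rec['signatures']))}")
```

Pipe a real access log through summarize and the two questions worth asking are whether every entry marked expected arrived during the vendor’s scan window, and whether anything marked UNEXPECTED exists at all; the second list is the one your firewall ACL (the post notes the author allowed only the vendor through during testing) should have kept empty.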

Some vendors did full port scans of the target machine. With most of the vendors, you had to specifically enable this option – although it had no bearing on the site seals or PCI compliance. When I enabled full port scans, and then hid some services on random, high ports – they were caught by the scanner. If you pay for any kind of vulnerability assessment that does not offer full port scanning (barring web application assessments), you are wasting your money.

The reporting was decent. The issues and findings that the vulnerability scanner found were formatted and presented nicely in the portal. They provide all the information you need to configure your scans properly, and provide enough resources for the customer to understand how to fix the issues. I’m sure if you contacted customer support with the majority of these vendors, they would be more than happy to help. In fact, during my use of one of the scanners, I contacted customer support for help. I kept seeing an issue raised about TCP Sequence Prediction on my IIS server, which is impossible since I was using Apache. I sent support an email, and they replied:

“That threat would be tagged as a False Positive, but since it is purely informational it is not necessary. Only urgent, critical, or high threats need to be remediated for PCI Compliance and seal access.”

Seems like they might be more focused on keeping your site “Seal Approved” than actually solving issues. Seals are good for ROI and increasing customer confidence – but when it comes down to it, I’d be more concerned if someone could make off with customer data.

The price spread on these services is huge. One company offers the scanning for 15 dollars a month, while the next offers it for 1,400 dollars a year. Is it worth it? That depends on your company and your network. I doubt your Myspace page needs an audit. If you sell Beanie Babies in a Yahoo store, or if you are the webmaster of The Furby Fan Club, you might be a prime candidate for one of these vendors. Even if you own a high-volume e-commerce site, studies show that a site seal can increase ROI and sales by up to 10% because the seal instills so much confidence in the customer. If you get 10% more sales just by having this seal on your site – I’d say it’s well worth it. Just keep in mind: you paid for the seal on your website, not the peace of mind of a hack-proof network.

The Old Rabbit-in-the-Hat Trick

The truth is, scanning vendors do offer a valuable service. They will indeed identify some of the critical, low-hanging fruit on your network. They may find the very outdated Apache install, the default credentials on that router, and might even find a SQL injection flaw in your web application. What they won’t find is everything else – things that they don’t have an exact scan fingerprint for. It’s like putting all your eggs in one basket, except the eggs are remote-root exploits and the basket has a few holes in it.

I’ve done External Assessments for websites that were certified by one of these vendors, and it was a mess. They were getting a clean bill of health from their scanning vendor, but in reality they were a nightmare. They had a PHPMyAdmin install that was very outdated and contained numerous high-impact vulnerabilities (like the ‘I own your database’ kind), but the directory was renamed (to something obvious) – so the scanner didn’t find it. They also had a version of SMTP that was vulnerable to a buffer overflow with proof of concept code available, but it wasn’t in the scan results because it was a very recent exploit. These are two critical, high-impact vulnerabilities that the largest automated scanning vendor missed.

What’s the moral of the story? The basic vulnerability scanning and ROI these services provide can be useful. It comes down to you, the customer, being able to decide what’s best for your business. If your site is a low-traffic, brochure-ware setup, or a low-risk e-commerce setup, then maybe a scanning vendor can help you with basic security problems, as well as provide a little boost in ROI / sales. On the other hand, if a website or server is your company’s lifeline, or it’s critical to your reputation or compliance – you should consider a little more in-depth security assessment.

Simple Network Management Protocol – SNMPv3

Posted on by Nathan Drier 1 Comment

SNMP, or Simple Network Management Protocol, has been the go-to management protocol of choice for years. As its name declares, it is a simple and efficient way to monitor hosts. Most everything is SNMP capable these days, from servers to switches, and from firewalls to routers. Even most UPS’s and A/C units have it built in. Most installs of SNMP default to SNMPv2, which is dated technology. In 2004, SNMPv3 was introduced as a replacement for v2, touting increased security and better remote configuration. In an SNMPv2 setup, community strings (passwords) and data float by in plain text, allowing anyone in the right spot on the network to capture them. Once you have the community strings, you can query devices for information (and possibly make configuration changes!). SNMPv3 solves this problem by protecting the authentication handshake, and then encrypting all the SNMP data as it crosses the network.

In this quick how-to, I’ll show you how to set up SNMPv3 on a generic Debian Linux machine.

First, grab the snmpd package from apt:

 aptitude install snmpd

Right after SNMPD pulls down its dependencies and installs, stop the daemon:

 /etc/init.d/snmpd stop

Then we need to make a few configuration changes. For security reasons, snmpd only listens on the localhost interface by default. In order to monitor this Linux box remotely, we need to open that up. Crack open /etc/default/snmpd and edit the following line:

SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1'

to read

SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid'

Now we need to disable the default SNMPv2 and create an SNMPv3 user. Open up /etc/snmp/snmpd.conf, scroll down and comment out all the lines starting with com2sec in this section:

#       sec.name  source          community
#com2sec paranoid  default         public
#com2sec readonly  default         public
#com2sec readwrite default         private

Since we just ‘disabled’ SNMPv2, we need to enable v3 and create a user. Use the command line utility net-snmp-config to create an SNMPv3 user:

net-snmp-config --create-snmpv3-user -ro -A sadWFqeq3421 -X fferlGq5247 -a SHA -x AES snmpv3user

-ro creates a read-only user
-A sadWFqeq3421 is the authentication passphrase
-X fferlGq5247 is the privacy (encryption) passphrase
-a SHA is the hash used for authentication (MD5 or SHA)
-x AES is how the SNMP data will be encrypted during transit (DES or AES)
snmpv3user is the name of our new user

And if the command went ok, the output should look like this:

adding the following line to /var/lib/snmp/snmpd.conf:
createUser snmpv3user SHA "sadWFqeq3421" AES fferlGq5247
adding the following line to /usr/share/snmp/snmpd.conf:
rouser snmpv3user

Let’s start up the SNMPD service again:

/etc/init.d/snmpd start

Let’s do a quick test to make sure it all worked ok. From another machine with SNMP installed, we can issue a command like the following to query the remote Debian machine, with our new SNMPv3 user, to check the amount of RAM installed:

snmpget -v 3 -u snmpv3user -l AuthPriv -x AES -a SHA -X fferlGq5247 -A sadWFqeq3421 10.0.0.45 1.3.6.1.4.1.2021.4.5.0

UCD-SNMP-MIB::memTotalReal.0 = INTEGER: 516528 kB

Looks like it all went well! The output of the last command shows that the machine has 516,528 kB of RAM. For some added security, you can ACL the SNMP service to your query server with some quick iptables rules. These allow ssh from anywhere, SNMP from 10.0.0.42 (your query server) and established connections. Everything else gets dropped:

iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 10.0.0.42/32 -p udp -m udp --dport 161 -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -j DROP

With an SNMPv3 setup, the authentication process and PDU’s (SNMP data) should be encrypted. No more ‘public’ community strings floating by in plain text. The best way to query those SNMP clients is to use a network management application (Cacti is free and a Redspin favorite).
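One check worth running after the steps above, because “should be encrypted” depends on two details that are easy to miss: the createUser line has to carry a privacy protocol (otherwise the user is authNoPriv and data still crosses the wire in the clear), and a rouser line with no security level defaults to auth in net-snmp, which lets a client that asks for authNoPriv be served unencrypted; rouser snmpv3user priv is what forces AuthPriv. The following is an added example, not part of the Redspin how-to: it audits the text of snmpd.conf (the /etc/snmp and /usr/share/snmp copies concatenated) and the persistent /var/lib/snmp/snmpd.conf for leftover community strings, users without a privacy protocol or with the weaker MD5/DES choices, and access lines that do not require priv. The sample configurations mirror the how-to’s own lines; the hardened and leftover variants are constructed.

```python
"""Added example (not from the Redspin how-to): audit net-snmp config text
for anything that still lets SNMP cross the network in the clear.

Samples mirror the how-to's own lines; the variants are constructed.
"""
import shlex

COMMUNITY_DIRECTIVES = {"com2sec", "rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
WEAK_AUTH = {"MD5"}
WEAK_PRIV = {"DES"}

# /etc/snmp/snmpd.conf (com2sec commented out) + the rouser line net-snmp-config appended
SNMPD_CONF_AS_CONFIGURED = """\
#       sec.name  source          community
#com2sec paranoid  default         public
#com2sec readonly  default         public
#com2sec readwrite default         private
rouser snmpv3user
"""
# /var/lib/snmp/snmpd.conf line written by net-snmp-config in the how-to
PERSISTENT_CONF = 'createUser snmpv3user SHA "sadWFqeq3421" AES fferlGq5247\n'

# Constructed variants: one with a forgotten v2c community, one with priv required
SNMPD_CONF_WITH_LEFTOVER = SNMPD_CONF_AS_CONFIGURED + "rocommunity public 10.0.0.0/24\n"
SNMPD_CONF_HARDENED = SNMPD_CONF_AS_CONFIGURED.replace("rouser snmpv3user", "rouser snmpv3user priv")


def _directives(text):
    """Yield (directive, args) for each non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)   # honours the quotes around passphrases
        except ValueError:
            parts = line.split()
        if parts:
            yield parts[0], parts[1:]


def _parse_createuser(args):
    """createUser [-e ENGINEID] NAME [MD5|SHA] "authpass" [DES|AES] "privpass" -> (name, auth, priv)."""
    if len(args) >= 2 and args[0] == "-e":
        args = args[2:]
    if not args:
        return None
    name = args[0]
    auth = args[1].upper() if len(args) >= 3 else None
    priv = args[3].upper() if len(args) >= 5 else None
    return name, auth, priv


def audit_snmpd(access_conf, user_conf):
    """Return a list of (code, detail) findings; an empty list means nothing to fix."""
    findings = []
    users = {}
    for directive, args in _directives(user_conf):
        if directive != "createUser":
            continue
        parsed = _parse_createuser(args)
        if parsed is None:
            continue
        name, auth, priv = parsed
        users[name] = (auth, priv)
        if auth is None:
            findings.append(("USER_NO_AUTH", name))
        elif auth in WEAK_AUTH:
            findings.append(("USER_WEAK_AUTH", f"{name} uses {auth}"))
        if priv is None:
            findings.append(("USER_NO_PRIV", name))          # authNoPriv: data in the clear
        elif priv in WEAK_PRIV:
            findings.append(("USER_WEAK_PRIV", f"{name} uses {priv}"))
    for directive, args in _directives(access_conf):
        if directive in COMMUNITY_DIRECTIVES:
            findings.append(("COMMUNITY_ENABLED", " ".join([directive] + args)))
        elif directive in ("rouser", "rwuser") and args:
            name = args[0]
            level = args[1].lower() if len(args) > 1 and args[1].lower() in ("noauth", "auth", "priv") else "auth"
            if level != "priv":
                findings.append(("ACCESS_LEVEL_NOT_PRIV", f"{directive} {name} {level}"))
            if directive == "rwuser":
                findings.append(("RW_ACCESS", name))
            if name not in users:
                findings.append(("ACCESS_UNKNOWN_USER", name))
    return findings


if __name__ == "__main__":
    for label, conf in (("as configured", SNMPD_CONF_AS_CONFIGURED),
                        ("with leftover", SNMPD_CONF_WITH_LEFTOVER),
                        ("hardened", SNMPD_CONF_HARDENED)):
        print(label, audit_snmpd(conf, PERSISTENT_CONF) or "clean")
```

Run against the files the how-to produces, the only finding is the rouser level; change that line to rouser snmpv3user priv and the audit comes back clean, and the snmpget test above still works because it already asks for AuthPriv. The iptables ACL in the how-to is still worth keeping: the audit covers what snmpd will accept, not who can reach it.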

Happy Graphing!