• United States



Here are the options with Heartbleed-flawed networking gear (Hint: there aren’t many)

Apr 11, 20144 mins
Cisco SystemsComputers and PeripheralsData and Information Security

Companies faced with the threat posed by networking equipment that contains the notorious Heartbleed bug have few security options beyond working closely with affected vendors.

Companies faced with the threat posed by networking equipment that contains the notorious Heartbleed bug have few security options beyond working closely with affected vendors, most notably Cisco Systems and Juniper Networks.

Both vendors were working with customers Friday to help them patch products that contain the vulnerability found in OpenSSL, the open-source implementation of the widely used Secure Sockets Layer protocol for encrypting data traveling through corporate networks.

The U.S. government has warned that hackers are trying to exploit the bug to steal usernames, passwords and other sensitive information.

Many companies use Cisco or Juniper routers, switches, firewalls or virtual private networks (VPNs), all of which could contain the bug.

Cisco has identified at least 16 products that were vulnerable and was investigating 65 others. Juniper has found eight products containing the flaw and was investigating one more.

The vendors had posted advisories on the affected products and were updating the notifications as new information became available. (Juniper and Cisco)

On Friday, a Cisco spokesman said the company “was definitely making progress, remediating some products, working through the products that haven’t been classified, and adding product-specific information for our customers.”

“Our advice to them is to stay connected to this information and consider any implications for their network,” he said.

Juniper said in a statement that the flaw affected a “subset” of its products, including versions of the company’s SSL VPN software, “which presents the most critical concern for customers.”

“The company issued a patch for its SSL VPN product on Tuesday and is working around the clock to provide patched versions of code for our other affected products,” Juniper said.

“We encourage our customers to contact Juniper’s Customer Support Center for detailed advisories and product updates.”

Working closely with the vendors is the best option for companies with vulnerable networks, said Gary McGraw, chief technology officer for consulting firm Cigital, which specializes in software security.

Networking gear cannot be easily replaced or taken offline without causing major disruptions to business operations.

Until patches are released, CSOs and security pros should zero in on identifying where the most sensitive information is traveling on the network and the equipment that touches that data.

“May be you can change what you’re sending, may be you can take your highest risk traffic and reroute it,” McGraw said. “It’s going to be on a case-by-case basis.”

Companies also have the option of using the administration tools used to manage routers and firewalls and restrict access to the IP addresses of computers known to be safe, Jake Williams a certified instructor and computer vulnerability analyst with the SANS Institute, said. That way, a hacker coming in from a rogue device would be blocked.

However, the same solution cannot be easily applied to employees using a vulnerable SSL VPN connection between their smartphones and tablets and the corporate network, Williams said. Companies could switch all traffic to a non-standard port, but that would entail changes to the end-user device, as well as the networking gear, which might not be practical.

In those cases, CSOs will likely have to weigh the risk of continuing to allow employees to use the VPNs versus taking them down until a patch can be applied.

“This is going to come down to risk tolerance for each individual company,” Williams said.

“Basically, they’re going to have to take a look and say, ‘We assess the risk to be so low, or the cost to be so high, that we’ll accept the risk based on the lost revenue if we didn’t allow them (employees) to connect.'”

Cybersecurity firm Codenomicon discovered and published information about the Heartbleed bug Monday night. On Thursday, U.S. Department of Homeland Security warned companies that cybercriminals could exploit the vulnerability.

“At this time there have not been any reported attacks or malicious incidents involving this particular vulnerability, but because it is a highly visible media topic, it is possible that cybercriminals could exploit it in the future,” the advisory said.