If your networking gear contains the Heartbleed bug your best option is to work closely with the equipment vendor to address any vulnerabilities, especially if that vendor happens to be Cisco Systems or Juniper Networks.
A story on NetworkWorld.com notes that both vendors are being proactive in working with customers to close down vulnerabilities opened up by the bug, which is found in OpenSSL, the widely used open-source implementation of the Secure Sockets Layer (SSL) protocol that encrypts data on corporate networks.
“Many companies use Cisco or Juniper routers, switches, firewalls or virtual private networks (VPNs), all of which could contain the bug,” the article by Antone Gonsalves noted. At the time of the article Cisco had identified at least 16 products that were vulnerable and was investigating 65 others, while Juniper had found eight products with the flaw and was investigating one more, Gonsalves said.
The article quoted security expert Gary McGraw, CTO of software security consultant Cigital, as saying that co-operation with vendors is the best option for companies that may be vulnerable. Until patches are released, IT security specialists should identify the most sensitive information on the network and determine which equipment touches it.
“Maybe you can change what you’re sending, maybe you can take your highest risk traffic and reroute it,” McGraw said. “It’s going to be on a case-by-case basis.”
Jake Williams, a computer vulnerability analyst with the SANS Institute, added that companies can use the administration tools for managing routers and firewalls to restrict access to the IP addresses of computers known to be safe. This would block hackers from gaining access via a rogue device.
But that solution may not work for employees using a vulnerable SSL VPN connection between their smartphones and tablets and the corporate network. Williams said that in some cases some risk will likely have to be accepted. Companies can switch all traffic to a non-standard port, but that would require changes to the end-user device and the networking equipment, which might not be a practical step. That’s when security decision makers may be forced to balance the risk of allowing users to keep using the VPNs as opposed to taking them down so a patch can be applied.
“This is going to come down to risk tolerance for each individual company,” Williams said. “Basically, they’re going to have to take a look and say, ‘We assess the risk to be so low, or the cost to be so high, that we’ll accept the risk based on the lost revenue if we didn’t allow them [employees] to connect.’”