Work with network vendors for Heartbleed solutions, say experts

If your networking gear contains the Heartbleed bug, your best option is to work closely with the equipment vendor to address any vulnerabilities, especially if that vendor happens to be Cisco Systems or Juniper Networks.

A story on notes that both vendors are being proactive in working with customers to close down vulnerabilities opened up by the bug, which is found in OpenSSL, the widely used open-source implementation of the Secure Sockets Layer (SSL) protocol that encrypts data on corporate networks.

“Many companies use Cisco or Juniper routers, switches, firewalls or virtual private networks (VPNs), all of which could contain the bug,” the article by Antone Gonsalves noted. At the time of the article, Cisco had identified at least 16 products that were vulnerable and was investigating 65 others, while Juniper had found eight products with the flaw and was investigating one more, Gonsalves said.

The article quoted security expert Gary McGraw, CTO of software security consultant Cigital, as saying that co-operation with vendors is the best option for companies that may be vulnerable. Until patches are released, IT security specialists should identify the most sensitive information on the network and determine which equipment touches it.

“Maybe you can change what you’re sending, maybe you can take your highest risk traffic and reroute it,” McGraw said. “It’s going to be on a case-by-case basis.”

Jake Williams, a computer vulnerability analyst with the SANS Institute, added that companies can use the administration tools for managing routers and firewalls to restrict access to the IP addresses of computers known to be safe. This would block hackers from gaining access via a rogue device.
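As an added illustration, not taken from the article or from either vendor, here is one way to turn the allowlist Williams describes into a Cisco IOS-style extended access list for an SSL VPN listener: the ACL name, the sample addresses and the port are constructed, the IOS syntax is assumed from the usual extended-ACL conventions, and entries with host bits set are rejected so a sloppy allowlist does not silently widen the permitted range.

```python
import ipaddress
from typing import Iterable, List


def wildcard_mask(cidr: str) -> str:
    """Cisco IOS ACLs take a wildcard mask, the bitwise inverse of the netmask."""
    return str(ipaddress.IPv4Network(cidr, strict=True).hostmask)


def build_acl(name: str, allowed: Iterable[str], port: int = 443) -> List[str]:
    """Build an extended ACL permitting TCP/port only from the allowlisted
    networks and logging every other attempt to reach that port.

    `allowed` holds IPv4 addresses or CIDR blocks. strict=True makes
    ipaddress raise on entries such as 203.0.113.5/24, which would otherwise
    be widened to the whole /24 without anyone noticing.
    """
    nets = []
    for entry in allowed:
        try:
            nets.append(ipaddress.IPv4Network(entry, strict=True))
        except ValueError as exc:
            raise ValueError(f"rejecting allowlist entry {entry!r}: {exc}") from None

    lines = [f"ip access-list extended {name}"]
    # collapse_addresses merges duplicates and hosts already covered by a block,
    # so the ACL stays short and reviewable; output is sorted by address.
    for net in ipaddress.collapse_addresses(nets):
        if net.prefixlen == 32:
            src = f"host {net.network_address}"
        else:
            src = f"{net.network_address} {net.hostmask}"
        lines.append(f" permit tcp {src} any eq {port}")
    # Explicit deny with logging: blocked attempts show up in the device log,
    # which is what you want to watch while a patch is still pending.
    lines.append(f" deny tcp any any eq {port} log")
    lines.append(" permit ip any any")
    return lines


if __name__ == "__main__":
    # Constructed sample allowlist: one management host, one office block,
    # and a host that is already inside that block.
    sample = ["198.51.100.7", "203.0.113.0/24", "203.0.113.10"]
    print("\n".join(build_acl("HB-VPN-ALLOW", sample)))
```

The generated list still has to be bound to the right interface (on IOS, `ip access-group HB-VPN-ALLOW in`), and it only helps where the set of safe client addresses is actually known, which is exactly the case the mobile SSL VPN users below do not fit.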

But that solution may not work for employees using a vulnerable SSL VPN connection between their smartphones and tablets and the corporate network. Williams said that in some cases some risk will likely have to be accepted. Companies can switch all traffic to a non-standard port, but that would require changes to the end-user device and the networking equipment, which might not be a practical step. That’s when security decision makers may be forced to balance the risk of allowing users to keep using the VPNs as opposed to taking them down so a patch can be applied.

“This is going to come down to risk tolerance for each individual company,” Williams said. “Basically, they’re going to have to take a look and say, ‘We assess the risk to be so low, or the cost to be so high, that we’ll accept the risk based on the lost revenue if we didn’t allow them [employees] to connect.'”

Andrew Brooks
Andrew Brooks is managing editor of IT World Canada. He has been a technology journalist and editor for 20 years, including stints at Technology in Government, Computing Canada and other publications.
