Here are the options with Heartbleed-flawed networking gear (Hint: there aren't many)

Companies faced with the threat posed by networking equipment that contains the notorious Heartbleed bug have few security options beyond working closely with affected vendors, most notably Cisco Systems and Juniper Networks.

Both vendors were working with customers Friday to help them patch products that contain the vulnerability found in OpenSSL, the open-source implementation of the widely used Secure Sockets Layer protocol for encrypting data traveling through corporate networks.

The U.S. government has warned that hackers are trying to exploit the bug to steal usernames, passwords and other sensitive information.

Many companies use Cisco or Juniper routers, switches, firewalls or virtual private networks (VPNs), all of which could contain the bug.

Cisco has identified at least 16 products that were vulnerable and was investigating 65 others. Juniper has found eight products containing the flaw and was investigating one more.

The vendors had posted advisories on the affected products and were updating the notifications as new information became available. (Juniper and Cisco)

On Friday, a Cisco spokesman said the company "was definitely making progress, remediating some products, working through the products that haven't been classified, and adding product-specific information for our customers."

"Our advice to them is to stay connected to this information and consider any implications for their network," he said.

Juniper said in a statement that the flaw affected a "subset" of its products, including versions of the company's SSL VPN software, "which presents the most critical concern for customers."

"The company issued a patch for its SSL VPN product on Tuesday and is working around the clock to provide patched versions of code for our other affected products," Juniper said.

"We encourage our customers to contact Juniper's Customer Support Center for detailed advisories and product updates."

Working closely with the vendors is the best option for companies with vulnerable networks, said Gary McGraw, chief technology officer for consulting firm Cigital, which specializes in software security.

Networking gear cannot be easily replaced or taken offline without causing major disruptions to business operations.

Until patches are released, CSOs and security pros should zero in on identifying where the most sensitive information is traveling on the network and the equipment that touches that data.

"Maybe you can change what you're sending, maybe you can take your highest-risk traffic and reroute it," McGraw said. "It's going to be on a case-by-case basis."

Companies can also use the administration tools that manage routers and firewalls to restrict access to the IP addresses of computers known to be safe, said Jake Williams, a certified instructor and computer vulnerability analyst with the SANS Institute. That way, a hacker coming in from a rogue device would be blocked.

However, the same solution cannot be easily applied to employees using a vulnerable SSL VPN connection between their smartphones and tablets and the corporate network, Williams said. Companies could switch all traffic to a non-standard port, but that would entail changes to the end-user device, as well as the networking gear, which might not be practical.

In those cases, CSOs will likely have to weigh the risk of continuing to allow employees to use the VPNs versus taking them down until a patch can be applied.

"This is going to come down to risk tolerance for each individual company," Williams said.

"Basically, they're going to have to take a look and say, 'We assess the risk to be so low, or the cost to be so high, that we'll accept the risk based on the lost revenue if we didn't allow them (employees) to connect.'"

Cybersecurity firm Codenomicon discovered and published information about the Heartbleed bug Monday night. On Thursday, the U.S. Department of Homeland Security warned companies that cybercriminals could exploit the vulnerability.

"At this time there have not been any reported attacks or malicious incidents involving this particular vulnerability, but because it is a highly visible media topic, it is possible that cybercriminals could exploit it in the future," the advisory said.


Stories by Antone Gonsalves
