How to avoid the next SSL vulnerability outbreak

Hayato Koeda, Asia Pacific Japan Vice President, A10 Networks, Inc.

Since the Heartbleed vulnerability was publicly disclosed at the beginning of April 2014, IT administrators around the world have scrambled to patch web servers and to inspect and update their firewalls, mail servers, SSL VPN equipment, and just about every other device on the network that uses SSL.

There are two reasons for the rush. First, the Heartbleed bug has affected many popular websites: about 17% of all SSL-enabled web servers worldwide, according to a survey from Netcraft, a UK-based internet services company[1]. Second, the vulnerability is very dangerous. Today, about two-thirds of the world's websites rely on OpenSSL[2], and the 1.0.1 series of that library (1.0.1 through 1.0.1f) contains the Heartbleed bug, putting at risk more than half a million trusted websites[3]. The flaw allows a remote, unauthenticated attacker to read up to 64 kilobytes of the server's memory with each malformed heartbeat request; the request can be repeated as often as the attacker likes and leaves nothing in the server's logs.

As a result, the vulnerability undermines the confidentiality that SSL is supposed to guarantee: the leaked memory can contain private keys, session cookies, passwords and other plaintext. According to Heartbleed.com, the Heartbleed bug "allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software... This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."
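
To make concrete what "up to 64 kilobytes of memory" means, the following is an added illustration, not OpenSSL's source and not code from the article: a simplified C model of the TLS heartbeat responder with the missing bounds check beside the two checks that the fix introduced. The read buffer, the planted "secret" string, the 200-byte offset and the request lengths are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not OpenSSL's code. A TLS heartbeat message (RFC 6520) is
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * and the peer answers a request by echoing payload_length bytes of payload.
 * Heartbleed: the responder trusted the attacker-supplied payload_length and
 * never compared it with the number of bytes that actually arrived. */

#define HB_REQUEST    1
#define HB_RESPONSE   2
#define PADDING_MIN   16
#define READ_BUF_SIZE (3 + 65535 + 64)   /* enough for any 16-bit claim */

/* Model of the process's record read buffer: the received heartbeat sits at
 * offset 0 and whatever else the process holds in memory follows it. */
static uint8_t read_buf[READ_BUF_SIZE];
static uint8_t out_buf[3 + 65535 + PADDING_MIN];

/* Vulnerable responder, same shape as the pre-1.0.1g logic. rec points at the
 * record, rec_len is what really arrived. Returns 0 and fills out/out_len on
 * success, -1 if the request is dropped. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t *out_len)
{
    (void)rec_len;  /* the bug in one line: the real length is never consulted */
    uint8_t  type        = rec[0];
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (type != HB_REQUEST) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    /* Copies payload_len bytes from where the payload starts, however short the
     * record really was: up to 65535 bytes of adjacent memory are echoed back. */
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, PADDING_MIN);
    *out_len = 3 + payload_len + PADDING_MIN;
    return 0;
}

/* Fixed responder: the two length checks that OpenSSL 1.0.1g added. */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t *out_len)
{
    if (rec_len < 1 + 2 + PADDING_MIN) return -1;   /* too short, discard */
    uint8_t  type        = rec[0];
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + PADDING_MIN > rec_len) return -1; /* claim exceeds record */
    if (type != HB_REQUEST) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, PADDING_MIN);
    *out_len = 3 + payload_len + PADDING_MIN;
    return 0;
}

/* Byte-string search used to spot the planted secret in a reply. */
static int contains(const uint8_t *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; n > 0 && i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

typedef struct {
    int    vuln_rc;      /* 0 = vulnerable responder answered, -1 = dropped */
    size_t vuln_len;     /* size of the reply it would put on the wire */
    int    vuln_leaked;  /* 1 if the planted secret is inside that reply */
    int    fixed_rc;     /* 0 = fixed responder answered, -1 = dropped */
} demo_result_t;

/* Constructed stand-in for a cookie or key left in memory by earlier requests. */
static const char PLANTED_SECRET[] = "session=constructed-demo-cookie;";

/* Constructed scenario: a request that really carries a 1-byte payload but
 * claims claimed_len bytes, run through both responders. */
static demo_result_t run_demo(uint16_t claimed_len)
{
    memset(read_buf, 'A', sizeof read_buf);
    memcpy(read_buf + 200, PLANTED_SECRET, strlen(PLANTED_SECRET));
    uint8_t *rec = read_buf;
    rec[0] = HB_REQUEST;
    rec[1] = (uint8_t)(claimed_len >> 8);
    rec[2] = (uint8_t)(claimed_len & 0xff);
    rec[3] = 'x';                               /* the only payload byte sent */
    memset(rec + 4, 0, PADDING_MIN);
    size_t rec_len = 1 + 2 + 1 + PADDING_MIN;   /* 20 bytes on the wire */

    demo_result_t r = {0, 0, 0, 0};
    size_t fixed_len = 0;
    r.vuln_rc = heartbeat_vulnerable(rec, rec_len, out_buf, &r.vuln_len);
    if (r.vuln_rc == 0)
        r.vuln_leaked = contains(out_buf + 3, r.vuln_len - 3 - PADDING_MIN, PLANTED_SECRET);
    r.fixed_rc = heartbeat_fixed(rec, rec_len, out_buf, &fixed_len);
    return r;
}

int main(void)
{
    demo_result_t r = run_demo(1024);
    printf("vulnerable: rc=%d, %zu-byte reply, secret leaked=%d\n",
           r.vuln_rc, r.vuln_len, r.vuln_leaked);
    printf("fixed:      rc=%d (request dropped)\n", r.fixed_rc);
    return 0;
}
```

The 16-bit length field is where the 64 kilobyte figure comes from: a claim of 65535 makes the vulnerable responder copy that many bytes past the end of a 20-byte record. The fixed version drops the request as soon as the claim does not fit inside the bytes actually received, which is exactly the check the library was missing.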

Worryingly, OpenSSL is not alone. Security gaps have been discovered in virtually every widely used SSL library. A keyword search for OpenSSL in the US National Vulnerability Database website revealed 152 Common Vulnerabilities and Exposures (CVEs)[4]. In June 2013, former US National Security Agency (NSA) contractor Edward Snowden revealed that the NSA had used many different ways to snoop on citizens, including decrypting encrypted communications. The leaked documents indicate that some of that data had been protected with weak, or even deliberately weakened, algorithms; the algorithms themselves, not only their implementations, are fallible. With risks ranging from implementation flaws like Heartbleed to the Dual_EC_DRBG random number generator, which was developed by the NSA and is widely believed to contain a backdoor, organizations need to carefully evaluate the SSL implementations of their servers, networking devices, and application delivery controllers (ADCs).

Shield Your Vulnerable Infrastructure  

One reason IT administrators are struggling to deal with Heartbleed is that they have to assess and patch a tremendous number of applications. With many applications running on different operating systems with different SSL libraries, administrators must spend several hours testing, patching, and retesting their applications.

An easy way to safeguard vulnerable applications and avoid similar fire drills in the future is to terminate SSL traffic on ADCs. Offloading SSL traffic to ADCs not only reduces the load on application servers, but lowers the cost of managing and updating SSL libraries. Administrators do not have to manage SSL certificates on each individual server, which removes the burden of patching every individual server in the event of an SSL vulnerability outbreak like Heartbleed. The ADC then becomes the one SSL endpoint that has to be patched and, after an incident like Heartbleed, the one place whose private keys must be rotated and certificates reissued; it carries an SSL stack of its own, so it must be checked against the same vulnerability rather than assumed safe. Traffic between the ADC and the back-end servers travels unencrypted unless it is re-encrypted, so that segment has to be a network the organization trusts.
