

How to avoid the next SSL vulnerability outbreak

Hayato Koeda, Asia Pacific Japan Vice President, A10 Networks, Inc. | May 19, 2014
Since the Heartbleed vulnerability was publicly disclosed at the beginning of April 2014, IT administrators around the world have scrambled to patch web servers and to inspect and update their firewalls, mail servers, SSL VPN equipment, and just about every other device on the network that uses SSL.

Ensure SSL Implementations Are Secure

When offloading SSL traffic to ADCs, it is important to verify that the ADC's own SSL implementation is secure and does not ship a vulnerable version of OpenSSL (for Heartbleed, CVE-2014-0160, that means OpenSSL 1.0.1 through 1.0.1f; 1.0.1g and later carry the fix). Leading ADC vendors strive to deliver secure, tested, and validated SSL encryption and to apply network security best practices at every step of product design, development, and testing, so that their products are far less likely to be affected.
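The check above is easy to get wrong by hand because OpenSSL's letter suffixes, pre-release tags and vendor "-fips" labels do not sort like ordinary version numbers. The following is an added example, not code from the article or from A10 Networks: it parses `openssl version` style banners, flags the Heartbleed-affected range published in the OpenSSL advisory (1.0.1 up to and including 1.0.1f, plus the 1.0.2-beta1 pre-release), and triages a small constructed inventory. The inventory, host names and the `triage` helper are assumptions for illustration.

```python
"""Flag OpenSSL builds in the Heartbleed-affected range (CVE-2014-0160).

Added example, not part of the original article. Affected range per the
OpenSSL advisory: 1.0.1 through 1.0.1f and 1.0.2-beta1; fixed in 1.0.1g.
"""
import re
import ssl
from typing import Dict, List, Optional, Tuple

# Matches banners such as "OpenSSL 1.0.1f 6 Jan 2014", "OpenSSL 1.0.1e-fips"
# and "OpenSSL 1.0.2-beta1": numeric triple, optional letter, optional "-tag".
_VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([\w.]+))?", re.IGNORECASE
)


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int, str, str]]:
    """Return (major, minor, patch, letter, tag), or None if not an OpenSSL banner."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter, tag = m.groups()
    return int(major), int(minor), int(patch), (letter or "").lower(), (tag or "").lower()


def is_heartbleed_vulnerable(banner: str) -> Optional[bool]:
    """True if the banner falls in the affected range, False if not, None if unparsable.

    Caveat: distributions such as Debian and Red Hat backport fixes without
    bumping the letter, so a True verdict from the banner alone must be
    confirmed against the package changelog before it is treated as exposure.
    """
    v = parse_openssl_version(banner)
    if v is None:
        return None
    major, minor, patch, letter, tag = v
    if (major, minor, patch) == (1, 0, 1):
        # Bare 1.0.1 and 1.0.1a..1.0.1f are affected; 1.0.1g and later are fixed.
        # "" sorts before "a", so the unlettered release is caught as well.
        return letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        # Only the 1.0.2-beta1 pre-release shipped the heartbeat bug.
        return tag == "beta1"
    # 0.9.8 and 1.0.0 never contained the TLS heartbeat code.
    return False


# Constructed sample inventory (hypothetical hosts): banner as collected from
# `openssl version` on each box or from an appliance's CLI.
SAMPLE_INVENTORY: Dict[str, str] = {
    "web-01": "OpenSSL 1.0.1f 6 Jan 2014",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "vpn-01": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "mail-01": "OpenSSL 0.9.8y 5 Feb 2013",
    "lb-01": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "lb-02": "proprietary TLS stack v3.1",
}


def triage(inventory: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Split hosts into (vulnerable, clean, unknown) lists, each sorted by host name."""
    vulnerable: List[str] = []
    clean: List[str] = []
    unknown: List[str] = []
    for host, banner in sorted(inventory.items()):
        verdict = is_heartbleed_vulnerable(banner)
        if verdict is None:
            unknown.append(host)  # non-OpenSSL stack: needs a vendor advisory, not a banner check
        elif verdict:
            vulnerable.append(host)
        else:
            clean.append(host)
    return vulnerable, clean, unknown


if __name__ == "__main__":
    # The interpreter's own OpenSSL is a convenient first data point.
    print("local Python links", ssl.OPENSSL_VERSION,
          "-> vulnerable:", is_heartbleed_vulnerable(ssl.OPENSSL_VERSION))
    vuln, ok, unk = triage(SAMPLE_INVENTORY)
    print("vulnerable:", vuln)
    print("clean:     ", ok)
    print("unknown:   ", unk)
```

Hosts that land in the "unknown" bucket (an ADC or VPN concentrator running a proprietary stack) are exactly the ones the article's advice applies to: the banner tells you nothing, so the vendor's advisory and validation status have to stand in for it.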

Achieving security certification is a good indicator of a vendor's efforts. To demonstrate that products meet recognized benchmarks for security and functional assurance, vendors submit them to accredited laboratories for evaluation against Federal Information Processing Standard (FIPS) 140-2, Common Criteria, Joint Interoperability Test Command (JITC) requirements, or other schemes. Such certifications do not prevent a product from falling victim to a zero-day SSL vulnerability, but they do establish that the certified product meets stringent cryptographic design and implementation requirements, and the evaluation process reduces the risk that attackers will uncover vendor-specific flaws in the software and hardware.

For example, FIPS 140-2 validation entails in-depth testing of the cryptographic module's key management, roles, services and authentication, physical security, self-tests, mitigation of other attacks, and many other software and hardware requirements. In other words, a product that carries such a certification has been shown to meet exacting, independently tested security requirements. One caveat worth remembering: the validation boundary is the cryptographic module, not the TLS protocol code wrapped around it. Heartbleed lived in OpenSSL's TLS heartbeat handling, outside the validated FIPS Object Module, so a FIPS-validated crypto library on its own is no guarantee against that class of bug.

Be Ready for Physical Attacks

Besides cyber-attacks and software vulnerabilities, organizations must consider physical threats, such as thieves or malicious insiders who might physically tamper with equipment to extract the private keys stored on it.

To protect devices from physical attacks such as chassis tampering and bus probing, many ADC vendors offer hardware security modules (HSMs) on select models. An HSM keeps SSL private keys inside the module and performs the private-key operations there, so the key never leaves the hardware; some HSM options also add cryptographic acceleration and carry their own FIPS 140-2 validation. HSMs are also tamper-evident and tamper-resistant: an attempt to open or probe the module leaves visible evidence and, on higher assurance levels, triggers zeroization of the keys, so administrators can tell whether a network appliance has been physically compromised rather than merely power-cycled.

By deploying advanced ADCs that offload SSL and are fitted with HSM cards for secure key management and tamper protection, IT professionals can sharply reduce their exposure to the next SSL vulnerability outbreak and concentrate on their key business goals.
