<p><em>Despite several warnings from governments, enterprises and IT experts, the entire IT world is devising strategies to handle the Heartbleed bug - an OpenSSL vulnerability, says</em><strong><em> Shibu Paul</em></strong><br><br>Just over a year ago, the tech industry was jolted by a very serious vulnerability in OpenSSL. The vulnerability, Heartbleed, makes it possible for anyone to steal and read encrypted information - including usernames and passwords - from servers that are considered secure. The impact of Heartbleed has extended far beyond websites using SSL encryption, affecting wireless networks and the internal networks of enterprises. The security bug affects certain versions of OpenSSL that do not properly handle heartbeat extension packets. This allows attackers to craft packets that trigger a buffer over-read, resulting in the exposure of sensitive information from clients and servers.<br><br>Enterprises that deployed Application Delivery Controllers (ADCs) and secure access gateways (AG Series) also incorporated a proprietary SSL stack, and thus were not affected by Heartbleed. However, many competing products are based on OpenSSL, and their respective manufacturers raced to implement patches and fixes to protect their customers. Despite several warnings from governments, enterprises and IT experts, the entire IT world is devising strategies to handle the Heartbleed bug, an OpenSSL vulnerability. Customers that are vulnerable to this issue should instead implement proprietary SSL, which offers significant advantages over open source solutions.<br><br>With the 20/20 hindsight afforded by a year’s distance from the Heartbleed announcement, what has changed and what have we learned?<br><br><strong>Heartbleed was neither the first nor the last: </strong>OpenSSL had multiple vulnerability announcements prior to Heartbleed and even over the last year. 
With regard to attacks like Man-in-the-Middle and ClientHello, neither AG Series SSL VPNs nor APV Series ADCs were vulnerable, thanks to our proprietary SSL stack. The FREAK vulnerability affected very few products, namely end-of-sale ADCs and SSL VPNs, as well as some functions of WAN optimization controllers. New software versions for these products are available to mitigate these vulnerabilities.<br><br><strong>Security is a mindset, not a feature: </strong>There were vulnerability announcements about SSL/TLS and other components of application delivery networking last year. However, all SSL companies focusing on security need to terminate SSL traffic on ADCs to safeguard vulnerable applications and avoid similar vulnerabilities. From the beginning, companies have to be fanatical about removing unnecessary features and loopholes from their software to improve both security and performance. This security mindset paid off with the Bash vulnerability, because the APV and AG Series do not expose Bash for remote access.<br><br><strong>Web and application servers may still be vulnerable to Heartbleed: </strong>Security firm Venafi recently issued a report stating that nearly three quarters of Global 2000 firms have public-facing systems that remain vulnerable. The primary reason cited by the report was incomplete remediation, typically a failure to replace SSL keys and certificates after patching. Note that adding a Heartbleed-proof ADC (shameless plug) like the APV Series can provide an additional layer of defense while providing load balancing, SSL offloading and other functions that improve server and application performance.<br><br><strong>The nature of malicious attacks has changed: </strong>At the dawn of the Internet, it was mostly script kiddies and other idle minds who were responsible for attacks. 
Now, headline-grabbing malicious attacks are perpetrated by organized criminals and even nation states, with the goal of compromising personal financial information, sensitive corporate and government information, and even a nation’s infrastructure. The damage is about money and national security - the stakes are very high.<br><br>While OpenSSL is but one potential attack vector, Heartbleed and other OpenSSL vulnerabilities point to the new reality for IT professionals: they must remain ever mindful, ever vigilant and ever diligent to protect the networks they manage against malicious attacks.<br><br><em>The author is Regional Sales Director – India, ME and SEA, Array Networks</em></p>
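<p>The heartbeat handling described at the start of the article, as an added example that is not OpenSSL's code nor the article's or Array's: a simplified heartbeat record parser that includes the length check the Heartbleed-vulnerable OpenSSL versions lacked. The function name, return codes and sample records are this example's own.</p>

```c
/* Simplified parser for a TLS heartbeat record (RFC 6520 layout: 1-byte type,
 * 2-byte payload length, payload, at least 16 bytes of padding), with the
 * bounds check whose absence caused Heartbleed. Added example, not OpenSSL's
 * code; function name, return codes and sample records are this example's own. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING  16

/* Build a heartbeat response into out (capacity out_cap) from the received
 * record rec of rec_len bytes. Returns the response length, or -1 if the record
 * is malformed. Vulnerable OpenSSL versions trusted the claimed payload length
 * and copied that many bytes out of process memory; the check below refuses any
 * length that exceeds what was actually received. */
int heartbeat_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;                                   /* too short, or not a request */
    size_t payload = ((size_t)rec[1] << 8) | rec[2]; /* peer-controlled field */
    if (1 + 2 + payload + HB_PADDING > rec_len)      /* the Heartbleed fix */
        return -1;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);               /* echo only bytes that exist */
    memset(out + 3 + payload, 0, HB_PADDING);        /* padding (OpenSSL uses random bytes) */
    return (int)resp_len;
}

/* Constructed sample: a well-formed request carrying the 5-byte payload "hello". */
static const uint8_t good_rec[] = { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
/* Constructed sample: the same 24 bytes, but the header claims a 65535-byte payload. */
static const uint8_t lying_rec[] = { HB_REQUEST, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

int main(void)
{
    uint8_t out[128];
    printf("good record  -> %d\n", heartbeat_response(good_rec, sizeof good_rec, out, sizeof out));
    printf("lying record -> %d\n", heartbeat_response(lying_rec, sizeof lying_rec, out, sizeof out));
    return 0;
}
```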