Heartbleed – Understand the Problem. Get an inventory.
Dealing with the Heartbleed Problem
Heartbleed is a flaw in OpenSSL, the open-source TLS library that a large share of websites use to provide a secure connection between the service and the user. The bug is in OpenSSL's implementation of the TLS Heartbeat extension (RFC 6520), a keep-alive mechanism in which one side sends a small payload and expects the other side to echo it back. A heartbeat request declares its own payload length, and vulnerable versions copied that many bytes into the reply without checking that the request actually contained them. An attacker who sends a tiny request claiming a large payload therefore receives up to 64K of the server's process memory in the reply, can repeat the request as often as they like, and leaves nothing in the server's logs. The leaked memory can contain private keys, session cookies and passwords. There is an excellent graphic at this link which explains it very well.
There is no shortage of information on the subject, as everyone seems to have an opinion on it. Some of the advice is poor, and following it can expose you to other attacks (for example, changing your password on a service that has not yet been patched simply hands the new password to anyone still reading the server's memory). I would recommend that you start by understanding what Heartbleed means and then check out articles which have good advice on what you should and shouldn't do.
Even if you are not running high-profile web services you should look into how it impacts your network: OpenSSL sits inside mail servers (SMTP, IMAP and POP with STARTTLS), VPN gateways, LDAP, management interfaces and many appliances, not just web servers. The #1 thing on your list should be an inventory of what systems are running OpenSSL. A deep packet inspection system like LANGuardian can help here because it recognises SSL/TLS traffic by its content, no matter what port it is running on. Don't rely on flow-based tools for this: they classify traffic by port number, so a TLS service on a non-standard port will be missed. Keep in mind that passive monitoring shows you where TLS is in use, not which library is behind it; confirm the library and version on each host, or test whether the service answers heartbeat requests.
Once you have your inventory together, update each server to a fixed version of OpenSSL. The affected versions are 1.0.1 through 1.0.1f (and 1.0.2-beta1); the fix is in 1.0.1g, which is the current version as I write. Check your distribution's advisory rather than the bare version string, because vendors backport the fix while keeping the original version number. Then restart every service that links against the library, since a running process keeps the old code in memory. If a rebuild is your only option, compiling with -DOPENSSL_NO_HEARTBEATS removes the vulnerable code. Finally, assume that anything in the server's memory may already have been read: reissue certificates with new private keys and revoke the old ones, and only then invalidate sessions and ask users to change passwords.
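Once the banners from `openssl version` have been gathered from each host, they can be triaged automatically. The following is an added example, not code from this post or from LANGuardian, that classifies a banner against the upstream affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1); the host names and banners are constructed for illustration. The letter-suffix ordering and the beta case are where hand-written checks usually go wrong.

```python
"""Triage 'openssl version' banners gathered during the inventory.

Added example, not code from the original post or from LANGuardian.
Upstream affected range: 1.0.1 through 1.0.1f, plus 1.0.2-beta1.
Fixed in 1.0.1g and 1.0.2-beta2.  0.9.8 and 1.0.0 never had the heartbeat code.
"""
import re

# Matches e.g. "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014"
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_version(banner: str):
    """Return (major, minor, fix, letter, beta) from an 'openssl version' line."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4)                       # '' for 1.0.1, 'e' for 1.0.1e, ...
    beta = int(m.group(5)) if m.group(5) else None
    return major, minor, fix, letter, beta


def is_vulnerable_upstream(banner: str) -> bool:
    """True if the *upstream* version in the banner is in the affected range.

    Caveat: distributions (Debian, Ubuntu, Red Hat, ...) backport the fix
    without bumping this string, so a patched box can still print 1.0.1e.
    Treat True as "check the package version or probe the service", not as proof.
    """
    major, minor, fix, letter, beta = parse_version(banner)
    if (major, minor, fix) == (1, 0, 1):
        return letter < "g"                   # '' and 'a'..'f' affected, 'g' onwards fixed
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1                      # only 1.0.2-beta1 shipped the bug
    return False


def triage(inventory: dict) -> dict:
    """Map host -> 'check' or 'ok' from a {host: banner} inventory."""
    return {host: ("check" if is_vulnerable_upstream(banner) else "ok")
            for host, banner in inventory.items()}


# Constructed inventory for illustration; the hosts and banners are not real data.
SAMPLE_INVENTORY = {
    "web01":  "OpenSSL 1.0.1e 11 Feb 2013",      # affected unless the distro backported the fix
    "web02":  "OpenSSL 1.0.1g 7 Apr 2014",       # fixed upstream release
    "mail01": "OpenSSL 0.9.8y 5 Feb 2013",       # old branch, never had heartbeats
    "vpn01":  "OpenSSL 1.0.2-beta1 24 Feb 2014", # affected beta
    "lb01":   "OpenSSL 1.0.1 14 Mar 2012",       # first 1.0.1 release, affected
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(host, status)
```

A "check" result means the host needs a second look (package changelog, vendor advisory, or a live heartbeat probe), not that it is proven exploitable; an "ok" result is reliable only for hosts running genuine upstream builds.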
LANGuardian can also be used to generate an alert in the event of an exploit attempt. The SSL/TLS decoder can detect when a malformed heartbeat request is sent to a server, and an event is generated whenever this is detected. The signature name is "OpenSSL HeartBleed Exploit Attempt". These events are visible in a new report, 'Heartbleed exploit', under the Security section. Drill down to get a list of clients and servers, and then review the actions of each client.
We've tested using some of the published exploit scripts against servers with heartbeat enabled and disabled, and accuracy is excellent, with few false positives. The potential for false positives does exist, however, and we continue to test and develop the decoders. Updates will be published as required.
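To make concrete what "malformed heartbeat request" means, and how the over-read described at the top of the post arises, here is an added example. It is not code from this post or from LANGuardian's decoder; it applies the same bounds check that OpenSSL 1.0.1g added to its own heartbeat handler (the declared payload length plus the 3-byte header and the 16-byte minimum padding must fit inside the record) to raw TLS records. The three sample records are constructed, and the client and server addresses are placeholders.

```python
"""Flag heartbeat requests whose declared payload does not fit in the record.

Added example, not code from the original post or from LANGuardian.
"""
import struct

TLS_HEARTBEAT = 24          # TLS record content type for the Heartbeat extension (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
HB_MIN_PADDING = 16         # RFC 6520 requires at least 16 bytes of random padding
HEADER_LEN = 5              # content type (1) + version (2) + fragment length (2)


def parse_records(data: bytes):
    """Split a byte stream into (content_type, version, fragment) tuples.

    Stops at the first truncated record and returns the unconsumed tail as the
    second value, so a caller feeding a live stream can wait for more data.
    """
    records, offset = [], 0
    while len(data) - offset >= HEADER_LEN:
        ctype, major, minor, frag_len = struct.unpack("!BBBH", data[offset:offset + HEADER_LEN])
        end = offset + HEADER_LEN + frag_len
        if end > len(data):
            break
        records.append((ctype, (major, minor), data[offset + HEADER_LEN:end]))
        offset = end
    return records, data[offset:]


def check_heartbeat(fragment: bytes) -> dict:
    """Apply the bounds check that vulnerable OpenSSL omitted.

    A well-formed heartbeat message is type(1) + payload_length(2) + payload +
    padding(>=16).  If the declared payload_length does not fit inside the
    fragment, a vulnerable peer still copies payload_length bytes from its own
    memory into the response: that is the Heartbleed over-read.
    """
    if len(fragment) < 3:
        return {"malformed": True, "reason": "fragment shorter than heartbeat header"}
    hb_type, payload_len = struct.unpack("!BH", fragment[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return {"malformed": True, "type": hb_type, "reason": "unknown heartbeat type"}
    # The check added in OpenSSL 1.0.1g: 1 + 2 + payload + 16 > record length.
    if 1 + 2 + payload_len + HB_MIN_PADDING > len(fragment):
        actual = max(0, len(fragment) - 3 - HB_MIN_PADDING)   # payload bytes really present
        return {
            "malformed": True,
            "type": hb_type,
            "declared_payload": payload_len,
            "over_read": payload_len - actual,   # bytes beyond the real payload a vulnerable peer would leak
            "reason": "declared payload length exceeds fragment",
        }
    return {"malformed": False, "type": hb_type, "declared_payload": payload_len, "over_read": 0}


def heartbleed_events(stream: bytes, client: str, server: str) -> list:
    """Return one event per malformed heartbeat *request* in a client->server stream."""
    records, _leftover = parse_records(stream)
    events = []
    for ctype, _ver, fragment in records:
        if ctype != TLS_HEARTBEAT:
            continue
        verdict = check_heartbeat(fragment)
        if verdict["malformed"] and verdict.get("type") == HB_REQUEST:
            events.append({"signature": "OpenSSL HeartBleed Exploit Attempt",
                           "client": client, "server": server, **verdict})
    return events


# Constructed sample traffic (not captured data).
# 1. A benign request: 4-byte payload "ping" plus 16 bytes of padding -> 23-byte fragment.
BENIGN_REQUEST = (b"\x18\x03\x02" + struct.pack("!H", 23)
                  + b"\x01" + struct.pack("!H", 4) + b"ping" + b"\x00" * 16)
# 2. A malicious request: a 3-byte fragment that claims a 0x4000-byte payload.
EXPLOIT_REQUEST = b"\x18\x03\x02\x00\x03\x01\x40\x00"
# 3. An unrelated application-data record, to show it is ignored.
APP_DATA = b"\x17\x03\x02\x00\x05hello"

if __name__ == "__main__":
    for ev in heartbleed_events(BENIGN_REQUEST + APP_DATA + EXPLOIT_REQUEST, "10.0.0.7", "10.0.0.1"):
        print(ev)
```

This kind of check only works on heartbeats that travel in the clear. The published exploit scripts send the malformed request right after the ServerHello, before the handshake completes, so a passive sensor can read the length field; a heartbeat sent after ChangeCipherSpec is encrypted, and neither this code nor any DPI device can inspect it without the session keys.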
Part 2 of this blog is available here.