
Wednesday, 08 October 2014 21:32

Leveraging Proprietary SSL to Mitigate Heartbleed, MITM and other OpenSSL Bugs

Written by Paul Andersen

Weeks ago, when Heartbleed hit, some companies were at greater risk of attack while others had nothing to fear. Those spared were likely immune to the bug because their networking gear did not rely on OpenSSL to secure production traffic.

While Heartbleed was not Internet security’s finest hour, it did create an opportunity to discuss why proprietary SSL implementations offer significant advantages over open source solutions. Developing a proprietary SSL stack is not easy. However, once the work is done, the security and performance advantages of proprietary SSL implementations are significant.

Most often, proprietary SSL is found on application delivery controllers (ADCs), the new breed of advanced load balancers that front-end servers to optimize application availability, performance and security. To gain the performance and scalability to support SSL encryption for large enterprises, Web properties and cloud service providers, SSL functions must be executed in the kernel – and doing so requires creating a streamlined SSL stack devoid of the extraneous protocols and features common to OpenSSL.

While no solution can ever be fully secure, a proprietary SSL stack has another significant security advantage. Unlike open source solutions, proprietary SSL stacks are not publicly available, and do not give hackers the time and access needed to work out an exploit. In the event that a company finds a bug in its proprietary SSL stack, it can be remediated and fixed without the general public being made aware of the vulnerability.

In the case of both the Heartbleed and MITM vulnerabilities, businesses that used ADCs with a proprietary SSL stack were largely unaffected.

As shown in the table below, terminating SSL on the servers themselves leaves businesses vulnerable, hinders performance and complicates remediation, because many different OpenSSL versions must be patched. While a load balancer can improve performance, most rely on multiple versions of OpenSSL and remain vulnerable to bugs such as Heartbleed and MITM. In contrast, top-tier ADCs with proprietary SSL stacks significantly reduce exposure to these vulnerabilities and at the same time substantially reduce the effort required for remediation. While it is often said that security comes at the expense of performance, in the case of proprietary SSL, businesses gain superior security and superior performance at once.

| Deployment | SSL Stack | SSL Versions | Performance |
|---|---|---|---|
| Servers using OpenSSL | Vulnerable | Many versions - complex remediation | Software SSL - poor |
| Server load balancers using OpenSSL | Vulnerable | Multiple versions - harder remediation | Hardware SSL - good |
| Top-tier ADCs using proprietary SSL | Not vulnerable | One version - simpler remediation | Optimized hardware SSL - superior |

About the Author

Paul Andersen is the director of marketing at Array Networks (www.arraynetworks.com). He has more than 15 years of experience in networking and has served in various marketing capacities for Cisco Systems, Tasman Networks and Sun Microsystems. Andersen holds a bachelor’s degree in marketing from San Jose State University.