Dell SonicWall Heartbleed follow-up and additional information

Dmitriy Ayrapetov

Director, Product Management – Network Security

I would like to follow up on Heartbleed and the information that is available for your use.

First, on the product side, you all should be aware of the following:

a.       Firewalls:  not vulnerable and have been providing protection against Heartbleed since April 8^th (for more info, click on the blog and read the rest of the email)

b.      Email Security: not vulnerable

c.       SRA/SSL VPN: vulnerable, patches and information available in the bulletin below.

d.      GMS: UMA/VM are not vulnerable, Windows install is vulnerable, patches and information are available in the bulletin below.

We posted a product bulletin on the support section of the site for the affected products.  For your reference, here’s the direct link to the bulletin:

http://www.sonicwall.com/us/shared/download/ell_SonicWALL_-_Support_Bulletin_-_CVE-20140-1016_OpenSSL_Large_Heartbeat_Response_Vulnerability.pdf

Additionally, today we posted a blog that outlines our protection efforts over the past two weeks against HeartBleed along with some recommendations.  Please share it and use it as a resource when asked about what Dell SonicWALL firewalls can do and have done for protection.  You can find it at the following link:

http://en.community.dell.com/techcenter/b/techcenter/archive/2014/04/24/dell-sonicwall-next-generation-firewall-protection-against-heartbleed-cve-2014-0160.aspx

I received some questions asking why the firewalls were not vulnerable –whether it was IPS that protected our firewalls or is it because we do not use OpenSSL. This question came up a few times so I think it’s important to address it and for you to understand.   The firewalls DO use OpenSSL, but are inherently not vulnerable.  That means that whether or not you have IPS enabled, the firewall is not vulnerable to the attack. 

Why?

While we use OpenSSL in our products, remember that just having OpenSSL does *not* make you automatically vulnerable. What opens up a vulnerability in the product is having a version of OpenSSL (1.0.1 versions) in which the Heartbeat feature is present. We can get more granular:  What makes products vulnerable is having OpenSSL with Heartbeat feature enabled.  Without disclosing too much, I assure you that our firewalls do not fall into either one of those categories – whether for the management interface or for SSL VPN. 

All affected customers have been contacted.  Additionally, we’re looking at creating a webinar on the topic and you should see a partner communication soon as well.

Post 1

Almost everyone has two things: buttholes and excuses...

I have both. I feel sorry for you, if your missing a hole...

So in my free time I have taken my step-son to basketball practice, I have worked on the lawn, and worked on my golf game. It is just way too beautiful outside. My excuses started out sweet then turned sinister. April is the best time of year to be outside.

Been a busy week trying to close down some large opps before cut off date next Wednesday. My negotiation skills have been tested a lot this quarter.

I have had a slow down in busy work load, but there has been an increase in strategic communications that require me to not shoot from the hip as much. I still do sometimes though and afterward ask myself, "Was that smart?"

Sometimes I find I have to work harder after honestly answering this question...

Introduction

The idea for this blog is to hold myself accountable to the personal IT deadlines I set for myself.

Unfortunately life has a way of derailing the things you ought to do.

I have a list of technical knowledge I would like to work on but I find that I get distracted after a couple of weeks. This public blog is to help hold me accountable to produce a weekly article of what I have learned in the past week.

If I did not work towards a goal for a week, it will be glaringly obvious.

Well this is a short post, so here is a couple pictures of my dogs...