In the Wake of Heartbleed Part 3: How NetCloud Manager Gave Customers an Advantage over Heartbleed

As the old saying goes, when you’re being chased by a bear, you don’t have to run faster than the bear. You just have to run faster than the people you’re with. The same is true when it comes to data security.

With any malware or virus or bug, there are always exploits intruders can string together to defeat even the highest levels of security. But the fact of the matter is that if you erect decent security measures, intruders are typically going to move on in search of easier targets.

Hackers are out there scanning IP addresses for ports that listen and respond, which can expose weaknesses. Cradlepoint uses and recommends five strategies to protect your servers and devices from intruders:

  • Strategy 1: Default Configuration. On each of our router devices is a configuration setting to enable or disable remote web-based administration. We disable that setting by default. It would have to be turned “On” for an intruder to be able to even attempt to log in and administer the device from the Internet.
  • Strategy 2: Access Control Lists. If a customer does enable web-based administration, the second strategy is an access control list. This list specifies which other systems and IP addresses should be granted access for remote web-based administration. Both the default-off setting and the access control list would effectively prevent someone from using the Heartbleed vulnerability.
  • Strategy 3: Non-standard Web Ports. Our security strategy for NetCloud Manager is to not use the standard web ports 80 or 443. It uses different ports.
  • Strategy 4: Bypass Web-Based Admin. If you are using NetCloud Manager, you don't need to have remote web-based administration enabled to be able to remotely manage the device. NetCloud Manager provides an interface that looks almost exactly like what you would see if you were on one of our routers’ web interfaces. All of the configurations you create are inside the NetCloud Manager environment and are then automatically pushed down to the actual router device when you hit apply.
  • Strategy 5: TLS. There are a number of different encryption and communication protocols in the background of NetCloud Manager that push configurations and pull data from the Cradlepoint to the NetCloud Manager server. We use TLS (Transport Layer Security) for that encryption. NetCloud Manager only administers the Cradlepoint, so none of the customer data that flows through the device is ever seen by NetCloud Manager.

I know from personal experience what it’s like trying to manage technology in thousands of locations at the same time. Without something like NetCloud Manager, you have to remotely go into each router through the web interface (assuming you have that turned on) or through a telnet/ssh session. In either scenario, you’d have to determine the correct firmware, download it, and only then execute the upgrade.

Needless to say, if you wanted to upload new firmware to neutralize Heartbleed, and you have hundreds or thousands of devices to upgrade, that could take a significant amount of time and resources. With NetCloud Manager, devices are grouped together for configuration and firmware upgrades. You simply select the new firmware version from a drop-down box in the group configuration. NetCloud Manager then automatically pushes the firmware down to the group, without having to go into each device individually. It’s as simple as that.

NetCloud Manager also gives you status and reporting updates so you know what firmware version all your devices are on, and what devices may still need an upgrade. If a device was offline when you initiated the firmware upgrade, as soon as it comes back up, NetCloud Manager senses that device and automatically pushes down the firmware upgrade.

Finally, I just wanted to point out that while NetCloud Manager is a paid service, we gave customers who don’t pay for this service the opportunity to get a 30-day NetCloud Manager account for no charge so they could use it to update their devices as quickly as possible. I guess you could call that Strategy #6.

