Vulnerability Summary
Since May 13, 2008, it has been widely reported that a vulnerability in the OpenSSL package distributed by the Debian project had crippled the seeding process used when generating SSL and SSH keys. As a result, the number of distinct keys the generator could produce became dangerously small—significantly reducing the time needed to compromise the keys. All SSL and SSH keys generated on Debian-based systems (Ubuntu, Kubuntu, etc.) between September 2006 and May 13th, 2008 may be affected and should be regenerated and revoked.
What Should Organizations Do?
To address these vulnerabilities, organizations need to do the following:
- Install appropriate patches
- Identify all certificates and keys at risk
- Replace all certificates and keys at risk
- Catalog all certificates and keys within the organization
- Implement procedures for controlling, managing and measuring the state of your encryption certificates and keys
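The "identify all certificates and keys at risk" step is, in practice, an inventory pass: fingerprint every key found on a host and compare it with a blacklist of fingerprints known to come from the broken generator. The following script is an added illustration of that check and is not Venafi's tooling nor the Debian openssl-blacklist/ssh-vulnkey packages; its blacklist is constructed from a deliberately tiny sample key rather than real weak-key data, and it handles plain "ssh-rsa <base64> [comment]" lines (authorized_keys entries without option prefixes, or *.pub files). Only the standard library is used.

```python
"""Check OpenSSH public keys against a blacklist of known-weak fingerprints.

Added illustration of the "identify all certificates and keys at risk" step.
Not Venafi code and not the Debian openssl-blacklist/ssh-vulnkey tools; the
blacklist below is constructed from a sample key, not real weak-key data.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251, section 5)."""
    # Allocating one extra bit keeps the leading byte's sign bit clear.
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def encode_rsa_pubkey(e: int, n: int, comment: str = "") -> str:
    """Build an OpenSSH 'ssh-rsa <base64> comment' line from (e, n)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}".rstrip()


def parse_pubkey_line(line: str):
    """Return (key_type, blob, comment) for one OpenSSH public key line."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    comment = parts[2] if len(parts) == 3 else ""
    # The first wire string inside the blob must repeat the textual key type.
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != key_type.encode():
        raise ValueError("key type in blob does not match the text prefix")
    return key_type, blob, comment


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the blob, base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def rsa_modulus_bits(blob: bytes) -> int:
    """Bit length of the modulus n in an ssh-rsa blob (type, e, n)."""
    offset, fields = 0, []
    for _ in range(3):
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        fields.append(blob[offset:offset + length])
        offset += length
    return int.from_bytes(fields[2], "big").bit_length()


# Constructed stand-in for a blacklist entry.  A real blacklist (such as the
# one Debian published in 2008) is built by enumerating every key the crippled
# PRNG could emit and recording their fingerprints; here the set holds only
# the fingerprint of this deliberately tiny sample key.
WEAK_SAMPLE = encode_rsa_pubkey(65537, 0xC4F3A2B1D6E7F809, "weak@example")
WEAK_FINGERPRINTS = {fingerprint(parse_pubkey_line(WEAK_SAMPLE)[1])}


def audit_keys(text: str, blacklist=WEAK_FINGERPRINTS):
    """Classify every key line in `text`; returns one dict per non-comment line."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            key_type, blob, comment = parse_pubkey_line(line)
        except (ValueError, struct.error) as exc:  # binascii.Error is a ValueError
            findings.append({"line": lineno, "status": "unparseable", "detail": str(exc)})
            continue
        fp = fingerprint(blob)
        findings.append({
            "line": lineno, "type": key_type, "comment": comment, "fingerprint": fp,
            "bits": rsa_modulus_bits(blob) if key_type == "ssh-rsa" else None,
            "status": "BLACKLISTED" if fp in blacklist else "ok",
        })
    return findings


if __name__ == "__main__":
    # Constructed authorized_keys-style input for the demonstration.
    sample = "\n".join([
        "# constructed sample file",
        WEAK_SAMPLE,
        encode_rsa_pubkey(65537, (1 << 2047) | 12345, "healthy@example"),
        "ssh-rsa not-valid-base64!!",
    ])
    for finding in audit_keys(sample):
        print(finding)
```

Because a public key carries no generation date, the check cannot tell from the key alone whether it was made inside the vulnerable window; the blacklist comparison is what gives a definite answer, and any key that cannot be parsed is reported rather than silently skipped so it is not lost from the inventory.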
How Can Venafi Products Help?
With its discovery capabilities, Venafi helps organizations discover SSL* certificates across their entire infrastructure. The Venafi discovery process provides reports which allow organizations to quickly determine which systems are at risk. (NOTE: Depending upon how Debian is used, other keys may be at risk, so organizations should be sure to understand how OpenSSL on Debian has been used for key generation.)
Next, Venafi can automatically revoke and replace any certificates and keys that are suspect, and configure the applications using them according to company-defined policies. (In this case the Linux operating system and the web server.)
Venafi also eases the process of ensuring that encryption systems remain available when there is a need for disaster recovery. Venafi provides a fail-over solution and enables organizations to rapidly respond to, and recover from, disastrous events by rapidly migrating and replacing certificates and keys, as well as automating intermediate root management and maintenance. Because all systems where encryption is used are cataloged and accounted for in the Venafi system, an organization can quickly determine which systems need to be updated and take appropriate action—including instructing the Venafi system to automatically reconfigure systems and provision replacement certificates within minutes after a replacement CA or algorithm is selected. (See the Venafi Business Case, Disaster Recovery section, pg. 8)
Implement Venafi Systems Management for Encryption
Once Venafi has helped discover an organization’s certificates and keys, it can automate the process of maintaining the encryption. The additional automation functions include: lifecycle management, application configuration, and monitoring & reporting. Additionally, Venafi makes it simple and easy to migrate between CAs, automating all interactions with the CA and automatically configuring the necessary applications.
Platform Support
Venafi provides products and solutions to effectively manage encryption across platforms including Debian, as well as Windows, RedHat, SUSE Linux, Solaris, AIX and HP-UX.
How Can Venafi Professional Services Help?
In addition to Enterprise Software, Venafi also has a Professional Services team of experts that help Global 2000 organizations implement effective encryption management solutions. Venafi Professional Services can help organizations address this issue by working with the appropriate staff to:
- Identify all Debian systems
- Determine the version of the Debian distribution used
- Implement tactical remediation using the Venafi SEM product to replace the keys and certificates on the affected servers—using the same CA (or a different CA)
With the tactical issue resolved, Venafi Professional Services can also help organizations with their enterprise certificate lifecycle management by:
- Performing an initial environment assessment to establish a Systems Management for Encryption plan
- Providing a report outlining discovery results, and reviewing it with customer stakeholders
- Implementing a holistic Systems Management for Encryption solution
How Do I Contact Venafi?
To contact Venafi, call +1.801.676.6900, or send an email to info@venafi.com.
Additional Resources
* Currently, Venafi does not assist with the management of SSH keys, which also must be addressed as part of a disaster recovery response to the Debian vulnerability.