Security Advisories

1 Oct

An outside lab tested IpTL appliances and found no vulnerabilities in both the internal and the external PCI DSS 3.2 compliance scans.

When part of a PCI DSS 3.2 compliant system, IpTL’s appliances add to the security of all data in transit.




IP Technology Labs, the leading provider of 4th Generation VPN connectivity, WAN/SD-WAN, and IoT secure networking appliances, today announces that it has been independently verified to pass all PCI DSS 3.2 elements without indicating any vulnerabilities.

The Payment Card Industry (“PCI”) Standards Council sets forth the Data Security Standards (“DSS”) for all entities involved in payment card processing. Recognizing the increase in threats, breaches, and exploits, compliance with the PCI DSS helps to mitigate these vulnerabilities and protect cardholder data. PCI DSS 3.2 compliance is required for merchants, devices, and applications within the Cardholder Data Environment (“CDE”) for payment processing. PCI DSS 3.2 supersedes version 3.1 and takes effect in October 2016.

“Security is more than just protecting data,” said Scott Whittle, President of IP Technology Labs. “IpTL has always led with the system in mind. With zero security vulnerabilities, our customers can deploy and audit to PCI 3.2 DSS levels with confidence. As always, we have consistently led the industry with the best connectivity, privacy, and security. Now, confirmation from an independent lab assessment continues to strengthen what our customers already know and trust.”

One significant PCI DSS 3.2 update is the requirement to migrate to stronger protocols for data in transit. IpTL has shipped TLSv1.2 in all its appliances since the protocol became available and has never used vulnerable SSL. A scan with Tenable’s Nessus™ vulnerability scanner shows that IpTL has zero critical, high, medium, or low findings for PCI DSS 3.2 elements. A copy of the report is available at IpTL’s website.


As the World’s Longest Ethernet Cable™, IpTL FastLane solutions are the 4th Generation of VPN, placing your LAN securely anywhere in the world while integrating all your wireless and wired devices seamlessly. Using any Internet connection, an enterprise can create its own virtualized, private, and secure LAN. IpTL appliances work especially well in VPN, WAN, and IoT network environments where NAT, nested NAT, or dynamic IP/DHCP is present on both ends of a link.

Contact marketing@IpTechnologyLabs.com for additional information and opportunities to cooperate with IpTL.

About IP Technology Labs LLC. (iptechnologylabs.com)

IP Technology Labs is the worldwide designer and manufacturer of the FastLane™ IP and Ethernet network appliances for plug-and-play VPN, SD-WAN/WAN, and IoT connectivity. Solving challenges imposed by infrastructure limitations for telecommunications and information technology users, IpTL simplifies, lowers the cost of, and enables the connection of network devices and services over any LAN or WAN infrastructure. With products made in the USA, IpTL offers solutions for every network.

IP Technology Labs, IpTL, BroadLane, FastLane, and The World’s Longest Ethernet Cable are trademarks of IP Technology Labs, LLC. in the United States and other countries. The IP Technology Labs logos are trademarks of IP Technology Labs, LLC. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Category : Corporate | News | Security Advisories | Blog
2 Mar

SECURITY: IpTL Immune to OpenSSL DROWN Attack


Today it was announced that OpenSSL has another security defect, called Decrypting RSA with Obsolete and Weakened eNcryption, or “DROWN.” DROWN is a cross-protocol attack that leverages specific weaknesses in certain OpenSSL SSLv2 implementations. Primarily a man-in-the-middle (MitM) attack, DROWN can allow decryption of a TLS connection by sending specially crafted, malicious SSLv2 packets and using openly available decryption tools.

The primary exposure in the marketplace is poorly configured HTTPS web servers that still permit SSLv2 to be negotiated. IpTL uses only TLSv1.2 for tunnel transport and encryption and has no option to negotiate SSLv2. As we have always kept security at the forefront, we are not vulnerable to this attack.

Here are some key points which are standard in any IpTL solution:

  • IpTL secure links do not use SSL or HTTPS. We are built on TLSv1.2 and use AES-256 encryption by default.

  • There are no weak export ciphers in our system.

  • We use 2,048-bit RSA asymmetric keys.

  • IpTL is a closed, symmetric system: our appliances or virtual machines are on both ends of the link, rather than a point-security solution.

    Thus, we can guarantee AES-256 encryption of your data, and no one can force a downgrade to a weaker encryption level that can be broken. If the cipher spec is altered, no connection takes place and no data is leaked.

  • With our Tunnel Authentication passphrase you can enter a 64-character passcode that locks even the initial TLS communication between the endpoints. Note: this is not an encryption pre-shared key (we don’t offer pre-shared keys!).

    When this feature is used, only the appliances sharing the same passphrase can communicate. Any other connection attempt is ignored; the server will not even respond to a non-authorized connection, so there is nothing to downgrade. This is above and beyond the standard ephemeral key exchange and HMACs of TLS!

  • IpTL offers an elliptic-curve cipher suite with AES-256-GCM and SHA-384 as a standard option for true state-of-the-art confidentiality!

Email us at marketing@iptechnologylabs.com and ask for our Security White Paper for even deeper details on how we connect and secure your network!

Category : Corporate | Security Advisories | Blog
2 Jun

IpTL Provides Security Against LogJam Attack


You may have read or heard about recent concerns over various encryption and "secure" VPN methodologies, including the so-called "LogJam Attack". This attack essentially tampers with the negotiation of the encryption used on a link to force it down to a weak cipher that can be cracked.

The real problem is poorly configured HTTPS and SSL VPNs that are trying to support legacy applications. IpTL has always put security at the forefront of our connectivity, and as such we are not vulnerable to this attack.

Here are some key points which are standard in any IpTL solution:

  • IpTL secure links do not use SSL or HTTPS. We are built on TLSv1.2 and use AES-256 encryption by default.

  • There are no weak export ciphers in our system.

  • We use 2,048-bit RSA asymmetric keys.

  • IpTL is a closed, symmetric system: our appliances or virtual machines are on both ends of the link, rather than a point-security solution.

    Thus, we can guarantee AES-256 encryption of your data, and no one can force a downgrade to a weaker encryption level that can be broken. If the cipher spec is altered, no connection takes place and no data is leaked.

  • With our Tunnel Authentication passphrase you can enter a 64-character passcode that locks even the initial TLS communication between the endpoints. Note: this is not an encryption pre-shared key (we don’t offer pre-shared keys!).

    When this feature is used, only the appliances sharing the same passphrase can communicate. Any other connection attempt is ignored; the server will not even respond to a non-authorized connection, so there is nothing to downgrade. This is above and beyond the standard ephemeral key exchange and HMACs of TLS!

  • IpTL offers an elliptic-curve cipher suite with AES-256-GCM and SHA-384 as a standard option for true state-of-the-art confidentiality!

Email us at marketing@iptechnologylabs.com and ask for our Security White Paper for even deeper details on how we connect and secure your network!

Category : Corporate | News | Security Advisories | Blog
9 Apr

Heartbleed – OpenSSL Heartbeat Extension Vulnerability in IpTL Appliances


Advisory ID: iptl-20140904-01-rev01
Released: 2014 April 9 00:00 UTC (GMT)

General Overview of the Heartbleed Vulnerability

On April 8, 2014, the United States Computer Emergency Readiness Team (US-CERT) announced a confirmed vulnerability in systems employing the OpenSSL cryptographic library. OpenSSL versions 1.0.1 through 1.0.1f contain a defect in the TLS heartbeat extension.

Using this vulnerability, an attacker can retrieve blocks of server memory up to 64 KB in size. There is no limit on the number of times the attack can be performed, and the attacker has no control over which memory region the block is read from.

Sensitive information that can be obtained includes:

  • Primary key material (secret keys)
  • Secondary key material (user names and passwords used by vulnerable services)
  • Protected content (sensitive data used by vulnerable services)
  • Collateral (memory addresses and content that can be leveraged to bypass exploit mitigations)
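The defect described above is a missing length check: the server copied as many payload bytes as the heartbeat message claimed, not as many as it had actually received. As an added example (not IpTL or OpenSSL code), the check below is implemented over the RFC 6520 heartbeat layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding); the function names and the two sample records are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16   /* RFC 6520: padding must be at least 16 bytes */

/* Declared payload length: 2-byte big-endian field after the type byte. */
static size_t hb_declared_payload(const uint8_t *rec)
{
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Build the response to one heartbeat record of rec_len bytes.
 * Returns the response length, or -1 if the record is silently discarded.
 * The length checks are what the vulnerable versions lacked: the declared
 * payload length must fit inside the bytes that were actually received. */
long build_heartbeat_response(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_MIN_PADDING) return -1;   /* too short to be valid */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload = hb_declared_payload(rec);
    if (1 + 2 + payload + HB_MIN_PADDING > rec_len) return -1;  /* the Heartbleed check */

    size_t resp_len = 1 + 2 + payload + HB_MIN_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);               /* echo only bytes really received */
    memset(out + 3 + payload, 0, HB_MIN_PADDING);    /* padding: random in TLS, zeros here */
    return (long)resp_len;
}

/* Bytes beyond the record that an unchecked copy of the declared length would
 * have read: this is the memory disclosure the advisory describes (up to ~64 KB). */
size_t heartbeat_overread_bytes(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 3) return 0;
    size_t needed = 1 + 2 + hb_declared_payload(rec) + HB_MIN_PADDING;
    return needed > rec_len ? needed - rec_len : 0;
}

/* Constructed sample records, not captured traffic. */
const uint8_t HB_GOOD_REC[] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };      /* 1+2+4+16 = 23 bytes */
const uint8_t HB_BAD_REC[]  = { HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };      /* claims 65535, carries 4 */
```

With the check in place the malformed record is dropped instead of answered; without it, the same record would have pulled 65,531 bytes of adjacent memory into the response.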

 

Heartbleed and IpTL Appliances

All IpTL appliances make use of the OpenSSL crypto library. Although all IpTL appliances running firmware versions prior to 3.2.5.1 contain the OpenSSL library defect, IpTL appliances provide unique out-of-the-box protection even in light of such a vulnerability.

The standard features in all IpTL appliances which provide continued protection from this vulnerability are:

  • Perfect Forward Secrecy (PFS)
  • Tunnel Auth passphrase

IpTL appliances operate with Perfect Forward Secrecy (PFS). PFS generates fresh random keys per session for key agreement; they are not derived from any deterministic algorithm or long-term key material. This means that the compromise of one message cannot lead to the compromise of others, and that there is no single secret value whose compromise exposes multiple messages. In relation to Heartbleed, the private keys of an IpTL appliance are never in a position to be exposed.

Additionally, the Tunnel Auth feature, under tunnel options, eliminates any ability for an outside attacker to inject, compromise, or obtain data.

Even though the vulnerability exists in OpenSSL, IpTL appliances still provide uncompromised protection of your connectivity.

 

Updated Firmware Released

In keeping with IpTL’s best practices, we have released firmware version 3.2.5.1 for our appliances. This firmware eliminates the Heartbleed bug. Please email support@IpTechnologyLabs.com for a link to this firmware or contact your integrator.

We encourage all customers to upgrade to stay current with security, operational, and feature updates.  This firmware is free of charge.

 

Links to additional information

https://www.us-cert.gov/ncas/alerts/TA14-098A

http://www.openssl.org/news/secadv_20140407.txt

Category : Security Advisories | Blog