Word has quickly spread that a serious weakness has been discovered in the Secure Sockets Layer (SSL) protocol that allows attackers to silently decrypt data that’s passing between a web server and an end-user browser.
All reports indicate that this vulnerability affects the SSL protocol itself and is not specific to any operating system, browser or software/hardware product. This is an information disclosure vulnerability that allows the decryption of encrypted SSL 3.0 and TLS 1.0 traffic. It primarily impacts HTTPS web traffic, since the browser is the primary attack vector.
SSL and TLS are two of the industry-standard technologies that Ipswitch File Transfer solutions use to encrypt data while in transit. Additional technologies such as AES transport encryption, PGP file encryption, and the encrypted FTPS and SFTP protocols are also used to secure data. As always, we recommend a defense-in-depth approach for protecting sensitive data.
At this point the vulnerability is not considered a high risk. Ipswitch is closely monitoring the situation and will implement recommendations and provide updates if this turns into a serious threat. We agree with Microsoft’s recommendation to prioritize the RC4 cipher suite and to enable TLS 1.1 in client and server. And given the choice, use the unaffected FTPS and SFTP protocols (and not HTTPS) until this vulnerability investigation is complete. Microsoft has also issued a fix that enables support for TLS 1.1 in Internet Explorer on Windows 7 and Windows 2008.
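To see how much of a server's HTTPS traffic still falls under the affected case, the added example below (not Ipswitch or Microsoft code) audits negotiated protocol and cipher pairs against the two mitigations named above: TLS 1.1 or later, or RC4 on SSL 3.0/TLS 1.0. The log format, field names and sample lines are constructed for illustration, and the protocol labels are assumed to follow OpenSSL naming.

```python
import re

# Protocol versions the page names as affected (OpenSSL-style labels, assumed).
AFFECTED_PROTOCOLS = {"SSLv3", "TLSv1"}

# Constructed sample lines in a hypothetical key=value TLS access-log format.
SAMPLE_LOG = """\
t=1 client=192.0.2.10 proto=TLSv1 cipher=AES128-SHA
t=2 client=192.0.2.10 proto=TLSv1 cipher=RC4-SHA
t=3 client=192.0.2.11 proto=TLSv1.1 cipher=AES256-SHA
t=4 client=192.0.2.12 proto=SSLv3 cipher=DES-CBC3-SHA
t=5 client=192.0.2.12 proto=SSLv3 cipher=RC4-MD5
garbage line without fields
t=6 client=192.0.2.13 proto=TLSv1 cipher=AES128-SHA
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return the line's fields, or None if a required field is missing."""
    fields = dict(FIELD_RE.findall(line))
    if not {"client", "proto", "cipher"} <= fields.keys():
        return None
    return fields


def classify(proto, cipher):
    """Apply the page's two mitigations: newer protocol, or RC4 on an old one."""
    if proto not in AFFECTED_PROTOCOLS:
        return "unaffected-protocol"
    # Handles OpenSSL (RC4-SHA) and IANA (TLS_RSA_WITH_RC4_128_SHA) names.
    # RC4 counts as mitigated only per this page; RFC 7465 later prohibited it.
    if "RC4" in re.split(r"[-_]", cipher.upper()):
        return "affected-protocol-rc4"
    return "exposed"


def audit(log_text):
    """Count verdicts and tally exposed connections per client."""
    totals, exposed, skipped = {}, {}, 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # malformed line: count it, do not guess
            continue
        verdict = classify(rec["proto"], rec["cipher"])
        totals[verdict] = totals.get(verdict, 0) + 1
        if verdict == "exposed":
            exposed[rec["client"]] = exposed.get(rec["client"], 0) + 1
    return totals, exposed, skipped
```

Calling `audit(SAMPLE_LOG)` returns the verdict totals, the per-client count of exposed connections, and the number of lines that could not be parsed.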
Before you ask: yes, we’re skipping version 13. We’re not an especially superstitious bunch, but it just seems like version 13 might be a bad idea. So we’re on to version 14–which will get its first public exposure with a Technical Preview release in April. If you want to test drive the latest and greatest in network management, go apply to be a part of the Technical Preview Program now.
Over the next few weeks, I’ll give you a sneak peek at some of the new features and innovations in WhatsUp Gold v14. First up is a response to the single most common feature request we’ve received from our customers.
Critical Active Monitors
Critical active monitors finally give you the ability to set dependencies on the active monitors that are applied to a device. In the past, if you wanted to monitor a Web server, for example, you might have applied several active monitors:
- A Ping monitor to tell you if the device was unreachable on the network.
- An HTTP monitor to tell you if the Web site was accessible.
- An HTTP content monitor to tell you if the content of the Web site changed.
- An HTTPS monitor to tell you if the Web site was accessible over an SSL-encrypted connection.
To get meaningful details about down monitors in your notifications, you would attach a custom action to each monitor.
That all worked fine–until your Web server crashed and WhatsUp Gold spammed you with four separate messages. In this example, four messages is not that big a deal, but imagine if you were monitoring dozens of aspects of a device: you could end up with a full inbox fast when a device went completely offline.
Critical active monitors fix that. Now, you can specify a monitor as a “critical” monitor. When a critical monitor fails, WhatsUp Gold stops trying to poll all of the non-critical monitors applied on the device. You get one message telling you what you care most about knowing.
Sign up for the WhatsUp Gold v14 Technical Preview Program
Curious to learn more about Critical Active Monitors and the other new features in WhatsUp Gold v14? You can learn more about the innovations in the new version on the Ipswitch Technical Preview site. Sign up for the technical preview program now and you’ll find out as soon as a technical preview release is available.
Questions? Ask them in the comments!