Companies faced with the threat posed by networking equipment that contains the notorious Heartbleed bug have few security options beyond working closely with affected vendors, most notably Cisco Systems and Juniper Networks.
Both vendors were working with customers Friday to help them patch products that contain the vulnerability found in OpenSSL, an open-source implementation of the widely used Secure Sockets Layer protocol for encrypting data traveling through corporate networks.
The U.S. government has warned that hackers are trying to exploit the bug to steal usernames, passwords and other sensitive information.
Many companies use Cisco or Juniper routers, switches, firewalls or virtual private networks (VPNs), all of which could contain the bug.
Cisco has identified at least 16 products that were vulnerable and was investigating 65 others. Juniper has found eight products containing the flaw and was investigating one more.
On Friday, a Cisco spokesman said the company "was definitely making progress, remediating some products, working through the products that haven't been classified, and adding product-specific information for our customers."
"Our advice to them is to stay connected to this information and consider any implications for their network," he said.
Juniper said in a statement that the flaw affected a "subset" of its products, including versions of the company's SSL VPN software, "which presents the most critical concern for customers."
"The company issued a patch for its SSL VPN product on Tuesday and is working around the clock to provide patched versions of code for our other affected products," Juniper said.
"We encourage our customers to contact Juniper's Customer Support Center for detailed advisories and product updates."
Working closely with the vendors is the best option for companies with vulnerable networks, said Gary McGraw, chief technology officer for consulting firm Cigital, which specializes in software security.
Networking gear cannot be easily replaced or taken offline without causing major disruptions to business operations.
Until patches are released, CSOs and security pros should zero in on identifying where the most sensitive information is traveling on the network and the equipment that touches that data.
"Maybe you can change what you're sending, maybe you can take your highest risk traffic and reroute it," McGraw said. "It's going to be on a case-by-case basis."
Companies also have the option of using the administration tools used to manage routers and firewalls to restrict access to the IP addresses of computers known to be safe, said Jake Williams, a certified instructor and computer vulnerability analyst with the SANS Institute. That way, a hacker coming in from a rogue device would be blocked.
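The access restriction Williams describes, shown as an added example that is not from the article and not from Cisco or Juniper: a Cisco IOS configuration that limits the router's management plane (SSH and HTTPS) to a single known administrator subnet. The subnet 10.0.100.0/24 is a constructed placeholder; the ACL number and line range are ordinary IOS conventions, not values taken from the article.

```cisco
! Added example (not from the article): restrict management-plane access on a
! Cisco IOS router to a known-good administrator subnet. The address
! 10.0.100.0/24 is a constructed placeholder; substitute your own management
! network. A standard numbered ACL is used so the same list works both on the
! VTY lines ("access-class") and on the HTTP server ("ip http access-class").
access-list 10 remark Hosts allowed to reach the management plane
access-list 10 permit 10.0.100.0 0.0.0.255
access-list 10 deny   any log
!
! Remote CLI: SSH only (no telnet); inbound sessions filtered by ACL 10
line vty 0 4
 access-class 10 in
 transport input ssh
!
! Web management: HTTPS only, filtered by the same ACL
no ip http server
ip http secure-server
ip http access-class 10
```

This is exposure reduction, not a fix: the TLS stack on the device is still vulnerable until the vendor patch is applied, and a user-facing service such as an SSL VPN cannot be filtered this way without cutting off the users it serves. What the ACL does is keep unknown hosts from reaching the management interfaces at all, which is where the sensitive credentials and session data Williams refers to would otherwise be exposed. The `log` keyword on the final deny entry means `show access-list 10` reports hit counts, and the logged denials show which unexpected addresses attempted to reach the management plane while the device remained unpatched.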