How F5 Networks countered the Heartbleed bug

F5’s iRules proved critical in the fight against Heartbleed, enabling the company to issue a patch within hours of the bug’s discovery.

Over the last few weeks, the security industry has been rocked by the Heartbleed bug, which impacted OpenSSL-based websites. Heartbleed takes advantage of an OpenSSL feature called heartbeat, which exchanges data between the user’s computer and the web server. Heartbleed causes the web server to send back a massive amount of data, including sensitive, private customer information, rather than only the data it’s supposed to. The bug caused many companies and vendors to scramble to develop a fix to prevent any further leakage of data.

However, F5 customers were protected from the bug if they were running the security module. F5’s cipher stack customers were not affected as the bogus requests were identified and dealt with before they could get to the web server. It actually makes a strong case for running SSL offload in the application delivery controller (ADC) as a matter of standard practice.

So, that’s great for customers who use SSL offload, but what about customers who do not? Well, for that F5 actually created an iRule within a couple of hours of Heartbleed being discovered. Customers could then apply the iRule to the F5 ADC and be protected from the bug.
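The kind of screening described above, spotting a bogus heartbeat request before it reaches the web server, can be sketched as follows. This is an added Python example, not F5's iRule or code from the article; it assumes the inspector sees unencrypted TLS records, and the function names and sample records are constructed for illustration.

```python
import struct

HEARTBEAT = 24      # TLS record content type for heartbeat (RFC 6520)
MIN_PADDING = 16    # RFC 6520: at least 16 bytes of padding follow the payload

def classify_record(data: bytes) -> str:
    """Verdict for the first TLS record in data (assumed unencrypted)."""
    if len(data) < 5:
        return "truncated"
    ctype, _version, rec_len = struct.unpack("!BHH", data[:5])
    body = data[5:5 + rec_len]
    if len(body) < rec_len:
        return "truncated"
    if ctype != HEARTBEAT:
        return "not-heartbeat"
    if rec_len < 3:
        return "malformed"          # no room for type + payload_length
    claimed = struct.unpack("!H", body[1:3])[0]
    # type (1) + payload_length (2) + payload + padding must fit in the record
    if 3 + claimed + MIN_PADDING > rec_len:
        return "malformed"          # claims more payload than was actually sent
    return "ok"

def screen_stream(buf: bytes) -> list:
    """Walk concatenated TLS records and return one verdict per record."""
    verdicts, off = [], 0
    while off < len(buf):
        verdict = classify_record(buf[off:])
        verdicts.append(verdict)
        if verdict == "truncated":
            break                   # need more bytes before deciding
        rec_len = struct.unpack("!H", buf[off + 3:off + 5])[0]
        off += 5 + rec_len
    return verdicts

def build_record(ctype: int, body: bytes) -> bytes:
    """Constructed sample data: wrap body in a TLS 1.1 record header."""
    return struct.pack("!BHH", ctype, 0x0302, len(body)) + body

# Constructed samples, not captured traffic.
HANDSHAKE = build_record(22, b"\x01\x00\x00\x00")
BENIGN = build_record(HEARTBEAT, b"\x01" + struct.pack("!H", 4) + b"ping" + bytes(16))
OVERSIZED = build_record(HEARTBEAT, b"\x01" + struct.pack("!H", 0x4000))

if __name__ == "__main__":
    print(screen_stream(HANDSHAKE + BENIGN + OVERSIZED))
```

A device in the traffic path would drop or reset the connection on a `malformed` verdict and forward everything else.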

For those not familiar with it, iRules is F5’s Tcl-based scripting language that gives customers programmatic access to the traffic flowing through the ADC. Customers can use iRules to build custom features to inspect, analyze, modify, discard, mirror or manipulate traffic any way they would like. I remember interviewing F5 about iRules years ago and the concept back then was simply to let its customers do cool stuff with F5 products. Customers certainly have embraced it, and there are literally hundreds of thousands of iRules today, many of which are just a few lines long.

Over the years, F5’s competitors have been critical of iRules and claimed that the company is offloading feature development onto its customers. While that is technically accurate, the fact is that no ADC vendor could possibly build every possible feature for every possible scenario. Heartbleed is a great example of this. No one could have predicted a hole in OpenSSL, but when the flaw was discovered, an iRule was quickly created to secure the infrastructure.

While iRules provide the mechanism to build the scripts, the real power behind it is the DevCentral community. DevCentral is a portal for F5 administrators to share iRules and interact with one another. DevCentral currently has over 100,000 subscribers, providing an enormous online community. Some administrators have told me that they’ve posted a request for an iRule to handle a certain scenario and received replies within hours.

The size of DevCentral allows F5 to see more business issues that can be handled through the development of a new iRule or two on a daily basis than all other competitors combined see in a month. Today it’s Heartbleed, but tomorrow it could be something else, and whether F5 writes the iRule or not, someone is bound to.

F5’s position in the market has come under fire recently as software-only solutions and low-cost open source alternatives have become more popular and more available. To customers considering these alternatives, they’re certainly viable solutions today, but remember - you don’t get what you don’t pay for. So as you’re considering your next ADC purchase, look past the ADC itself and consider the size of the community supporting it and the agility to customize the solution in your specific environment.
