The Top Ten Hardcore F5 Security Features in BIG-IP 12.0
Version 12 of BIG-IP and its glorious cadre of security modules has been released unto the world. It’s a big, big release packed with 194 features. More than half of those are security-related.
Selecting the best of over 100 security features is a daunting task. I had considered using the darts-against-printed-spreadsheets approach, but ultimately just went through them all, one by one, and...
David Holmes Greatest Hits, 2015 Edition
Here's the complete list of everything authored by yours truly in 2015. Except the NC-17 stuff, which I've been told should remain unpromoted. Let me start this list with the Absolute Greatest Hits of 2015 and then we'll move on to stuff that is only kindawesome.
Video: Using Cloud to Fill the Security Gap - DarkReading [2:23]
In an astonishingly short amount of...
The 5 David Holmeses More Famous Than Me
I need to change my name. Maybe you can help me choose from my short list.
Part of my job as an evangelist is to grow my brand. Build name recognition. Yet even though I have one of the world’s best PR firms promoting interviews and magazine articles every month, people can’t find me on Google unless they search for a specific term like “David Holmes cryptography” or “David Holmes ...
Implementing Lightweight East-West Firewalls with F5
In 2005, perpetual diva Miss Piggy portrayed all four of the directional witches (North, South, East and West) in Jim Henson’s Muppet’s Wizard of Oz. Despite a vigorous and, occasionally, violent performance, she was snubbed at the Academy Awards, ultimately losing out to Reese Witherspoon (Walk the Line). Maybe the Academy Awards voters understood this key principle that escaped our porcine...
Preparing your F5 for new TLS requirements in Apple iOS 9 and OS X 10.11
Apple is dropping new versions of its popular iOS and OS X operating systems. iOS Version 9 for iPhones, iPod Touches, and iPads arrives Wednesday, September 16, 2015. Version 10.11 of OS X will land about a week later.
Both versions will be promoting a stricter set of cryptographic requirements within their application libraries.
According to this iOS 9.0 technote, by default,...
How much of my traffic is still SSLv3?
When the POODLE vulnerability came out in 2014, it was hailed as the death knell for SSL version 3. In the quarter just prior to POODLE, 98% of Internet sites supported SSLv3, but a year later that support had dropped to just 33%.
Blue: Internet at large. Red: F5 devices.
Even though the POODLE vulnerability was never seen as an exploit against servers in the wild, system...
How to Fix That Sewer Smell in your European Hotel Bathroom in 2 seconds
Looking through the reviews on TripAdvisor you would be tempted to think that the boutique hotels in Paris suffered from some kind of horrible sewage problem.
How does a review like that happen? Suppose an American couple checks into a boutique hotel in gay Paris. Everything is fine the first day. Then the second day they start to notice an unwelcome sewer-y odor in the bathroom....
Remediating Logjam: an iRule Countermeasure
Professor Matthew Green of Johns Hopkins announced a weakness in the SSL Protocol and has given it the name Logjam (see weakdh.org). With Logjam, a malicious attacker can get access to the encrypted content of SSL connections that use ephemeral Diffie-Hellman (DH) by tricking the server and client into using 512-bit ephemeral keys. Some servers support a special export mode that...
My Three Favorite Security Podcasts
It takes effort to stay informed about the information security industry. The #infosec landscape changes incredibly fast. Security researchers and adversarial attackers generate a constant stream of vulnerabilities and other threat vectors. Keeping abreast of it all is a constant challenge.
One great way to stay informed is to listen to a selection of security-themed podcasts. Podcasts keep...
BIG-IP SSL Cipher History
John Hall, the fuzz-master at F5, put together this handy spreadsheet showing the SSL cipher suite support sets for F5 BIG-IP software releases over the years.
At the time of this writing, most BIG-IPs in the wild are somewhere between 11.2 and 11.4. But there are, and probably will always be, customers running versions as old as 10.2.4.
The green arrows indicate support in the NATIVE SSL...