

F5 Guru Panel - Heartbleed

Introductions and Discussion: About Heartbleed and the Security Industry – A Changing Landscape

Here is a list of the questions asked by the community and answered by the panelists:

  1. What is Heartbleed?
  2. Why is Heartbleed a big deal?
  3. What is the impact overall?
  4. How does this impact businesses?
  5. What is the certificate revocation impact?
  6. So, if SSL is terminated on LTM, no iRules are required?
  7. Is the iRule universal, or HTTPS only?
  8. So the reason it is not vulnerable with SSL termination is because it ignores the heartbeat request?
  9. This is a dumb question, but ... we are decrypting and re-encrypting HTTPS traffic on the F5... is this as safe as SSL termination or are we at risk?
  10. Is there a vulnerability for IIS servers with say a Verisign SSL installed locally where the F5 is not terminating the SSL?
  11. Once the block is in place, don't you also have to renew the certificates and change passwords? You may have been hacked already.
  12. Does Tomcat use OpenSSL?
  13. Heartbleed doesn’t seem to be “in the news” quite as much this week…does that mean it’s all good now and I don’t need to worry?
  14. Is there a tool we can use to test a site before we log into it, if we are not sure whether it is vulnerable to the OpenSSL bug?
  15. Is the solution to the MASSIVE CRLs to revoke all the intermediate CAs?
  16. Due to browsers not handling CRLs consistently, is it possible for us to revoke a certificate and reissue a new one, but still be vulnerable to a MITM attack? Especially from mobile clients.
  17. From your expert view, what is your opinion on services like LogMeIn and the impact on users?
  18. Chrome appears to not check revocation by default (speed improvement)... can we check for Chrome or something specific within Chrome on the F5 before allowing a user to authenticate?
  19. Do you anticipate any other major issues with OpenSSL, and what should I do as a business to mitigate these upcoming problems?
  20. I have the BIG-IP and use the COMPAT cipher today (and it’s vulnerable), so what can I do to mitigate this risk?
  21. IIS is not an issue, but the WAF sitting in front of it may be?
  22. For BIG-IP 11.4.1 HF3, is it necessary to apply the iRule to protect the system?
  23. My company keeps its OpenSSL up to date, but I was just wondering if suggestions are being made on how to automate this fix.
  24. I use the BIG-IP to do simple layer 4 load balancing to a pool of HTTPS servers…what solutions does F5 have to help protect against Heartbleed?
  25. Where you mitigate Heartbleed matters: it could happen 1) at the client, 2) on request, or 3) on response. Why does F5 recommend mitigation “on request”?
  26. (Twitter follower question) Some people rely on two-factor authentication for mitigating Heartbleed credential theft. But, they don’t consider that session hijacking is still vulnerable. What ideas/suggestions would you give to these users and how could they implement a more robust security solution?
  27. (DevCentral user question) Why would it matter what is done in network perimeter with F5 iRules when the real threat is worms that are spread via emails? A worm will find ways to internal networks where they will port scan vulnerable targets and backdoor them for botnets.
  28. (DevCentral user question) What is the best way to enforce Native cipher usage in LTM?
  29. (DevCentral user question) What algorithms does F5 use for offloading SSL? Solution article!
  30. How concerned should we be if we use a CDN that may have been vulnerable, but our origin servers were not?
  31. Has anyone seen any performance issues with applying the Heartbleed iRules on Virtual Servers?
  32. I'm on version 11.4.1 which I understand was not vulnerable, so I have not applied the irule.
  33. Most of the information we've read around Heartbleed is focused on server-side vulnerabilities. Recently there's been additional info around client-side attacks, referred to as "reverse heartbleed". How can F5 help with client-side/reverse heartbleed?
  34. If we were to remove RC4 from our stack, I think we would lose compatibility with older browsers (like IE9 on Win7). Is there any way to mitigate this and remain compatible with older browsers?
  35. How is Heartbleed related to SDN/NFV networks, esp. in data center?
  36. Some WAFs sit between the client and the F5; in that case can you still use a DH cipher for SSL traffic?
  37. Given that F5 SSL stack is closed-source, how confident are we that a similar vulnerability is not exposed in the F5 SSL stack?
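Several of the questions above (6, 8 and 25) turn on inspecting the heartbeat request before it reaches the server. The Python below is an added example and is not F5's iRule, OpenSSL's code, or anything from the panel: it parses a TLS record, flags a heartbeat request whose declared payload length does not fit in the bytes actually sent (the RFC 6520 bounds check that patched OpenSSL enforces), and contrasts that with a simulated unpatched responder that trusts the header. The sample records and the "process memory" bytes are constructed here; they are not captured traffic.

```python
"""Heartbleed-style bounds check on TLS heartbeat records (added example)."""
import struct

# TLS record content type for Heartbeat (RFC 6520) and the two heartbeat message types.
CONTENT_TYPE_HEARTBEAT = 0x18
HB_REQUEST = 1
HB_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: padding_length MUST be at least 16


def parse_tls_record(data: bytes):
    """Split one TLS record into (content_type, version, fragment); None if truncated."""
    if len(data) < 5:
        return None
    content_type, version, length = struct.unpack("!BHH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        return None
    return content_type, version, fragment


def check_heartbeat(fragment: bytes) -> str:
    """Classify a heartbeat fragment: type(1) || payload_length(2) || payload || padding.

    The declared payload plus the 3-byte header plus minimum padding must fit inside
    the fragment that was really received. Unpatched OpenSSL skipped this check and
    copied payload_length bytes from memory, which is the Heartbleed read.
    """
    if len(fragment) < 3:
        return "malformed"
    hb_type = fragment[0]
    payload_len = struct.unpack("!H", fragment[1:3])[0]
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "malformed"
    if 3 + payload_len + MIN_PADDING > len(fragment):
        return "heartbleed"  # declared payload exceeds what was actually sent
    return "ok"


def inspect_record(data: bytes) -> str:
    """Request-side decision: what a device in front of the server can do with one record."""
    rec = parse_tls_record(data)
    if rec is None:
        return "truncated"
    content_type, _version, fragment = rec
    if content_type != CONTENT_TYPE_HEARTBEAT:
        return "not-heartbeat"
    return check_heartbeat(fragment)


def vulnerable_respond(fragment: bytes, process_memory: bytes) -> bytes:
    """Simulate the unpatched behaviour: echo payload_length bytes starting at the payload.

    process_memory stands in for whatever happened to follow the record in the heap;
    it is a constructed byte string here, not real memory.
    """
    payload_len = struct.unpack("!H", fragment[1:3])[0]
    heap = fragment[3:] + process_memory
    return heap[:payload_len]


def hardened_respond(fragment: bytes, process_memory: bytes):
    """Patched behaviour: discard silently unless the bounds check passes."""
    if check_heartbeat(fragment) != "ok":
        return None
    return vulnerable_respond(fragment, process_memory)


def build_heartbeat_record(payload: bytes, declared_len: int,
                           padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Construct a TLS 1.1 heartbeat request record for the samples below."""
    body = bytes([HB_REQUEST]) + struct.pack("!H", declared_len) + payload + padding
    return struct.pack("!BHH", CONTENT_TYPE_HEARTBEAT, 0x0302, len(body)) + body


# Constructed samples, not captured traffic.
BENIGN = build_heartbeat_record(b"ping", declared_len=4)
MALICIOUS = build_heartbeat_record(b"", declared_len=0xFFFF)
FAKE_HEAP = b"session=abc123; Authorization: Basic ..."  # constructed stand-in for adjacent memory


if __name__ == "__main__":
    print("benign   :", inspect_record(BENIGN))
    print("malicious:", inspect_record(MALICIOUS))
    print("leaked   :", vulnerable_respond(MALICIOUS[5:], FAKE_HEAP))
    print("hardened :", hardened_respond(MALICIOUS[5:], FAKE_HEAP))
```

The check runs on the request alone, which is why blocking "on request" needs no knowledge of the server's memory or response: a heartbeat whose declared length cannot fit in the bytes on the wire is dropped before the vulnerable copy ever happens.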