Over the last few weeks, the security industry has been rocked by the Heartbleed bug, which impacted OpenSSL-based websites. Heartbleed takes advantage of an OpenSSL feature called heartbeat, which exchanges data between the user’s computer and the web server. Heartbleed causes the web server to send back a massive amount of data, including sensitive, private customer information, rather than only the data it’s supposed to. The bug caused many companies and vendors to scramble to develop a fix to prevent any further leakage of data.
However, F5 customers were protected from the bug if they were running the security module. Customers using F5’s cipher stack were not affected, as the bogus requests were identified and dealt with before they could get to the web server. This actually makes a strong case for running SSL offload in the application delivery controller (ADC) as a matter of standard practice.
So, that’s great for customers who use SSL offload, but what about customers who do not? Well, for those customers F5 actually created an iRule within a couple of hours of Heartbleed being discovered. Customers could then apply the iRule to the F5 ADC and be protected from the bug.
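As an added example (not F5's iRule and not code from the original post), here is one way a bogus heartbeat request can be recognized before it reaches the web server: the length rule from RFC 6520, checked in Python against a plaintext TLS record. The function name, return labels and sample records are constructed for illustration.

```python
import struct

HEARTBEAT = 24      # TLS record content type for heartbeat (RFC 6520)
MIN_PADDING = 16    # RFC 6520: at least 16 bytes of padding follow the payload


def check_heartbeat_record(record: bytes) -> str:
    """Classify one plaintext TLS record: not-heartbeat, truncated, ok or malformed."""
    if len(record) < 5:
        return "truncated"
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HEARTBEAT:
        return "not-heartbeat"
    body = record[5:5 + rec_len]
    if len(body) < rec_len:
        return "truncated"          # wait for the rest of the record
    if rec_len < 3:
        return "malformed"          # no room for type + payload_length
    _hb_type, claimed = struct.unpack("!BH", body[:3])
    # type (1) + payload_length field (2) + claimed payload + padding must all
    # fit inside the bytes that were actually received in this record.
    if 1 + 2 + claimed + MIN_PADDING > rec_len:
        return "malformed"          # RFC 6520: discard silently, never answer
    return "ok"


def _record(ctype: int, body: bytes) -> bytes:
    """Wrap a body in a TLS 1.1 record header (constructed test helper)."""
    return struct.pack("!BHH", ctype, 0x0302, len(body)) + body


# Constructed sample records, not captured traffic.
SAMPLES = {
    "honest heartbeat": _record(HEARTBEAT, b"\x01" + struct.pack("!H", 4) + b"ping" + bytes(16)),
    "length mismatch": _record(HEARTBEAT, b"\x01" + struct.pack("!H", 0x4000)),
    "application data": _record(23, b"\x00" * 8),
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(f"{name:18} -> {check_heartbeat_record(rec)}")
```

Heartbeat records sent after the handshake completes are encrypted, so this check applies where the record is seen in plaintext, such as on a device that terminates SSL.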