Over the last five years, security has been a top concern of most organizations, big or small. Much of the recent attention has focused on public cloud security as enterprises either migrate apps or build cloud-native apps. Many important apps, however, still reside in private data centers and will for the foreseeable future. As a result, enterprises must remain vigilant about the infrastructure and hardware they own, too.
A recent Bloomberg article highlighted this point by drawing attention to seeded supply-chain hacks, in which third parties intercept networking equipment in order to tamper with, spy on, or otherwise compromise data.
While tampering with hardware is not typically the entry point for application attacks, it can definitely be a straightforward way to slip under the radar. In short, there is no part of a system today – from hardware to software – that is not subject to some kind of threat, which is why it’s extremely important that enterprises ensure the protection of their systems from every possible angle. What’s more, the increasing use of third-party manufactured subsystems over the past decade increases the possibility of a supply-chain hack that impacts all board-level hardware. Organizations are (and should be) asking the questions: Are hardware vendors relying on their own hardware or someone else’s? And what does that mean for the security of applications?
At this stage, I’ll pause to make two key points:
- At F5, we own 100% of our hardware design and manufacturing test processes, which we tightly control.
- The entire F5 team works tirelessly towards making impactful hardware and software improvements.
Delivering Better Hardware Security During Manufacturing
While F5 is headquartered in Seattle, Washington, every aspect of our hardware design and development takes place at a secure company facility across the state in Spokane. The facility was born out of a desire to develop dedicated hardware to power our BIG-IP platform, and it allows us to directly ensure the security of our hardware and protect against seeded attacks. Within the site, F5 also keeps tight control over the manufacturing and test process, from initial design in CAD software, through printed circuit board (PCB) fabrication, and finally through printed circuit assembly (PCA), when actual components are soldered onto the PCB.
At F5, one big step we take towards ensuring protection and privacy is that we not only own our product designs and control all aspects of testing at our contract manufacturer facility, but F5’s IT team also owns and manages the infrastructure our tests run on. To understand the value of this control over the manufacturing process, it helps to briefly describe how our hardware is developed and manufactured. First, the design is done in CAD software, which generates Gerber data, a vector image of the board. Next, a printed circuit board (PCB) is fabricated from that data at a supplier other than our contract manufacturer. After that, a printed circuit assembly (PCA) is built, whereby the actual components (CPU, memory, ICs, transistors, etc.) are soldered onto the PCB. In addition, we use a combination of validation processes, AOI (Automated Optical Inspection) and 5DX/AXI (X-ray) inspection, to find any issues that could impact quality and system integrity. This includes identifying any element that is not part of the original product design under F5’s control.
Ensuring Hardware Security Through Software
Greater trust and confidence in the security of hardware can be achieved through software innovation as well. One example is our tamper detection capability, “TPM Chain of Custody.” This is a feature in our hardware that ensures the firmware installed on F5 hardware was actually manufactured by F5 and has not been tampered with, to better protect against interception attacks. The feature works by comparing the various layers of firmware “measured” at startup (hashed, in a process similar in spirit to a packet checksum) against the known validated values established during the F5 manufacturing process. This system startup comparison is called attestation.
In our previous BIG-IP software release, BIG-IP v14.0, F5 announced TPM-based Local Attestation, which is an automated method to compare the F5-determined values with the current values of the hardware/software as measured at the startup time (during boot). This means that during the BIG-IP boot sequence, local attestation automatically compares the current startup security values of several software stack components with the F5-known values, giving customers high confidence that the system is an untampered version manufactured by F5. This feature relieves our customers from manually performing the action, in turn freeing up resources and time, as well as reducing overall overhead cost.
With the recently released BIG-IP v14.1, F5 has enhanced this implementation and is very excited to announce the general availability of Remote Attestation for TPM Chain of Custody. The main difference is that F5 can now compare the current startup values of F5 firmware with the F5-known values by interfacing with iHealth. iHealth is controlled and secured by F5 centrally, making it better than validating locally. Once the iHealth platform checks the equipment values against its register, it reports back to the BIG-IP system whether the TPM is valid or not, providing customers with validation of the authenticity of their F5 device to prevent hardware- and firmware-based attacks.
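As an added illustration (not F5's code and not the TPM Chain of Custody implementation), here is a small Python simulation of the measure-then-compare logic described in the last three paragraphs: firmware layers are hashed into a PCR-style register in boot order and compared against golden values fixed at manufacturing (local attestation), and for the remote case the measurement is signed together with a verifier-issued nonce so a replayed value is rejected. The layer contents, key and nonce are constructed stand-ins, and HMAC replaces the TPM's asymmetric quote signature.

```python
import hashlib
import hmac

# Constructed sample firmware layers in boot order (stand-in blobs, not real
# F5 images); the golden values below are derived from them.
KNOWN_GOOD_LAYERS = [
    ("boot_block", b"constructed boot block image v1"),
    ("uefi_firmware", b"constructed UEFI firmware image v1"),
    ("bootloader", b"constructed bootloader image v1"),
]
ATTESTATION_KEY = b"constructed-device-key"  # stands in for the TPM's signing key

def measure_chain(layers):
    """Simulate one TPM PCR: pcr = SHA256(pcr || SHA256(layer)) per layer.
    Order matters, so a swapped, altered or extra layer changes the result."""
    pcr = bytes(32)
    log = []
    for name, image in layers:
        digest = hashlib.sha256(image).digest()
        pcr = hashlib.sha256(pcr + digest).digest()
        log.append((name, digest.hex()))
    return pcr, log

GOLDEN_PCR, GOLDEN_LOG = measure_chain(KNOWN_GOOD_LAYERS)  # fixed at manufacturing

def local_attest(layers, golden=GOLDEN_PCR):
    """Local attestation: boot-time PCR versus the stored golden value."""
    pcr, log = measure_chain(layers)
    return hmac.compare_digest(pcr, golden), log

def first_mismatch(log, golden_log=GOLDEN_LOG):
    """Name the first layer in the measurement log whose digest differs."""
    for (name, digest), (_, good) in zip(log, golden_log):
        if digest != good:
            return name
    return None

def make_quote(pcr, nonce, key=ATTESTATION_KEY):
    """Device side: sign (PCR || nonce) so the verifier can tell a fresh
    measurement from a replay; HMAC stands in for the TPM quote signature."""
    return hmac.new(key, pcr + nonce, hashlib.sha256).digest()

def remote_verify(pcr, nonce, quote, golden=GOLDEN_PCR, key=ATTESTATION_KEY):
    """Verifier side (the central service's role): check the quote against the
    nonce it issued, then compare the reported PCR with the golden value."""
    expected = hmac.new(key, pcr + nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, quote):
        return "bad-quote"
    return "valid" if hmac.compare_digest(pcr, golden) else "mismatch"
```

The event log is what lets an operator name the layer that drifted, while the single register value is what the verifier actually trusts.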
Recap
To summarize, the TPM-equipped F5 system now comes with functionality to aid in attestation and confirmation of chain of custody for the device, both locally and remotely, without the need to do it manually. This functionality verifies that the correct F5 software is running on the BIG-IP hardware and gives our customers the assurance that their hardware has not been tampered with. With F5’s BIG-IP hardware, customers have one less security concern to worry about and can better focus on securing their apps and app data.
For additional information on F5’s hardware platforms, please visit https://www.f5.com/products/big-ip-services/iseries-appliance, and for information on how F5 enhances your organization’s application security, please visit https://www.f5.com/solutions/application-security.