Karl Triebes has served as F5 Networks’ CTO and executive vice president of product development for just over a decade. We recently sat down with Triebes in midtown Manhattan, where the Seattle-based exec was visiting for F5’s annual analyst and investor meeting. In a wide-ranging interview, Triebes discussed the biggest security threats of the moment, the competitive landscape for security virtualization, and his predictions for SDN.
What are the biggest specific security threats that you’re seeing lately?
Triebes: Well, DDoS attacks are a big problem. It’s so pervasive. I found out I was getting DoS’ed on my home account, because my kids were playing these online games, and we have really good bandwidth. I have 100 megs of bandwidth, and so these kids figure out who’s got the high bandwidth and they’ll go attack. The way they get these attacks, they can dial it up over at Amazon, or you get a Bitcoin or do something like that, and bang. So I saw on my router I was getting DoS’ed.
So that would be a paid third-party attack?
Triebes: It is, or sometimes they’re just for free.
That a 13-year-old kid can just buy online?
Triebes: Yeah, that’s how pervasive it is. It’s so easy to get these nets that are doing this stuff. So I actually detected it on the router, and I shut it down. I was getting a SYN flood attack, so it’s a basic one.
Did you deploy F5 to fix it?
Triebes: I have run our solutions in my network at home, but not right now. My wife got mad because I had one of our big boxes in there and it was making so much noise. I’m like, “All right…”
But at any rate, DDoS, it’s pervasive. DDoS, and all these vulnerabilities in open source. That’s a big one. Just look at the impact like Heartbleed had, or Shellshock. What was interesting is we actually are in a good spot to help protect against all of these. Because, for example, for Heartbleed, now that we have this Silverline service, it’s real easy for us to go stand up specific functions that could block the problems, and you don’t even have to be an F5 customer with gear onsite. You just subscribe with the service. So for Heartbleed we could cleanse the connection. What was it that it would send?
Well, it was that connection maintenance ping, and the server would return a string of random-memory data.
Triebes: Right, so it could pull a block of memory. Yeah, I couldn’t remember exactly the specifics with the protocol. But we could actually prevent that from happening. We could just block it until they had enough time to delete.
Without even fixing the server code that created the issue?
Triebes: Exactly. We just wouldn’t allow the request to ever get to it. We could just redirect it. So that’s just one example. The same thing with Shellshock — our web application firewall blocked it. We can set policies to do this, because it’s all app-level policies. That’s what’s happening with these attacks. They’ve all moved up the chain. It’s no longer just about basic network style attacks. It’s all these application-specific attacks. Those are the most insidious, but they’re also the highest value because what they’re trying to do is get information or data or customer credit cards out of the application itself.
As you mentioned, these were both high profile vulnerabilities with open source code. Do you see a backlash coming against open source?
Triebes: No, I think open source is here to stay. It’s just too pervasive, and what’s happening is, it’s evolving. You’re seeing new standards pop up. The problem with any kind of code is that unless you’re constantly going back and re-grooming it and cleaning it up, you’re going to wind up with these holes in it.
That’s just going to be life, and so the strategy has to be around, “How do I secure it?” Because people who write the applications often don’t understand security; they’re trying to implement business logic. And that goes for open source as well. So the opportunity there is, for a lot of customers who leverage open source, find a way to protect them from those issues that come up if they’re exposed from the open source, or quickly remediate.
You’ve mentioned a few fairly easily solved security challenges. What are the biggest security threats that we just don’t have good answers for right now?
Triebes: Malware. That’s one of the biggest ones we have. There are various attempts in trying to deal with it, behavioral analysis, and things like that. There’s signature-based and things like that. We’re working on some technologies to help identify it in your network, and then remediate it automatically. Like I said, we already have policies that deal with things at the app tier and detect other bad behaviors.
There’s not any one magic bullet, so you have to have this defense-in-depth strategy in some ways where you’re looking at things like risk. You have a risk profile based upon the users and what’s coming in. You have to have a fingerprint to understand who bad actors are and then put together a blacklist/whitelist. Then you’ve got to look for behaviors of things that are connected. Like, “Hey, why’s the IP address coming from Russia?”
Are you seeing an increase in malware that’s targeted at the data center rather than at end users?
Triebes: Yeah. That’s what happened at Home Depot, for example. They’re going right after the data center, because that’s where all the money is. They want to get access to that. It’s the same thing when they’re targeting people’s accounts. I can get in the account. I can get people’s stuff out of that. They start there, but it winds up in the data center.
So the best thing is to block behavior. If you can sense it, block it, protect that data center. That’s been our focus primarily. But we want to go more fundamental and group that out.
Triebes: Well, first of all we consolidate a lot of the security functionality, Layer 3 to Layer 7, and we’re in 85 percent of the world’s enterprises. So we have a footprint there, and it’s as simple as enabling our functionality, so suddenly now we’re a world-class firewall and we protect on the inbound cases. It doesn’t eliminate the need for a perimeter device.
What’s funny is that Cisco actually is a big partner of ours in the core space, because they used to compete against us head-to-head in the ADC market. Well, they exited that business about two years ago. They just couldn’t keep up, which was good. It’s a good resume item: “Knocked Cisco out…” So they’re a big partner, but they make a traditional firewall, and we actually have a nontraditional firewall.
Juniper is easy because they haven’t been investing in their security footprint, especially in the service provider bubble use case. But we have massive scalability — we can go 640 Gb/s in firewalls in one of our boxes, and so we can replace two racks of Juniper with a quarter of a rack of our gear. So service providers love that, plus then we have all the other functionality as part of that.
So it’s not hard to compete against those guys, let’s put it that way.
What’s coming down the pike at F5?
Triebes: What we’ll be offering next year is essentially a way to connect the signaling channel between on-prem and off-prem. That can automatically detect when attacks are occurring, and the service can automatically take action based upon that. But it also collects information on the types of attacks that are happening, and then we can be proactive and push out signatures and notify customers and things like that if we see attacks happening in geographies. So we’re trying to build this security model, and this is step one of the services that we’re offering.
We’ll be offering very soon, not just DDoS, but web application firewalling as a service. Then we’ll be expanding our portfolio services so that pretty much all the products we offer will be standalone that can run in software or hardware, and we’ll be offering it as a service. It’s, “Hey, you can consume it any way you want. You can be on-prem, off-prem or take it as a service.”
Who are the biggest customers for that? Where do you see that market opportunity?
Triebes: All across the board. We focus on Global 2000, so it’s big enterprises, and financial vertical, and service providers across the board. I actually think having that as a service will enable customers to get familiar with it and understand what it can do, and then, I think what will ultimately drive sales is people will put it on-prem. I don’t understand why every data center in the world doesn’t have a web application firewall, because we see all these attacks. Remember the Sony attack a couple of years ago when they took them down and they lost a billion dollars in revenue? We would have prevented that attack. If they’d had us online it wouldn’t have happened.
What do you think are the biggest unanswered questions facing the industry?
Triebes: The whole SDN question, because there are all these controllers that are popping up. You’ve got Cisco and their APIC, and you’ve got the NSX, OpenStack, OpenDaylight. I mean there are all these controllers coming up, and the problem with that is that it’s pretty difficult, I think, to render up into all these different controllers all the specific functionality. For us, you can’t render everything up in their whole object model the things that we do. So we have to work side-by-side with these things and so the big question is “Well, what controller do customers want?”
Do you think that eventually a clear winner will emerge and become the dominant controller?
Triebes: I think what’ll happen is that we’ll have to standardize it. There are too many proprietary ones. OpenStack may force some of that.
The biggest problem I’ve wanted to see solved when they start talking about SDN was this notion of configuring your network. “Hey, I’ve got VLANs, I’ve got IP addresses, I’ve got routes” — that should all be configured across the board. Everything that plugs into that network should understand that network topology and then have the functionality on top of that.
That’s where I think this is going to go. If you look at what Cisco has, it’s really network-focused. Largely the same thing with NSX; it’s this idea of a network fabric and you plug it into this fabric. To me, that’s a network. So I think that’s where it’s going to head long term.