The posts on this blog are provided 'as is' with no warranties and confer no rights. The opinions expressed on this site are those of the authors and do not necessarily represent those of any employer or other organization.
The 'Heartbleed' vulnerability (CVE-2014-0160) has put the spotlight on the ramifications of zero day vulnerabilities. As news of the vulnerability broke and a patch became available, sysadmins around the globe were scrambling to patch or upgrade their servers. At the same time, security experts were also rushing to determine both how to detect and filter based on the signature of an Heartbleed attack and also the extent to which an attacked server may have been compromised .
These investigations even resorted to crowd-sourcing, for example, Cloudflare hosted an open competition to encourage hackers to answer the question, "can a site's private SSL keys be compromised?". Initially it was thought not, but unfortunately later the answer turned out to be affirmative.
Since the Heartbleed issue struck at the core of the web infra-structure, a library linked against Internet facing applications, the upgrade process itself was non-trivial for Ops teams to accomplish. It was required to take a position on version compatibility and application validation of often mission critical applications and possible service disruption weighed against the security risk of prolonged exposure. In many cases, the answer would have been to upgrade early without the normal testing that would usually be made when introducing an OS or library change into a production environment.
The recently launched SolarSecure product operates on every server within the data center and provides an additional layer to protect applications from Internet threats in addition to the standard Operating System mechanisms. Once the Heartbleed vulnerability rules were added to SolarSecure, it was able to protect each server immediately and without requiring application or library upgrades, patches or significant compatibility testing. Further, after upgrading, Solarsecure is able to offload such attacks from applications and can block Heartbleed and other attacks with little or no impact to application performance.
In summary, Heartbleed was a zero day vulnerability which required immediate action. Using SolarSecure enables such action to be effected very quickly accross the Enterprise.
Thanks are due to many people who campaigned to right the wrong - arguably achieved in 2009 when the UK govermnent issued an aplogy to Alan Turing. But more importantly, this pardon and the apology both directly acknowledge the tremendous impact of Turing's work. Among his many other achievements we should credit his code breaking activities as saving significant numbers of lives of the Western Allies during the Second World War.
John Graham Cumming was amongst the campaingers for the 2009 apology. One of his other interesting projects is to build the Babbage Analytical Engine. Not sure how the fund raising is going, but it's a very good cause and ground-breaking in many ways - not a reconstruction, but a first build of the machine that was never made.
From failed Ethernet Adapter Company - marketing department:
"Ah (sorry I can't do the accent) our product is so awful. We have PCI reliability issues, customers keep needing to reboot their machines, you can't accelerate TCP and UDP at the same time, in fact there are so many features we're missing over Solarflare .. and our raw performance even isn't as good.
I know (bing - idea), lets cook up a whitepaper with flawed methodology and compare ourselves against Solarflare. People will believe any old bullshit we publish and we'll maybe survive another 6 months .. who cares that we violate their EULA.
Brilliant ... lets put it on the front of our web site as well!
Hmm nice try, but customers are not that dumb.
1. A single x86 core processes lets say 4-5Mpps. When you present a user-space descriptor ring with a line rate flow of 15Mpps then it will exhaust the ring very quickly. The exact number of frames delivered before a drop occurs depends almost entirely on the configured ring size. "Oh lets set up a very large ring for ourselves and a very small ring for Solarflare" ..
2. Solarflare adapters have been routinely used in environments > 2Mpps for a very long time now. I've reproduced the performance section of this paper and it isn't pretty (for the other guy).
Feel free to contact me directly for more information. After spending 3 days getting their shockingly awful software to work and almost countless reboots (I would not wish this on anyone), I have a fair comparison to share.