Feb 25, 2021

Why F5 spent $2.2B on 3 companies to focus on cloud native applications

It’s essential for older companies to recognize changes in the marketplace or face the brutal reality of being left in the dust. F5 is an old-school company that launched back in the 90s, yet has been able to transform a number of times in its history to avoid major disruption. Over the last two years, the company has continued that process of redefining itself, this time using a trio of acquisitions — NGINX, Shape Security and Volterra — totaling $2.2 billion to push in a new direction.

While F5 has been associated with applications management for some time, it recognized that the way companies developed and managed applications was changing in a big way with the shift to Kubernetes, microservices and containerization. At the same time, applications have been increasingly moving to the edge, closer to the user. The company understood that it needed to up its game in these areas if it was going to keep up with customers.

Taken separately, it would be easy to miss that there was a game plan behind the three acquisitions, but together they show a company with a clear opinion of where they want to go next. We spoke to F5 president and CEO François Locoh-Donou to learn why he bought these companies and to figure out the method in his company’s acquisition spree madness.

Looking back, looking forward

F5, which was founded in 1996, has found itself at a number of crossroads in its long history, times when it needed to reassess its position in the market. A few years ago it found itself at one such juncture. The company had successfully navigated the shift from physical appliance to virtual, and from data center to cloud. But it also saw the shift to cloud native on the horizon, and it knew it had to be there to survive and thrive long term.

“We moved from just keeping applications performing to actually keeping them performing and secure. Over the years, we have become an application delivery and security company. And that’s really how F5 grew over the last 15 years,” said Locoh-Donou.

Today the company has over 18,000 customers centered in enterprise verticals like financial services, healthcare, government, technology and telecom. He says that the focus of the company has always been on applications and how to deliver and secure them, but as they looked ahead, they wanted to be able to do that in a modern context, and that’s where the acquisitions came into play.

As F5 saw it, applications were becoming central to their customers’ success and their IT departments were expending too many resources connecting applications to the cloud and keeping them secure. So part of the goal for these three acquisitions was to bring a level of automation to this whole process of managing modern applications.

“Our view is you fast forward five or 10 years, we are going to move to a world where applications will become adaptive, which essentially means that we are going to bring automation to the security and delivery and performance of applications, so that a lot of that stuff gets done in a more native and automated way,” Locoh-Donou said.

As part of this shift, the company saw customers increasingly using microservices architecture in their applications. This means instead of delivering a large monolithic application, developers were delivering them in smaller pieces inside containers, making it easier to manage, deploy and update.

At the same time, it saw companies needing a new way to secure these applications as they shifted from data center to cloud to the edge. And finally, that shift to the edge would require a new way to manage applications.

Jun 20, 2018

Nginx lands $43 million Series C to fuel expansion

Nginx, the commercial company behind the open source web server, announced a $43 million Series C investment today led by Goldman Sachs Growth Equity.

NEA, which has been on board as an early investor, is also participating. As part of the deal, David Campbell, managing director at Goldman Sachs’ Merchant Banking Division, will join the Nginx board. Today’s investment brings the total raised to $103 million, according to the company.

The company was not willing to discuss valuation for this round.

Nginx’s open source approach is already well established, running 400 million websites including some of the biggest in the world. Meanwhile, the commercial side of the business has 1,500 paying customers, giving those customers not just support, but additional functionality such as load balancing, an API gateway and analytics.

Nginx CEO Gus Robertson was pleased to get the backing of such prestigious investors. “NEA is one of the largest venture capitalists in Silicon Valley and Goldman Sachs is one of the largest investment banks in the world. And so to have both of those parceled together to lead this round is a great testament to the company and the technology and the team,” he said.

The company already has plans to expand its core commercial product, Nginx Plus, in the coming weeks. “We need to continue to innovate and build products that help our customers alleviate the complexity of delivery of distributed or micro service based applications. So you’ll see us release a new product in the coming weeks called Controller. Controller is the control plane on top of Nginx Plus,” Robertson explained. (Controller was launched in beta last fall.)

But with $43 million in the bank, the company wants to build out Nginx Plus even more in the next 12-18 months. It will also be opening new offices globally to add to its international presence, while expanding its partner ecosystem. All of this means an ambitious goal to increase the current staff of 220 to 300 by the end of the year.

The open source product was originally created by Igor Sysoev back in 2002. He introduced the commercial company on top of the open source project in 2011. Robertson came on board as CEO a year later. The company has been growing 100 percent year over year since 2013 and expects to continue that trajectory through 2019.

Sep 06, 2017

Nginx goes beyond its server roots and launches its application platform

Nginx, in its commercial and open source forms, is one of the most popular load balancers, proxies, web and application servers on the internet today. But Nginx Inc, the company behind the project, wants to cast a wider net, especially now that the way developers are writing and deploying their applications is quickly changing. As the company announced at its developer conference in…

Aug 23, 2016

NGINX Plus’s latest release puts the focus on security

NGINX, the company behind the popular open-source NGINX server, launched the latest version (R10) of its NGINX Plus commercial offering today. Like similar open-source companies, NGINX offers its core product for free, but then charges for more advanced features and services. Today marks the tenth major update to NGINX Plus and, as the company’s CMO Peter Guagenti and technical…

Jun 22, 2016

NGINX’s Amplify monitoring tool is now in public beta

NGINX today launched Amplify, its new application monitoring tool, out of private beta. While the cloud-based tool is still officially in beta, it’s now available to all NGINX users — both those who run the paid NGINX Plus edition or the free open-source version. As NGINX CEO Gus Robertson and CMO Peter Guagenti told me, the company’s users told the team that they wanted to…

Sep 16, 2015

NGINX Brings HTTP/2 Support To Its Commercial Release

NGINX, the well-funded and increasingly popular web and application server company, today announced that it now supports HTTP/2, the next generation of the HTTP standard, in its latest commercial release. The company, which already offered some HTTP/2 support in its free open source product, today released NGINX Plus R7 to its customers. While HTTP/2 support is definitely the highlight of…

Oct 15, 2014

How to close POODLE SSLv3 security flaw (CVE-2014-3566)

Padding Oracle On Downgraded Legacy Encryption

First off, the naming “convention” for security issues has been terrible as of late. The newest vulnerability (CVE-2014-3566) is nicknamed POODLE, which at least is an acronym and, as per the header above, has some meaning.

In summary, this issue is much the same as the earlier B.E.A.S.T (Browser Exploit Against SSL TLS); however, there is no known mitigation in this case other than disabling SSLv3 support entirely. In short, an attacker has a vector by which they can retrieve the plaintext from your encrypted streams.

So let’s talk mitigation. The Mozilla Security Wiki page on Server Side TLS has for some time made strict recommendations on ciphers and protocols, and is certainly worth your attention.

Apache

Disable SSLv2 and SSLv3 in your Apache SSL configuration by setting:
SSLProtocol all -SSLv2 -SSLv3

Nginx

Allow support only for TLS in Nginx with the following:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
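
To confirm the two directives above are actually in effect across a set of config files, the following added example (not part of the original post) reports every explicit `SSLProtocol` and `ssl_protocols` line and whether it leaves SSLv3 on. The function names and sample files are constructed for illustration; the check assumes a bare protocol name in Apache enables that protocol (which errs toward flagging) and does not model compiled-in defaults or included files.

```shell
#!/bin/sh
# audit_sslv3 FILE...  (hypothetical helper, not from the post)
# Prints "<file>:<line>: <directive> SSLv3=on|off" for each explicit
# directive and returns 1 if any of them leaves SSLv3 enabled.
audit_sslv3() {
    awk '
    function report(on) {
        printf "%s:%d: %s SSLv3=%s\n", FILENAME, FNR, $1, (on ? "on" : "off")
        if (on) bad = 1
    }
    { sub(/[#].*/, ""); sub(/;[ \t]*$/, "") }   # drop comments and the trailing ";"
    tolower($1) == "sslprotocol" {              # Apache: tokens apply left to right
        on = 0
        for (i = 2; i <= NF; i++) {
            t = tolower($i)
            # "all" includes SSLv3, which is why the post subtracts it again
            if (t == "all" || t == "+all" || t == "sslv3" || t == "+sslv3") on = 1
            else if (t == "-all" || t == "-sslv3") on = 0
        }
        report(on)
    }
    tolower($1) == "ssl_protocols" {            # Nginx: an explicit allow-list
        on = 0
        for (i = 2; i <= NF; i++) if (tolower($i) == "sslv3") on = 1
        report(on)
    }
    END { exit (bad ? 1 : 0) }
    ' "$@"
}

# Constructed sample configs (not from the post), written into directory $1.
write_samples() {
    dir=$1
    printf '%s\n' 'SSLEngine on' 'SSLProtocol all -SSLv2 -SSLv3' > "$dir/apache-fixed.conf"
    printf '%s\n' 'SSLProtocol all -SSLv2  # pre-POODLE habit' > "$dir/apache-weak.conf"
    printf '%s\n' 'server {' '    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;' '}' > "$dir/nginx-fixed.conf"
    printf '%s\n' 'server {' '    ssl_protocols SSLv3 TLSv1;' '}' > "$dir/nginx-weak.conf"
}

tmp=$(mktemp -d)
write_samples "$tmp"
audit_sslv3 "$tmp"/*.conf || echo "SSLv3 is still enabled in at least one directive"
rm -rf "$tmp"
```

The non-zero exit status makes the function usable as a gate in a deployment or configuration-management check.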

MySQL

This is where things get far more interesting: unlike Apache and Nginx, there’s no way to allow or disallow entire protocols of the SSL / TLS spec within MySQL. There is, however, the ability to specify the cipher spec to be used in SSL communication.

As such, to remove SSLv3 support from MySQL you need only ensure that none of the SSLv3 ciphers are in use within your configuration.

As per information in this bug, you can find a list of SSLv3 ciphers by simply running:
openssl ciphers -v 'DEFAULT' | awk '/SSLv3 Kx=(RSA|DH|DH(512))/ { print $1 }'
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
DHE-RSA-CAMELLIA256-SHA
DHE-DSS-CAMELLIA256-SHA
AES256-SHA
CAMELLIA256-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
DES-CBC3-SHA
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
DHE-RSA-SEED-SHA
DHE-DSS-SEED-SHA
DHE-RSA-CAMELLIA128-SHA
DHE-DSS-CAMELLIA128-SHA
AES128-SHA
SEED-SHA
CAMELLIA128-SHA
RC4-SHA
RC4-MD5
EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5

Removing the above from your ssl-cipher configuration should disable SSLv3 support; of course, ensuring your MySQL service is NOT generally accessible is by far one of the most important steps you can take in securing your MySQL deployment against CVE-2014-3566.

You can read more about POODLE here.

The following script will help to identify support for any non-SSLv3 ciphers; unfortunately, in my limited testing I have yet to find a supported non-SSLv3 cipher.

Formatting is an issue for the script, so please see the GitHub gist.

 

UPDATE 2014-10-16: openssl updates are now becoming available with patches against this issue

AMI Linux: openssl-1.0.1j-1.80.amzn1 “add patch for CVE-2014-3566 (Padding Oracle On Downgraded Legacy Encryption attack)”

RedHat: no update is yet available

 

The post How to close POODLE SSLv3 security flaw (CVE-2014-3566) appeared first on MySQL Performance Blog.
