Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.
Spectre and Meltdown are security vulnerabilities that impact all modern microprocessor vendors and most computing devices. Many enterprise IT teams are running around like crazy trying to get a handle on the impact.
So far, most of the early talk about these vulnerabilities has been focused on servers and cloud providers. However, these vulnerabilities also impact networking products, particularly L4-7 networking appliances like Application Delivery Controllers and WAN Optimization Controllers. This represents both a security concern and a potential performance hit. We have in-depth research on this coming soon, with Joe Skorupa leading the networking guidance. That said, we wanted to provide a snippet of the research, including our high-level guidance to networking teams:
First things first, don't overreact. Your vendors may recommend immediate code upgrades. Don't upgrade without a clear business need, even if your vendor tells you that patches are available. Dedicated appliances that do not allow you to run third-party software are lower-risk. Open virtualized platforms that support third-party software (WOCs, ADCs and some data center switches) are at greater risk.
Prioritize upgrades for internet-facing systems. Develop a risk-based roll-out plan for patching open platforms, recognizing that in the short term performance may suffer. Baseline the performance of installed appliances in order to understand how much margin exists in these systems. Be sure to examine historical data to ensure peak load periods are well understood. Pay special attention to devices that already exhibit high-performance thresholds. To deal with performance degradation, work with your procurement organization to develop a strategy to deal with suppliers whose products no longer meet their published specifications. Recognize that their claims were made in good faith.
Finally, this is a moving target. Intel continues to release updates; motherboard providers are updating firmware and OS, and appliance vendors are updating to reduce risk and minimize performance impact. The only certainty is that it will take some number of months for the dust to settle. In the meantime, be prudent. Focus on high-risk assets and, even then, only upgrade when there is a clear need/benefit. More details will be provided in the upcoming report.
Regards, Andrew (& Joe)
note: I’ll post the full link when the research publishes