This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Performance impact assessment on NetWitness HW appliances with new kernel patch (CVE-2017-5753, CVE-2017-5754, CVE-2017-5715)

someone
Contributor
Contributor

‎2018-02-14 10:11 AM

Now that RSA have released the Red Hat kernel patches for side-channel analysis attacks (also known as Meltdown and Spectre), I would like to know the performance impact that these kernel changes could potentially have.

 

This is regarding Netwitness for Logs & packets (Security Analytics 10.6.x)  on physical appliances.

There are plenty indications and evidence that some patches for these vulnerabilities can cause CPU performance degradation and/or unexpected reboots. So my main question is whether this has been tested against and what would be the remediation should we discover that the hardware appliances are not fit for purpose anymore, after installing the kernel patch?

 

For example, both Series 4S and 5 physical Log Decoder can handle 30K EPS sustained and much higher peaks with minimal parsers&feeds enabled. What are the figures post-patching?

I'm looking for some technical feedback and not a link to DSA-2018-027: RSA Security Analytics Security Update for multiple embedded component vulnerabilities   that I'm querying about.

2 REPLIES 2

BrianDunphy
Employee
Employee

‎2018-02-14 04:44 PM

Since RSA NetWitness Suite (Logs / Packets) is a singe, root-user-only appliance, the reported vulnerabilities do not introduce any additional security risk to our solution or the customer's environment because a root level user already has full access to all information on the system.    Full impact statements for all RSA's products can be found at: https://community.rsa.com/docs/DOC-85418

 

Regardless, we did include the kernel patches for these vulnerabilities in the 10.6.5.1 patch update and these updates will be available shortly in 11.0.0.3.   Our testing has not shown any negative impact to the performance of the solution.

 

The kernel patches do not fully address Spectre (Variant 2), CVE-2017-5715 as this also requires a firmware update.   As you state, the 1st round of firmware updates were reported to cause performance and stability issues and these were recalled by Dell as a result.   Once updated firmware is available, we will be testing to understand what (if any) impact these cause to the performance of the RSA NetWitness Suite and providing additional guidance to customers.   

someone
Contributor
Contributor
In response to BrianDunphy

‎2018-02-23 04:37 AM

Thanks for the feedback. 

 

I would prefer to avoid having a political debate regarding the NW hardware appliances being affected when there are 30+ non-root users and no restriction of any kind from RSA to have additional non-root users for administration of the system. 

 

Security professionals, pen-testers and auditors can make their own judgement based on the available evidence, from RSA and through open-intel channels. 

 

Thanks for the confirmation regarding the performance impact, I will continue testing this on both virtual and physical and report back should I find anything different from what you have claimed.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.