Netflix Open Connect

Appliance Security

Source Code Provenance

Open Connect Appliance (OCA) software includes the FreeBSD operating system and the NGINX web server, licensed under BSD. Both of these products have active security teams. In addition, the commercial body nginx.com provides us with pre-announcements of security issues and patches to fix any vulnerabilities. As FreeBSD committers and Security Officers with extensive background in third-party packaging, the Netflix OCA development team is on trusted security mailing lists and pre-announcement groups and takes a proactive role in security protection and assurance.

For third-party software packages, the team receives advance notice of vulnerabilities by monitoring various pre-announcement lists, including oss-security and other trusted vendor-based sources.

In practice, security vulnerabilities are usually identified and fixed before they are made public. We release firmware updates approximately every 5 weeks. However, if we need to fix a serious security bug, we can roll out a new firmware version within an hour.

Access to Open Connect Appliances (OCAs)

There is no ISP or third-party login access to the Netflix OCAs.

Content

Various intrusion detection methods are used, including a lightweight Static Intrusion Detection System that runs regularly on the OCAs to identify abnormal activity in the file systems and report it to the control plane.



© 2016, 2017 Netflix, Inc. All rights reserved.