How to Protect Solutions Like F5 BIG-IP from Exploits and How SSH NQX Could Have Helped
In August 2025, F5 disclosed a major security breach — publicly revealed on October 15, 2025 — in which a nation-state actor accessed internal systems and stole BIG-IP source code and vulnerability information.
The Cybersecurity and Infrastructure Security Agency (CISA) responded with Emergency Directive ED 26-01, warning U.S. agencies of the heightened risk of rapid exploitation. The directive urged organizations to inventory all BIG-IP devices, remove public management exposure, and patch or replace affected systems immediately.
Subsequent internet scans showed thousands of publicly reachable BIG-IP systems — prime targets for management-plane exploitation.
While F5’s technology is an essential part of many organizations’ security stack, it also needs protection of its own. A defense-in-depth architecture, using technologies like SSH NQX, could have significantly reduced both the likelihood and impact of such an event.
1. Management-Plane Isolation — No Public Exposure
CISA’s first mitigation step was clear: keep management interfaces off the internet.
SSH NQX enforces exactly that. It ensures that management and control traffic are never exposed publicly, permitting connectivity only through authenticated, encrypted, policy-defined links. 
This “air-gap-over-IP” model makes reconnaissance or exploitation of administrative interfaces effectively impossible from outside trusted zones.
By placing F5 administrative networks behind NQX Layer 2/3 tunnels with strict allow-lists, management access becomes available only via authenticated NQX peers — blocking mass scans and zero-day sprays.
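The inventory and exposure check that the directive calls for can be scripted. The following is an added example, not code from SSH, F5, or CISA, and it uses no NQX or BIG-IP configuration syntax: it audits a constructed device inventory for management addresses and allow-list entries that fall outside trusted management zones. The record field names, device names, and trusted ranges are assumptions.

```python
import ipaddress

# Assumption: address ranges the organization treats as trusted management zones.
TRUSTED_ZONES = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory records (not real devices); field names are hypothetical.
INVENTORY = [
    {"name": "bigip-dc1", "mgmt_ip": "10.20.0.5", "mgmt_allow": ["10.99.0.0/28"]},
    {"name": "bigip-dmz", "mgmt_ip": "198.51.100.7", "mgmt_allow": ["10.99.0.0/28"]},
    {"name": "bigip-lab", "mgmt_ip": "192.168.4.9", "mgmt_allow": ["0.0.0.0/0"]},
    {"name": "bigip-old", "mgmt_ip": "172.16.8.3", "mgmt_allow": []},
]

def in_trusted_zone(net):
    """True if the network lies entirely inside one trusted zone."""
    return any(net.version == z.version and net.subnet_of(z) for z in TRUSTED_ZONES)

def audit_device(dev):
    """Return a list of findings for one inventory record."""
    findings = []
    # A bare address parses as a /32 (or /128) network.
    if not in_trusted_zone(ipaddress.ip_network(dev["mgmt_ip"])):
        findings.append("management address outside trusted zones")
    if not dev["mgmt_allow"]:
        findings.append("no management allow-list defined")
    for entry in dev["mgmt_allow"]:
        net = ipaddress.ip_network(entry, strict=False)
        if not in_trusted_zone(net):
            findings.append(f"allow-list entry {net} reaches beyond trusted zones")
    return findings

def audit(inventory):
    """Map device name -> findings, keeping only devices that need action."""
    report = {d["name"]: audit_device(d) for d in inventory}
    return {name: found for name, found in report.items() if found}

if __name__ == "__main__":
    for name, found in audit(INVENTORY).items():
        for finding in found:
            print(f"{name}: {finding}")
```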
2. Containment and Lateral-Movement Control 
If an F5 system were compromised, NQX’s micro-segmentation and rule-based forwarding restrict the attacker’s ability to move laterally.
Compromised devices can communicate only with explicitly permitted destinations, limiting blast radius, and preventing data theft or credential pivoting deeper into the environment.
3. Independent Data-in-Transit Protection
While BIG-IP operates at Layers 4–7, NQX safeguards Layers 2–3. That means the confidentiality and integrity of network traffic remain protected even if an application-layer device like F5 is breached.
Back-end flows — between data centers, application tiers, or cloud segments — remain encrypted and integrity-checked, ensuring attackers can’t observe or tamper with internal data.
NQX is certified for EU CONFIDENTIAL / Finnish NCSA TL III traffic and is engineered for high-bandwidth, low-latency encryption.
4. Secured Egress and Exfiltration Prevention
Compromised devices often become command-and-control gateways. NQX restricts egress to approved update or telemetry endpoints only, over encrypted connections, shutting down beaconing, malware command channels, and unauthorized data exfiltration.
5. Compliance, Assurance, and Crypto-Resilience
NQX’s certifications (EU, NATO) and quantum-resistant cryptography make it suitable for regulated sectors such as government, energy, and finance.
It supports compliance with frameworks like NIS2, DORA, ENS, and CISA directives. Even as cryptographic standards evolve, NQX’s forward-looking design ensures long-term resilience — a crucial property for critical infrastructure.
Complementary, Not Redundant
| Solution | Core Focus | Layer |
| --- | --- | --- |
| F5 BIG-IP | Application delivery, load balancing, traffic security | L4–L7 |
| SSH NQX | Network transport encryption, segmentation, isolation | L2–L3 |
Combined, they create true defense-in-depth: even if one layer is compromised, the other maintains protection and visibility.
In Summary
Protecting the management plane, securing administrative access, and isolating service networks are fundamental to reducing exposure to modern exploits.
By integrating our SSH NQX as a secure transport and segmentation layer beneath F5 BIG-IP, organizations can operate critical infrastructure with confidence, resilience, and regulatory assurance — even against nation-state-level threats.
Jani Virkkula
Currently employed by SSH.COM as Product Marketing Manager, Jani is a mixed-marketing artist with a strong background in operator and cybersecurity businesses. His career path of translator -> tech writer -> marketer allows him to draw inspiration from different sources and gives him a unique perspective on all types...
