Blue Lane: Patching servers in the network

Company finds gold opportunity in network patching

For managers of enterprise datacenters, the endless stream of security patches from Microsoft, Oracle, and other software vendors (not to mention open source projects) has been a prime source of frustration. For Blue Lane Technologies, it has provided a golden opportunity.

Perhaps IT's least-favorite necessary evil, security patches are disruptive, time-consuming, and risky. They arrive unannounced or on the vendor's timetable, with no respect for your own well-considered change management processes. And like any change, they need testing before deployment. Even if testing goes smoothly, there's always a chance they'll introduce some new problem or other. Thus the need for security is pitted against another datacenter imperative: system availability.

The founders of Blue Lane had a better idea: implement security patches in a network appliance that fronts the servers, and every server could be protected against software vulnerabilities without having to make changes to the servers themselves. IT could install the actual patches later, on its own timetable.

"The idea," according to CEO Jeff Palmer, "was in effect [to] secure servers by delivering the capability of a server patch operating on the client server protocols on the network, with no new code on the server until you're ready." IT shops would reap the benefits of patching without rushing into action and without risking unplanned downtime.

Palmer says the Cupertino-based company "started out with literally a whitepaper... a mathematical analysis demonstrating that you could achieve the same end state by operating on network traffic before the traffic arrived at the server as if you actually made the modification on the server." That led to a prototype and then to funding.

"Our first year was spent looking at all the major vulnerabilities, all the security patches dating back to Jan. 1, 2003," remembers Allwyn Sequeira, Blue Lane's senior vice president of product operations. "We spent a lot of time ensuring that in fact we could fix the underlying vulnerability on the network."

Coming to market in the wake of countless signature-based IPSes, Blue Lane has fought an uphill battle communicating the true nature and novelty of the solution. As CEO Palmer explains, "Sometimes people say, 'Hey, a network appliance in front of the server, trying to protect it. Geez, you must be a signature-based solution.'

"No no no," he pleads. "This is really working on the protocol level, on the root cause to the known vulnerability, and correcting that on the wire. Frankly, it's indifferent to exploits. There's no sense of good traffic or bad traffic. It's just shutting off the loophole much as a vendor security patch would."

Product VP Sequeira notes a number of advantages over signature-based solutions. First, Blue Lane doesn't have to keep up with the enormous volume of exploits, but can focus on the smaller number of vulnerabilities. Second, because the inline patch proxy is not blocking threats, but modifying TCP traffic streams, it is not susceptible to false positives. And third, he says, performance is better than signature-based products.

The efficiency of the software was key to Blue Lane's most recent move, which was to release a version of the patch proxy that runs inside the VMware ESX hypervisor. An early customer, VMware encouraged Blue Lane to bring the technology into the virtualized environment. "The value proposition of shielding servers without introducing any new code or agents on the individual VMs fits hand in glove with the hypervisor model," Palmer says.

Virtualization presents exciting possibilities, agrees Sequeira, who sees a big opportunity for Blue Lane to bring greater visibility and protection to virtualized environments, thanks to its vantage point in examining the traffic flows into and out of the hypervisor and its VMs.

"Just like virtual servers are very quickly getting instantiated and deployed," says Sequeira, "the security ought to follow, and it ought to follow in real time... through policies that are location independent, application- and protocol-aware, and that can migrate with the VMs."

Join the PC World newsletter!

Error: Please check your email address.

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Doug Dineley

InfoWorld

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?