Blue Lane: Patching servers in the network

Company finds gold opportunity in network patching

For managers of enterprise datacenters, the endless stream of security patches from Microsoft, Oracle, and other software vendors (not to mention open source projects) has been a prime source of frustration. For Blue Lane Technologies, it has provided a golden opportunity.

Perhaps IT's least-favorite necessary evil, security patches are disruptive, time-consuming, and risky. They arrive unannounced or on the vendor's timetable, with no respect for your own well-considered change management processes. And like any change, they need testing before deployment. Even if testing goes smoothly, there's always a chance they'll introduce some new problem or other. Thus the need for security is pitted against another datacenter imperative: system availability.

The founders of Blue Lane had a better idea: implement security patches in a network appliance that fronts the servers, and every server could be protected against software vulnerabilities without having to make changes to the servers themselves. IT could install the actual patches later, on its own timetable.

"The idea," according to CEO Jeff Palmer, "was in effect [to] secure servers by delivering the capability of a server patch operating on the client server protocols on the network, with no new code on the server until you're ready." IT shops would reap the benefits of patching without rushing into action and without risking unplanned downtime.

Palmer says the Cupertino-based company "started out with literally a whitepaper... a mathematical analysis demonstrating that you could achieve the same end state by operating on network traffic before the traffic arrived at the server as if you actually made the modification on the server." That led to a prototype and then to funding.

"Our first year was spent looking at all the major vulnerabilities, all the security patches dating back to Jan. 1, 2003," remembers Allwyn Sequeira, Blue Lane's senior vice president of product operations. "We spent a lot of time ensuring that in fact we could fix the underlying vulnerability on the network."

Coming to market in the wake of countless signature-based IPSes, Blue Lane has fought an uphill battle communicating the true nature and novelty of the solution. As CEO Palmer explains, "Sometimes people say, 'Hey, a network appliance in front of the server, trying to protect it. Geez, you must be a signature-based solution.'

"No no no," he pleads. "This is really working on the protocol level, on the root cause to the known vulnerability, and correcting that on the wire. Frankly, it's indifferent to exploits. There's no sense of good traffic or bad traffic. It's just shutting off the loophole much as a vendor security patch would."

Product VP Sequeira notes a number of advantages over signature-based solutions. First, Blue Lane doesn't have to keep up with the enormous volume of exploits, but can focus on the smaller number of vulnerabilities. Second, because the inline patch proxy is not blocking threats, but modifying TCP traffic streams, it is not susceptible to false positives. And third, he says, performance is better than signature-based products.

The efficiency of the software was key to Blue Lane's most recent move, which was to release a version of the patch proxy that runs inside the VMware ESX hypervisor. An early customer, VMware encouraged Blue Lane to bring the technology into the virtualized environment. "The value proposition of shielding servers without introducing any new code or agents on the individual VMs fits hand in glove with the hypervisor model," Palmer says.

Virtualization presents exciting possibilities, agrees Sequeira, who sees a big opportunity for Blue Lane to bring greater visibility and protection to virtualized environments, thanks to its vantage point in examining the traffic flows into and out of the hypervisor and its VMs.

"Just like virtual servers are very quickly getting instantiated and deployed," says Sequeira, "the security ought to follow, and it ought to follow in real time... through policies that are location independent, application- and protocol-aware, and that can migrate with the VMs."

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Doug Dineley

InfoWorld
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?