Tuesday, September 20, 2005

Virtual Patching takes off

The Zotob outbreak showed us that the exploit window is shrinking rapidly from weeks to days, and confirmed suspicions that IT managers are losing the "patch race" with Windows. Patch management also consistently shows up in the top five "headaches" and priorities for customers in many recent surveys.

Many of our customers have deployed network IPS technology in front of server farms to "buy time" during windows of vulnerability, whilst they evaluate, test and deploy patches. Some interesting alternatives to IPS are starting to surface, however. An emerging category of network equipment is giving network executives more time to install security patches by keeping servers safe until full-blown fixes can be tested and installed. So far there are two approaches to the problem: software that runs on the servers being protected, and an appliance that sits in front of the servers.

Determina makes the software, called LiveShield (story here), and Blue Lane makes an appliance running protective software called PatchPoint. Blue Lane Technologies Inc., a start-up in Cupertino, Calif., last week introduced a security appliance called PatchPoint, which it terms a world-first "inline patch proxy", that addresses specific vulnerabilities in Windows and other products. But instead of requiring users to install software on their systems, PatchPoint sits in front of the servers and mimics the full functionality of vendor-issued patches. The approach is designed to let IT staffs "hold down the fort" until they're ready to apply the actual patches. PatchPoint pricing starts at $30,500, and the product has already picked up some impressive customer wins, testimonials and case studies.

Now if we could just find a similar approach for the client operating systems... But seriously, one often wonders with this type of technology whether customers won't start suffering from a false sense of security and slack off on their server patching altogether. I'll keep a close watch on this one and try to elicit some feedback from the IPS vendors.

UPDATE: Christopher Hoff describes some interesting testing they did of this product at his Rational Security blog. His comment is that the device works extremely well. Comparing it with using an IPS to do the same thing, he writes: "'Ah,' you say, 'but any old NIPS/HIPS/AV/Firewall can do that!' Er, not so, Sparky. The notion here is that rather than simply dump an entire session, the actual active streams are 'corrected', allowing good traffic to flow while preventing 'bad' traffic from getting through, on a per-flow basis. It doesn't just send a RST and that $50M wire transfer to /dev/null; it actually allows legitimate business traffic to continue unimpeded."

CATEGORIES: 1patching, 1hips, 1endpoint security, 1ips, 1vendors, 1first


Dominic White said...

I must disagree with you on this. From where I am sitting, an IPS would look far more effective. I have done a write-up of why virtual patching is intrinsically flawed, and responded to the post at Rational Security:


Thursday, January 19, 2006 3:51:00 PM  
