I certainly have no preference on the architecture, but would really like to be able to install some software on the host os, which would protect all the guest VM's without needing to install individual protection in each, which multiplies cpu overhead.

What is the recommended way to achieve this (at a cost effective level)?

Thnx.

I'm not sure what is recommended, this is pretty new technology to me. I would think the network appliance would be better off so that you could cover more servers, physical and virtual.

I can see the benefit of not installing all of those different protection pieces within each os. However, I don't like installing extra software in the ESX server console. But that's just my preference.

What is the Best of Breed for a perimeter security appliance? I am leaning towards the Sonicwall products with deep packet inspection. Anything better or cheaper???

What is the Best of Breed for a perimeter security appliance?

as always it depends

To achieve the highest level of security you should choose some type of application level firewall. There aren't that many products available.

To me deep packet inspection is only a security compromise between IP filtering (which every product does) and application level filtering.

Deep packet inspection / stateful inspection has performance benefits.

My personal choice: Sidewinder from Secure Computing

Another interesting option is EpiForce[/url]from Apani.[/url] It provides policy-based application/network security. The fact that it's policy based makes it easier to manage.

Looks like a nice add-on to achieve internal security; although I personally avoid installing additional agents to achieve security if I can achieve the same goal without doing it.

But that's just a personal preference.

It protects VMs by correcting/fixing any traffic aimed at known vulnerabilities

So this is nothing more than a stupid pattern based virtualized IDS.

It corrects only the traffic in violation of a vendor security patch.

This would mean that we have to trust, that there's a patch known to a problem?

This is bull.... from a security point of view.

You might try visiting the BlueLane site. InfoWorld doesn't hand out Technologies of the Year in Security very easily. They are also a Gartner Cool Vendor in Security. I don't think anyone would be impressed with Blue Lane if they were what you're claiming they are.

Here is a recent interview from Virtual Security Mag: http://www.virtual-strategy.com/article/articleview/1996/1/64/

I think Scoble also interviewed them recently.

Might want to keep an open mind...

I already read the stuff available.

To be honest I don't give a ... about Gartner Cool Vendors or Products of the Year.

I don't think anyone would be impressed with Blue Lane if they were what you're claiming they are.

Only my opinion

As far as application security goes.

It's nice and good (and required) to protect anything at the application level but relying on a protection based on vendor security patches IMHO is wrong.

There's a good reason for application level firewalls / circuit proxies / whatever you call them.

Why checking for known flaws based on patches when you are able to analyze and sanitize the whole traffic?

Again only me 0.02€

Message was edited by:

oreeh

BTW: there's a nice paper from Marcus J. Ranum available, titled "Dude! You say I need an Application Layer Firewall?"

Not a big fan of all my VMs running their network traffic through another singular vm. I like the Checkpoint SmartDefense product.

Blue Lane is now a finalist in Best of Interop - Security.

http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/05-07-2007/0004582215&EDATE=

If you don't believe in applying security patches then I don't know what to tell you. If you do and its easy then you wouldn't need a Blue Lane. But if you're managing a complex data center (with multiple OSs or older systems) and you don't want to take on extra availability risk concomitant with rushing to patch Blue Lane has a very neat approach. When it comes to virtualized data centers in production if patching is easy for you (or unnecessary) then you're likely not managing a very large (or complex) production environment. The Virtualshield isn't necessarily for everybody who virtualizes... just those who want to have app and protocol decoding (vs signatures) security enforced in the hypervisor layer... which means faster security against known vulnerabilities without the availability risk. You using IPS to protect VMs instead, or are you purely devtest?

I don't say that I don't believe in applying security patches.

I say that grounding your security basically / solely on applying patches is wrong.

You using IPS to protect VMs instead, or are you purely devtest?

Not really

IPS are nice - but they are dumb.

My personal preference in perimeter(!) security is the following:

\- simple stupid IP filter (only to filter out the unwanted stuff like netbios,...)

\- application level firewall (preferably one that understands most of the high level protocols used)

\- IPS (just in case the two above fail)

\- solid patch management

\- IPS (for the internal stuff)

\- ongoing audits

\- ongoing evaluation of the security and the security policy

A nice addon regarding internal security (unfortunately not usable for virtualization) are NICs with builtin IP filters (3COM used to built them - don't know if they are still available)

Message was edited by:

oreeh

The BlueLane website states the following:

VirtualShield protects by performing a discovery of

virtual servers, including the applications, ports and

protocols. Based on the discovery, VirtualShield

determines and provisions the relevant,

application-specific protection for unpatched applications.

As new security patches are released by software

application vendors, VirtualShield automatically downloads

the appropriate inline patches from Blue Lane. Updates may

be applied dynamically without requiring any reboots or

reconfigurations of the virtual servers, the hypervisor,

or VirtualShield.

This leads (me) to the following assumption:

They try to detect malicious traffic based on existing vendor security patches.

If I install all patches I don't need BlueLane?

If there's no patch available BlueLane doesn't recognioze the threat?

If the above are true (I haven't tested it yet) I don't need this product.

Decoding at the application layer is one of the things application layer firewalls where built for.

Simple example.

Suppose there's a problem in the SMTP implementation on top of a mail server.

This can be exploited by using a manipulated (otherwise valid) SMTP command.

If I have a firewall which knows the SMTP protocol this isn't a thread since the firewall knows that the issued SMTP command is invalid and therefore drops the connection.

An even better approach is if I'm additionally able to configure which SMTPs command are allowed and which are not.

And nobody prevents me from doing this in a VM (maybe multiple VMs) and route my VM traffic through these virtualized firewalls.

I hope I clarified my thoughts on this.

Do you work at a large company? do you know what kind of change management and testing needs to happen for each and every production server to test a patch/service pack/etc? What if you could filter out the traffic before it hits your servers without needing to patch ithem or at least giving yourself time to adequately test the patch (and schedule the outage for the most convenient time) before putting it on hundreds of servers?

I think you miss the whole point of the product.

What about where you have 100s of virtual machines that get reverted back to a base snapshot on a regular basis ( development, SQA testing, etc ) meaning that they no longer have patches that were applied? Wouldn't it be nice to have them protected until your automated patching system can identify them as out of compliance and fix them up?

Security is made up of a bunch of layers. For the patching layer, especially in the dynamic world of virtual machine, this provides a unique and compelling solution.

do you know what kind of change management and testing needs to happen for each and every production server to test a patch/service pack/etc?

Yeah I know

>What if you could filter out the traffic before it hits your servers without needing to patch ithem or at least giving yourself time to adequately test the patch (and schedule the outage for the most convenient time) before putting it on hundreds of servers?

As I said above - this is nice but nothing really new

I think you miss the whole point of the product

No - I only try not to overvalue it.

What about where you have 100s of virtual machines that get reverted back to a base snapshot on a regular basis...

Wouldn't it be even better to update the base machines / templates to stay in compliance with the given standards and policies as soon as possible?

To be more precise - if you work in a regulated environment you in fact have to update the base or dump it along with its descendants.

That's one of the problems I see with this - admins could become lazy.

"Hey why should I patch anything - we have VirtualShield?"

Got my point?

So... what you're saying is that tuning signatures keeps your team in shape... and if they had a solution that could prevent successful attacks they would get lazy? How much does your team spend on carbon paper?

The app and protocol decoding at the core of the system is very new. Server security without tuning, footprints and reboots (and ASICs) is very new. In 2-3 years those IPSs will need to re-architect to keep up with mutating worms while the Blue Lane shields will be adding new functionality at layer 4-7. Face it... the days of signature-processing/tuning and throwing processor cycles and custom chips at the problem are over. Just ask InfoWorld and now the judges at Interop.

If you patch too fast you have a new set of problems. Unless you have extra people sitting around with nothing to do and love to patch, reboot critical servers that benefit alone is worthwhile.

Then again, maybe Patch Tuesday, etc and reboots give you a sense of purpose... then Blue Lane is definitely not for you. There are some counties in Pennsylvania for instance where there are very few car dealers... because new technology (since the 19th century) is seen as evil. I'm sure across the world of intrusion prevention there are some who think that tuning and adding new sigs keeps them sharp. I heard the same thing from my father about slide rules in the 70s when calculators were being required for math and engineering courses.

I hope this message board exercise about a product that you apparently have no interest in has also helped to keep you sharp and at the top of your game, whatever it is.