pszilard
Contributor

BlueLane VirtualShield

Disclaimer: I have no association with BlueLane.

I came across a news item about BlueLane's VirtualShield product for VMware protection. See http://www.bluelane.com/products/

This looks very useful, albeit pricey for my "one-man" show. I was wondering:

1) Any knowledgeable reader aware of a similar "hypervisor layer" protection product, especially one that is not so expensive?

2) Anyone able to comment on BlueLane's offering?

3) Any recommendations on how best to protect a bunch of VMs running on one host, without wasting cpu on having firewall/anti-virus/anti-spy on every guest OS?

Apologies if this has already been discussed - I am a newbie. Just give me some links, if that is more appropriate.

Thanks.

23 Replies
Ken_Cline
Champion

I've not played with it, but there's a virtual appliance posting here that you might want to check out.

Ken Cline VMware vExpert 2009 VMware Communities User Moderator Blogging at: http://KensVirtualReality.wordpress.com/
bretti
Expert

I'm curious what the advantage is for running this at the hypervisor layer vs. a network appliance? Their explanation didn't do much to convince me.

pszilard
Contributor

I certainly have no preference on the architecture, but would really like to be able to install some software on the host OS which would protect all the guest VMs without needing to install individual protection in each, which multiplies CPU overhead.

What is the recommended way to achieve this (at a cost effective level)?

Thnx.

bretti
Expert

I'm not sure what is recommended; this is pretty new technology to me. I would think the network appliance would be better off so that you could cover more servers, physical and virtual.

I can see the benefit of not installing all of those different protection pieces within each OS. However, I don't like installing extra software in the ESX server console. But that's just my preference.

pszilard
Contributor

What is the Best of Breed for a perimeter security appliance? I am leaning towards the Sonicwall products with deep packet inspection. Anything better or cheaper???

oreeh
Immortal

> What is the Best of Breed for a perimeter security appliance?

As always, it depends.

To achieve the highest level of security you should choose some type of application level firewall. There aren't that many products available.

To me deep packet inspection is only a security compromise between IP filtering (which every product does) and application level filtering.

Deep packet inspection / stateful inspection has performance benefits.

My personal choice: Sidewinder from Secure Computing

Ken_Cline
Champion

Another interesting option is EpiForce from Apani. It provides policy-based application/network security. The fact that it's policy based makes it easier to manage.

oreeh
Immortal

Looks like a nice add-on to achieve internal security; although I personally avoid installing additional agents to achieve security if I can achieve the same goal without doing it.

But that's just a personal preference.

jrr001
Enthusiast

I have been testing both the Virtual and Physical solutions Blue Lane provides, and I have been very impressed. We put it in place on some very "dirty" segments and now we know what is attacking our systems. Also eases some of the burden of Microsoft's Patch Tuesday!

On the virtual side, you do have to have all VMs you want to protect go through a single VM though... the Gatekeeper, if you will.

SecurityJunkie
Contributor

Blue Lane's Virtual Shield is $599/year per 2 processor ESX. That includes the shield plug-in, manager, support and updates. That is relatively inexpensive for a security product.

It protects VMs by correcting/fixing any traffic aimed at known vulnerabilities. It takes up less than 5% of hypervisor real estate and has less than router hop latency. The Blue Lane appliance was reviewed last fall by InfoWorld and it received a Product of the Year award for 2007.

As I understand it, it doesn't use static signature matching/blocking for traffic enforcement. Instead it operates at layers 4-7 and is application and protocol aware. It corrects only the traffic in violation of a vendor security patch. That allows it to be highly accurate and avoid tying up processor cycles (versus low stack traffic/signature matching which usually requires significant hardware assist).

By operating in the clear text stream between the hypervisor and the VMs Blue Lane can secure even vmotioned VMs, according to the company. As soon as VMs are brought online they are recognized and protected, regardless of their actual patch level.

I think Reflex also has a good product. It was first to market. As I understand it... it is a signature-based IPS that also works on XenSource, etc hypervisors. I think it comes in at about $2k.

Reflex has a very similar story to Blue Lane, but their core legacies and technologies seem quite different.

oreeh
Immortal

> It protects VMs by correcting/fixing any traffic aimed at known vulnerabilities

So this is nothing more than a stupid pattern based virtualized IDS.

> It corrects only the traffic in violation of a vendor security patch.

This would mean that we have to trust that there's a patch known for a problem?

This is bull.... from a security point of view.

SecurityJunkie
Contributor

You might try visiting the BlueLane site. InfoWorld doesn't hand out Technologies of the Year in Security very easily. They are also a Gartner Cool Vendor in Security. I don't think anyone would be impressed with Blue Lane if they were what you're claiming they are.

Here is a recent interview from Virtual Security Mag: http://www.virtual-strategy.com/article/articleview/1996/1/64/

I think Scoble also interviewed them recently.

Might want to keep an open mind...

oreeh
Immortal

I already read the stuff available.

To be honest I don't give a ... about Gartner Cool Vendors or Products of the Year.

> I don't think anyone would be impressed with Blue Lane if they were what you're claiming they are.

Only my opinion ;)

As far as application security goes:

It's nice and good (and required) to protect anything at the application level but relying on a protection based on vendor security patches IMHO is wrong.

There's a good reason for application level firewalls / circuit proxies / whatever you call them.

Why check for known flaws based on patches when you are able to analyze and sanitize the whole traffic?

Again, only my 0.02€.

Message was edited by: oreeh

BTW: there's a nice paper from Marcus J. Ranum available, titled "Dude! You say I need an Application Layer Firewall?"

murreyaw
Enthusiast

Not a big fan of all my VMs running their network traffic through another singular VM. I like the Check Point SmartDefense product.

SecurityJunkie
Contributor

Blue Lane is now a finalist in Best of Interop - Security.

http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/05-07-2007/0004582215&EDATE=

If you don't believe in applying security patches then I don't know what to tell you. If you do and it's easy then you wouldn't need a Blue Lane. But if you're managing a complex data center (with multiple OSs or older systems) and you don't want to take on the extra availability risk concomitant with rushing to patch, Blue Lane has a very neat approach. When it comes to virtualized data centers in production, if patching is easy for you (or unnecessary) then you're likely not managing a very large (or complex) production environment. The VirtualShield isn't necessarily for everybody who virtualizes... just those who want to have app and protocol decoding (vs. signatures) security enforced in the hypervisor layer... which means faster security against known vulnerabilities without the availability risk. Are you using IPS to protect VMs instead, or are you purely dev/test?

oreeh
Immortal

I don't say that I don't believe in applying security patches.

I say that grounding your security basically / solely on applying patches is wrong.

> Are you using IPS to protect VMs instead, or are you purely dev/test?

Not really ;)

IPSs are nice, but they are dumb.

My personal preference in perimeter(!) security is the following:

- simple stupid IP filter (only to filter out the unwanted stuff like NetBIOS, ...)
- application level firewall (preferably one that understands most of the high level protocols used)
- IPS (just in case the two above fail)
- solid patch management
- IPS (for the internal stuff)
- ongoing audits
- ongoing evaluation of the security and the security policy

A nice add-on regarding internal security (unfortunately not usable for virtualization) are NICs with built-in IP filters (3Com used to build them; I don't know if they are still available).

Message was edited by: oreeh

The BlueLane website states the following:

> VirtualShield protects by performing a discovery of virtual servers, including the applications, ports and protocols. Based on the discovery, VirtualShield determines and provisions the relevant, application-specific protection for unpatched applications. As new security patches are released by software application vendors, VirtualShield automatically downloads the appropriate inline patches from Blue Lane. Updates may be applied dynamically without requiring any reboots or reconfigurations of the virtual servers, the hypervisor, or VirtualShield.

This leads (me) to the following assumption:

They try to detect malicious traffic based on existing vendor security patches.

If I install all patches I don't need BlueLane?

If there's no patch available, BlueLane doesn't recognize the threat?

If the above are true (I haven't tested it yet) I don't need this product.

Decoding at the application layer is one of the things application layer firewalls were built for.

Simple example:

Suppose there's a problem in the SMTP implementation on top of a mail server.

This can be exploited by using a manipulated (otherwise valid) SMTP command.

If I have a firewall which knows the SMTP protocol this isn't a threat, since the firewall knows that the issued SMTP command is invalid and therefore drops the connection.

An even better approach is if I'm additionally able to configure which SMTP commands are allowed and which are not.

And nobody prevents me from doing this in a VM (maybe multiple VMs) and routing my VM traffic through these virtualized firewalls.

I hope I clarified my thoughts on this.

VirtualNoitall
Virtuoso
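The SMTP scenario in the post above, as an added example (this is not code from the thread or from any vendor mentioned in it): a protocol-aware command filter of the kind an application level firewall applies. It parses each client command line, drops the connection when the line is not syntactically valid SMTP, and additionally enforces an administrator-chosen allowlist of verbs, so a verb the operator never wants to see (the example uses VRFY) is refused even though it is valid protocol. The per-verb grammar table is a deliberately simplified sketch of the RFC 5321 shapes, and the policy set and sample session are constructed for illustration.

```python
"""Protocol-aware SMTP command filter (constructed illustration)."""
import re

# Simplified argument grammar per verb. The patterns are loosened
# sketches of the RFC 5321 shapes, not the full ABNF (assumption for
# the example; a production filter would implement the real grammar).
SMTP_GRAMMAR = {
    "HELO": re.compile(r"^[A-Za-z0-9.\-]+$"),
    "EHLO": re.compile(r"^[A-Za-z0-9.\-\[\]:]+$"),
    "MAIL": re.compile(r"^FROM:<[^<>\s]*>(\s+[A-Za-z0-9=\-]+)*$", re.IGNORECASE),
    "RCPT": re.compile(r"^TO:<[^<>\s]+>(\s+[A-Za-z0-9=\-]+)*$", re.IGNORECASE),
    "DATA": re.compile(r"^$"),
    "RSET": re.compile(r"^$"),
    "NOOP": re.compile(r"^.*$"),
    "QUIT": re.compile(r"^$"),
    "VRFY": re.compile(r"^\S+$"),
    "EXPN": re.compile(r"^\S+$"),
    "HELP": re.compile(r"^\S*$"),
    "STARTTLS": re.compile(r"^$"),
    "AUTH": re.compile(r"^[A-Z0-9\-_]+(\s+[A-Za-z0-9+/=]+)?$"),
}

MAX_LINE = 512  # RFC 5321 maximum command line length, CRLF included

# Operator policy (constructed): verbs the firewall lets through.
# VRFY/EXPN/HELP are valid SMTP but are not permitted here.
DEFAULT_POLICY = frozenset(
    {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT", "STARTTLS"}
)


def check_command(line, allowed_verbs=DEFAULT_POLICY, max_line=MAX_LINE):
    """Classify one raw client line. Returns ('pass'|'drop', reason)."""
    # Protocol checks first: length, framing, character set, verb, argument.
    if len(line) > max_line:
        return "drop", "line exceeds SMTP length limit"
    if not line.endswith("\r\n"):
        return "drop", "missing CRLF terminator"
    body = line[:-2]
    if any(ord(c) < 32 or ord(c) > 126 for c in body):
        return "drop", "non-printable/8-bit byte in command"
    verb, _, arg = body.partition(" ")
    verb = verb.upper()
    pattern = SMTP_GRAMMAR.get(verb)
    if pattern is None:
        return "drop", f"unknown verb {verb!r}"
    if not pattern.match(arg):
        return "drop", f"malformed argument for {verb}"
    # Then policy: a well-formed command can still be disallowed.
    if verb not in allowed_verbs:
        return "drop", f"{verb} not permitted by policy"
    return "pass", "valid " + verb


def filter_session(lines, allowed_verbs=DEFAULT_POLICY):
    """Run the filter over a client's command lines in order.

    Mirrors the firewall behaviour described in the thread: the first
    invalid or disallowed command terminates the connection, so later
    lines are never forwarded to the mail server.
    """
    log = []
    for line in lines:
        verdict, reason = check_command(line, allowed_verbs)
        log.append((line.rstrip("\r\n"), verdict, reason))
        if verdict == "drop":
            break
    return log


# Constructed sample traffic: a benign transaction followed by a verb
# that is valid SMTP but refused by the operator's policy.
SAMPLE_SESSION = [
    "EHLO mail.example.test\r\n",
    "MAIL FROM:<alice@example.test>\r\n",
    "RCPT TO:<bob@example.test>\r\n",
    "DATA\r\n",
]

if __name__ == "__main__":
    for entry in filter_session(SAMPLE_SESSION + ["VRFY root\r\n", "QUIT\r\n"]):
        print("%-35s %-5s %s" % entry)
```

The two layers are kept separate on purpose: the grammar checks answer "is this even SMTP?" and catch oversized, unterminated or binary-laden lines regardless of which verb they claim to be, while the allowlist answers "does this site want this command at all?", which is the configurable part the post asks for.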

Do you work at a large company? Do you know what kind of change management and testing needs to happen for each and every production server to test a patch/service pack/etc.? What if you could filter out the traffic before it hits your servers without needing to patch them, or at least giving yourself time to adequately test the patch (and schedule the outage for the most convenient time) before putting it on hundreds of servers?

I think you miss the whole point of the product.

What about where you have 100s of virtual machines that get reverted back to a base snapshot on a regular basis ( development, SQA testing, etc ) meaning that they no longer have patches that were applied? Wouldn't it be nice to have them protected until your automated patching system can identify them as out of compliance and fix them up?

Security is made up of a bunch of layers. For the patching layer, especially in the dynamic world of virtual machine, this provides a unique and compelling solution.

oreeh
Immortal

> Do you know what kind of change management and testing needs to happen for each and every production server to test a patch/service pack/etc.?

Yeah, I know.

> What if you could filter out the traffic before it hits your servers without needing to patch them, or at least giving yourself time to adequately test the patch (and schedule the outage for the most convenient time) before putting it on hundreds of servers?

As I said above, this is nice but nothing really new.

> I think you miss the whole point of the product

No, I only try not to overvalue it.

> What about where you have 100s of virtual machines that get reverted back to a base snapshot on a regular basis...

Wouldn't it be even better to update the base machines / templates to stay in compliance with the given standards and policies as soon as possible?

To be more precise: if you work in a regulated environment you in fact have to update the base, or dump it along with its descendants.

That's one of the problems I see with this - admins could become lazy.

"Hey why should I patch anything - we have VirtualShield?"

Got my point?

SecurityJunkie
Contributor

So... what you're saying is that tuning signatures keeps your team in shape... and if they had a solution that could prevent successful attacks they would get lazy? How much does your team spend on carbon paper?

The app and protocol decoding at the core of the system is very new. Server security without tuning, footprints and reboots (and ASICs) is very new. In 2-3 years those IPSs will need to re-architect to keep up with mutating worms while the Blue Lane shields will be adding new functionality at layer 4-7. Face it... the days of signature-processing/tuning and throwing processor cycles and custom chips at the problem are over. Just ask InfoWorld and now the judges at Interop.

If you patch too fast you have a new set of problems. Unless you have extra people sitting around with nothing to do who love to patch and reboot critical servers, that benefit alone is worthwhile.

Then again, maybe Patch Tuesday, etc and reboots give you a sense of purpose... then Blue Lane is definitely not for you. There are some counties in Pennsylvania for instance where there are very few car dealers... because new technology (since the 19th century) is seen as evil. I'm sure across the world of intrusion prevention there are some who think that tuning and adding new sigs keeps them sharp. I heard the same thing from my father about slide rules in the 70s when calculators were being required for math and engineering courses.

I hope this message board exercise about a product that you apparently have no interest in has also helped to keep you sharp and at the top of your game, whatever it is.
