I came across a news item about BlueLane's VirtualShield product for VMware protection. See http://www.bluelane.com/products/
This looks very useful, albeit pricey for my "one-man" show. I was wondering:
1) Any knowledgeable reader aware of a similar "hypervisor layer" protection product, especially one that is not so expensive?
2) Anyone able to comment on BlueLane's offering?
3) Any recommendations on how best to protect a bunch of VMs running on one host, without wasting cpu on having firewall/anti-virus/anti-spy on every guest OS?
Apologies if this has already been discussed - I am a newbie. Just give me some links, if that is more appropriate.
I certainly have no preference on the architecture, but would really like to be able to install some software on the host OS, which would protect all the guest VMs without needing to install individual protection in each, which multiplies CPU overhead.
What is the recommended way to achieve this (at a cost effective level)?
I'm not sure what is recommended, this is pretty new technology to me. I would think the network appliance would be better off so that you could cover more servers, physical and virtual.
I can see the benefit of not installing all of those different protection pieces within each OS. However, I don't like installing extra software in the ESX server console. But that's just my preference.
What is the Best of Breed for a perimeter security appliance?
As always, it depends.
To achieve the highest level of security you should choose some type of application level firewall. There aren't that many products available.
To me deep packet inspection is only a security compromise between IP filtering (which every product does) and application level filtering.
Deep packet inspection / stateful inspection has performance benefits.
My personal choice: Sidewinder from Secure Computing
Looks like a nice add-on to achieve internal security; although I personally avoid installing additional agents to achieve security if I can achieve the same goal without doing it.
But that's just a personal preference.
I have been testing both the Virtual and Physical solutions Blue Lane provides, and I have been very impressed. We put it in place on some very "dirty" segments and now we know what is attacking our systems. It also eases some of the burden of Microsoft's Patch Tuesday!
On the virtual side, you do have to have all vms you want to protect go through a single VM though...the Gatekeeper if you will.
Blue Lane's Virtual Shield is $599/year per 2 processor ESX. That includes the shield plug-in, manager, support and updates. That is relatively inexpensive for a security product.
It protects VMs by correcting/fixing any traffic aimed at known vulnerabilities. It takes up less than 5% of hypervisor real estate and has less than router hop latency. The Blue Lane appliance was reviewed last fall by InfoWorld and it received a Product of the Year award for 2007.
As I understand it, it doesn't use static signature matching/blocking for traffic enforcement. Instead it operates at layers 4-7 and is application and protocol aware. It corrects only the traffic in violation of a vendor security patch. That allows it to be highly accurate and avoid tying up processor cycles (versus low stack traffic/signature matching which usually requires significant hardware assist).
By operating in the clear text stream between the hypervisor and the VMs Blue Lane can secure even vmotioned VMs, according to the company. As soon as VMs are brought online they are recognized and protected, regardless of their actual patch level.
I think Reflex also has a good product. It was first to market. As I understand it... it is a signature-based IPS that also works on XenSource, etc hypervisors. I think it comes in at about $2k.
Reflex has a very similar story to Blue Lane, but their core legacies and technologies seem quite different.
> It protects VMs by correcting/fixing any traffic aimed at known vulnerabilities
So this is nothing more than a stupid pattern based virtualized IDS.
> It corrects only the traffic in violation of a vendor security patch.
This would mean that we have to trust that there's a patch known for a problem?
This is bull.... from a security point of view.
You might try visiting the BlueLane site. InfoWorld doesn't hand out Technologies of the Year in Security very easily. They are also a Gartner Cool Vendor in Security. I don't think anyone would be impressed with Blue Lane if they were what you're claiming they are.
Here is a recent interview from Virtual Security Mag: http://www.virtual-strategy.com/article/articleview/1996/1/64/
I think Scoble also interviewed them recently.
Might want to keep an open mind...
I already read the stuff available.
To be honest I don't give a ... about Gartner Cool Vendors or Products of the Year.
> I don't think anyone would be impressed with Blue Lane if they were what you're claiming they are.
Only my opinion
As far as application security goes: it's nice and good (and required) to protect anything at the application level, but relying on a protection based on vendor security patches IMHO is wrong.
There's a good reason for application level firewalls / circuit proxies / whatever you call them.
Why check for known flaws based on patches when you are able to analyze and sanitize the whole traffic?
Again, only my 0.02.
BTW: there's a nice paper from Marcus J. Ranum available, titled "Dude! You say I need an Application Layer Firewall?"
Blue Lane is now a finalist in Best of Interop - Security.
If you don't believe in applying security patches then I don't know what to tell you. If you do and it's easy then you wouldn't need a Blue Lane. But if you're managing a complex data center (with multiple OSs or older systems) and you don't want to take on the extra availability risk concomitant with rushing to patch, Blue Lane has a very neat approach. When it comes to virtualized data centers in production, if patching is easy for you (or unnecessary) then you're likely not managing a very large (or complex) production environment. The VirtualShield isn't necessarily for everybody who virtualizes... just those who want to have app and protocol decoding (vs signatures) security enforced in the hypervisor layer... which means faster security against known vulnerabilities without the availability risk. You using IPS to protect VMs instead, or are you purely dev/test?
I don't say that I don't believe in applying security patches.
I say that grounding your security basically / solely on applying patches is wrong.
> You using IPS to protect VMs instead, or are you purely devtest?
IPS are nice - but they are dumb.
My personal preference in perimeter(!) security is the following:
- simple stupid IP filter (only to filter out the unwanted stuff like NetBIOS, ...)
- application level firewall (preferably one that understands most of the high level protocols used)
- IPS (just in case the two above fail)
- solid patch management
- IPS (for the internal stuff)
- ongoing audits
- ongoing evaluation of the security and the security policy
A nice add-on regarding internal security (unfortunately not usable for virtualization) is NICs with built-in IP filters (3COM used to build them; I don't know if they are still available).
The BlueLane website states the following:
> VirtualShield protects by performing a discovery of virtual servers, including the applications, ports and protocols. Based on the discovery, VirtualShield determines and provisions the relevant, application-specific protection for unpatched applications. As new security patches are released by software application vendors, VirtualShield automatically downloads the appropriate inline patches from Blue Lane. Updates may be applied dynamically without requiring any reboots or reconfigurations of the virtual servers, the hypervisor,
This leads (me) to the following assumption:
They try to detect malicious traffic based on existing vendor security patches.
If I install all patches I don't need BlueLane?
If there's no patch available, BlueLane doesn't recognize the threat?
If the above are true (I haven't tested it yet) I don't need this product.
Decoding at the application layer is one of the things application layer firewalls were built for.
Suppose there's a problem in the SMTP implementation on top of a mail server.
This can be exploited by using a manipulated (otherwise valid) SMTP command.
If I have a firewall which knows the SMTP protocol, this isn't a threat, since the firewall knows that the issued SMTP command is invalid and therefore drops the connection.
An even better approach is if I'm additionally able to configure which SMTP commands are allowed and which are not.
And nobody prevents me from doing this in a VM (maybe multiple VMs) and route my VM traffic through these virtualized firewalls.
I hope I clarified my thoughts on this.
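The protocol-aware SMTP gate described in the post above, as an added example (mine, not the poster's and not any vendor's product): it parses each client command line, enforces the RFC 5321 command-line length limit and a configurable verb allow-list, checks argument syntax per verb, and drops the session at the first violation. The allow-list, the simplified argument grammar and the sample session are constructed assumptions.

```python
import re

# Constructed policy: verbs this inbound relay is allowed to see. VRFY, EXPN and TURN
# exist in RFC 5321 but are deliberately left off the allow-list.
ALLOWED_VERBS = {"EHLO", "HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT", "STARTTLS"}
MAX_CMD_LINE = 512  # RFC 5321 section 4.5.3.1.4: command line length including CRLF

# Simplified per-verb argument grammar (derived from RFC 5321, not the full ABNF).
_DOMAIN = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*"
_ESMTP_PARAMS = r"(?: [A-Za-z0-9-]+(?:=[!-<>-~]+)?)*"  # e.g. " SIZE=1234 BODY=8BITMIME"
ARG_SYNTAX = {
    "EHLO": re.compile(rf"(?:{_DOMAIN}|\[[0-9.]+\])"),
    "HELO": re.compile(_DOMAIN),
    "MAIL": re.compile(rf"FROM:<[^<>\s]*>{_ESMTP_PARAMS}", re.IGNORECASE),  # <> is the null sender
    "RCPT": re.compile(rf"TO:<[^<>\s]+>{_ESMTP_PARAMS}", re.IGNORECASE),
    "NOOP": re.compile(r".*"),
    **{v: re.compile(r"") for v in ("DATA", "RSET", "QUIT", "STARTTLS")},  # no argument allowed
}

def check_command(line):
    """Verdict on one raw client command line (bytes). Returns (allowed, reason)."""
    if len(line) > MAX_CMD_LINE:
        return False, "command line exceeds 512 octets"
    if not line.endswith(b"\r\n"):
        return False, "command line not CRLF-terminated"
    body = line[:-2]
    if any(b < 0x20 or b > 0x7E for b in body):  # bytes iterate as ints
        return False, "control or non-ASCII byte in command line"
    verb, _, arg = body.decode("ascii").partition(" ")
    verb = verb.upper()  # SMTP verbs are case-insensitive
    if verb not in ALLOWED_VERBS:
        return False, f"verb {verb} not permitted by policy"
    if not ARG_SYNTAX[verb].fullmatch(arg):
        return False, f"malformed argument for {verb}"
    return True, "ok"

def filter_session(client_lines):
    """Replay client lines in order; drop the connection at the first violation."""
    forwarded = []
    for line in client_lines:
        ok, reason = check_command(line)
        if not ok:
            return forwarded, reason  # proxy closes the client connection here
        forwarded.append(line)
    return forwarded, "session forwarded"

# Constructed sample session: a valid handshake followed by a verb outside the policy.
SAMPLE_SESSION = [
    b"EHLO mx.example.test\r\n",
    b"MAIL FROM:<alice@example.test> SIZE=2048\r\n",
    b"RCPT TO:<bob@example.test>\r\n",
    b"VRFY bob\r\n",  # not on the allow-list: the session is dropped at this line
]
```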
Do you work at a large company? Do you know what kind of change management and testing needs to happen for each and every production server to test a patch/service pack/etc.? What if you could filter out the traffic before it hits your servers without needing to patch them, or at least give yourself time to adequately test the patch (and schedule the outage for the most convenient time) before putting it on hundreds of servers?
I think you miss the whole point of the product.
What about where you have 100s of virtual machines that get reverted back to a base snapshot on a regular basis (development, SQA testing, etc.), meaning that they no longer have the patches that were applied? Wouldn't it be nice to have them protected until your automated patching system can identify them as out of compliance and fix them up?
Security is made up of a bunch of layers. For the patching layer, especially in the dynamic world of virtual machines, this provides a unique and compelling solution.
> Do you know what kind of change management and testing needs to happen for each and every production server to test a patch/service pack/etc.?
Yeah I know
> What if you could filter out the traffic before it hits your servers without needing to patch them, or at least give yourself time to adequately test the patch (and schedule the outage for the most convenient time) before putting it on hundreds of servers?
As I said above - this is nice but nothing really new
> I think you miss the whole point of the product
No - I only try not to overvalue it.
> What about where you have 100s of virtual machines that get reverted back to a base snapshot on a regular basis...
Wouldn't it be even better to update the base machines / templates to stay in compliance with the given standards and policies as soon as possible?
To be more precise - if you work in a regulated environment you in fact have to update the base or dump it along with its descendants.
That's one of the problems I see with this - admins could become lazy.
"Hey why should I patch anything - we have VirtualShield?"
Got my point?
So... what you're saying is that tuning signatures keeps your team in shape... and if they had a solution that could prevent successful attacks they would get lazy? How much does your team spend on carbon paper?
The app and protocol decoding at the core of the system is very new. Server security without tuning, footprints and reboots (and ASICs) is very new. In 2-3 years those IPSs will need to re-architect to keep up with mutating worms while the Blue Lane shields will be adding new functionality at layer 4-7. Face it... the days of signature-processing/tuning and throwing processor cycles and custom chips at the problem are over. Just ask InfoWorld and now the judges at Interop.
If you patch too fast you have a new set of problems. Unless you have extra people sitting around with nothing to do who love to patch and reboot critical servers, that benefit alone is worthwhile.
Then again, maybe Patch Tuesday, etc and reboots give you a sense of purpose... then Blue Lane is definitely not for you. There are some counties in Pennsylvania for instance where there are very few car dealers... because new technology (since the 19th century) is seen as evil. I'm sure across the world of intrusion prevention there are some who think that tuning and adding new sigs keeps them sharp. I heard the same thing from my father about slide rules in the 70s when calculators were being required for math and engineering courses.
I hope this message board exercise about a product that you apparently have no interest in has also helped to keep you sharp and at the top of your game, whatever it is.