VMware Technology Alliance Partner and startup Blue Lane Technologies Inc. is taking a stab at a nagging security problem that is only getting worse with virtualization: patch management.
In the fluid world of virtualization, the problem with security patches is that virtual machines (VMs) go offline. "They get mothballed," said Jason Young, Blue Lane director of product management. And when they go offline, "they may not get the patches and updates that they need," he said. "It's as if you left them in the trunk of your car for several months."
In an attempt to stem the tide of improperly patched VMs, Blue Lane, based in Cupertino, Calif., launched today a virtualization-aware version of its VirtualShield in-line patch management product that runs as a shim within VMware's ESX hypervisor.
The company boasts a novel approach to patch management. "IT revolves around software security patches -- for example, Microsoft's Patch Tuesday," said Young. Blue Lane's approach to security is to analyze patches and determine what corrective action they take. Then, rather than applying the patch, VirtualShield intercepts network traffic relevant to a given patch and replicates its function. "We don't replace the patch, we just act as a patch proxy," Young said.
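The patch-proxy idea described above, as an added illustration that is not Blue Lane's code (the page does not describe VirtualShield's actual rule format or patch analysis): a toy in-line filter that holds a list of "virtual patches", each expressing the check a real patch would add, and applies them to requests before they reach an unpatched backend. The rule names (HYPO-000x), the limits, and the sample traffic are constructed assumptions, not real vulnerabilities or vendor patches.

```python
"""Toy network-level 'patch proxy' (added example, not VirtualShield code).

Each VirtualPatch mirrors the corrective check a patch would add to the
protected service; the proxy enforces it on traffic instead of changing
the VM. Rule names, limits and sample requests are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import unquote


@dataclass
class Request:
    """Minimal model of an HTTP-like request seen on the wire."""
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


@dataclass
class VirtualPatch:
    """A check the proxy enforces in place of the real patch (hypothetical)."""
    name: str
    description: str
    violates: Callable[[Request], bool]   # True -> request must be blocked


def host_header_length_patch(limit: int = 255) -> VirtualPatch:
    """Constructed rule: a patch that bounds the Host header length."""
    return VirtualPatch(
        name="HYPO-0001",
        description=f"reject Host header longer than {limit} bytes",
        violates=lambda r: len(r.headers.get("Host", "")) > limit,
    )


def path_traversal_patch() -> VirtualPatch:
    """Constructed rule: reject '..' path segments after percent-decoding."""
    def violates(r: Request) -> bool:
        return ".." in unquote(r.path).split("/")
    return VirtualPatch("HYPO-0002", "reject '..' path segments", violates)


def body_size_patch(limit: int = 1_000_000) -> VirtualPatch:
    """Constructed rule: a patch that bounds the request body size."""
    return VirtualPatch(
        name="HYPO-0003",
        description=f"reject bodies larger than {limit} bytes",
        violates=lambda r: len(r.body) > limit,
    )


class PatchProxy:
    """Sits in line between the network and an unpatched backend."""

    def __init__(self, patches: List[VirtualPatch]) -> None:
        self.patches = patches
        self.log: List[Tuple[str, str]] = []   # (rule name, path) of blocked requests

    def inspect(self, req: Request) -> Optional[str]:
        """Return the name of the first virtual patch the request violates, else None."""
        for patch in self.patches:
            if patch.violates(req):
                return patch.name
        return None

    def handle(self, req: Request, backend: Callable[[Request], str]) -> str:
        """Block violating requests; forward everything else unchanged."""
        hit = self.inspect(req)
        if hit is not None:
            self.log.append((hit, req.path))
            return f"403 blocked by virtual patch {hit}"
        return backend(req)


def unpatched_backend(req: Request) -> str:
    """Stand-in for the service on the VM that has not received the patch."""
    return f"200 served {req.path}"


def run_sample() -> List[str]:
    """Run constructed sample traffic through the proxy; returns one line per request."""
    proxy = PatchProxy([host_header_length_patch(64),
                        path_traversal_patch(),
                        body_size_patch(1024)])
    traffic = [   # constructed sample requests
        Request("GET", "/index.html", {"Host": "vm1.example.test"}),
        Request("GET", "/static/%2e%2e/%2e%2e/secret.txt", {"Host": "vm1.example.test"}),
        Request("GET", "/index.html", {"Host": "A" * 100}),
        Request("POST", "/upload", {"Host": "vm1.example.test"}, b"x" * 2048),
    ]
    return [proxy.handle(r, unpatched_backend) for r in traffic]


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The point of the structure is that the proxy never touches the VM: a rule can be added while the VM is powered off and will apply the moment the VM comes back on the network, which is exactly the gap the article describes for mothballed machines. Percent-decoding before the traversal check is the kind of detail a patch proxy has to get right to match the real patch's behaviour.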
Blue Lane's VirtualShield is currently used by two types of customers, Young said. "There are some cases -- a lot more than I thought -- where the customer cannot patch no matter what." Then, "on the other end of the spectrum, there are customers that say, 'Gee, wouldn't it be great if we could go back to the days when we could patch once per quarter?' In that case, we're just buying them some time," he said.
Besides VMware, Blue Lane is a member of the Microsoft SecureIT Alliance, the Oracle PartnerNetwork and the Red Hat Partner community, and it integrates with Qualys's QualysGuard. VirtualShield protects Microsoft Windows NT, 2000 and 2003, Red Hat, Novell SUSE, Solaris and FreeBSD, plus a host of enterprise applications, including Oracle, Exchange, Apache and Samba. VirtualShield for ESX 3 is priced at $499 per dual-processor ESX Server.
A virtual unknown
In security circles, Blue Lane is practically unknown, but people who have seen it in action are impressed. Jeanne Johnson, principal and co-founder of Server Centric Consulting, a VMware Authorized Consultant (VAC) in Kansas City, told her engineers to "shred" VirtualShield in the lab before she would recommend it to customers. They came back to her and said, "It makes so much sense, it's scary," she said.
Johnson was particularly impressed with Blue Lane's approach of applying security changes at the network level. "When we realized that all these Patch Tuesdays could have been addressed at the network level for the past three years -- and we didn't know it -- we thought, 'Holy #$%!'"
But patch management isn't the only security issue facing virtualization, and Blue Lane isn't the only entity addressing it. Earlier this month, analyst firm Gartner Inc. released a report predicting that in 2009, 60% of virtual machines will actually be less secure than their physical counterparts. In addition to the patching problem, the report called out, among other issues, the difficulty intrusion prevention systems (IPSes) have in seeing traffic between VMs on the same host.
In fact, IT managers, in their rush to virtualize, may be forgetting fundamental security best practices, the report said.
John Banghart, director of benchmark services at the Center for Internet Security, or CIS, has seen this sort of disregard for security before. "The intense interest in virtualization is being driven by cost savings. And in situations like these -- for example, wireless networking -- people drive forward so quickly that security is left behind," he said.
CIS hopes to bring a measure of sanity back to virtualization users next month when it publishes a best practices white paper on securing virtual OSes that will be free for download from its Web site, www.cisecurity.org.
Let us know what you think about the story; e-mail: Alex Barrett, News Director