An emerging category of security product is buying network executives more time to install security patches: it shields vulnerable servers from exploitation until the vendor's full fix can be tested and installed.
So far there are two approaches to the problem: software that runs on the servers being protected and an appliance that sits in front of the servers.
Determina makes the software called LiveShield and Blue Lane makes an appliance running protective software called PatchPoint.
In both cases, protective code that approximates the patch written by the vendor of the affected application blocks exploitation of the vulnerability while the real patch is still being tested.
“It’s a pretty new type of solution and there may be other vendors we haven’t run into yet,” says Matthew Jaquith, senior analyst with The Yankee Group.
The products allow patches to be scheduled at the convenience of network executives, which translates into cost savings, according to Bruce Fingles, CIO for MicroMuse, which beta tested the PatchPoint appliance.
PatchPoint “saves me a lot of time and money,” Fingles says. “We don’t have to stop everything else we’re working on when we do a patch.” Instead, he loads the Blue Lane fix for the identified vulnerability onto the PatchPoint appliance, which then protects the affected server.
With the server secured, his staff can test the patch issued by the application vendor to check whether it is compatible with other software running on the same server hardware, he says. “Most patches break one application or another. You really have to check them in a test environment.”
Before using the appliance, he considered whether the risk posed by the vulnerability was outweighed by the cost and disruption of installing the patch right away. “We did that kind of risk analysis,” Fingles says.
Determina and Blue Lane’s fixes are reverse engineered from the patches issued by software vendors, and that presents a leap of faith for customers, Yankee Group’s Jaquith says. “Both companies have the same challenge,” he says. “They don’t know everything the software vendors put into the patch. You have to hope their engineers are savvy. I think both vendors would concede that their software isn’t a replacement for a real patch.”
Both vendors limit the applications they support, but seem to be hitting widely used ones, Jaquith says. With its software running directly on servers and able to inject LiveShield code into applications as they are running, Determina seems to have the potential to deliver tighter control over vulnerabilities, Jaquith says. Blue Lane’s PatchPoint, on the other hand, monitors application traffic as it traverses the network and proxies client-server application exchanges to plug security holes, he says.
At a high level, PatchPoint acts like an intrusion-prevention device in that it takes in traffic, inspects it to Layer 7, performs stateful analysis and modifies the output, Jaquith says. Determina charges US$750 per server for its software, while Blue Lane charges either US$18,000 or US$50,000 for its two models.
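The mechanism Jaquith describes for PatchPoint, parsing each request up to the application layer and then either rewriting it or refusing it before the server ever sees it, is easy to show in miniature. The Python below is an added illustration written for this page; it is not code from Blue Lane, Determina or any product named here. The HTTP header names, the 64-byte limit and the two rule types are hypothetical stand-ins for whatever a real virtual-patch signature would check, and the sample requests are constructed. It models only the inspection step (no sockets), so it runs offline.

```python
"""Miniature application-layer 'virtual patch' filter.

A proxy of the kind described above reads a client request, parses it to
Layer 7, applies a rule that approximates the vendor's fix, and then either
forwards a (possibly rewritten) request or answers the client itself.
Everything here is illustrative: the rules and header names are invented
for the example and do not describe any real vulnerability or product."""
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass(frozen=True)
class MaxLenRule:
    header: str   # header name, matched case-insensitively
    max_len: int  # reject the request if the value is longer than this


@dataclass(frozen=True)
class StripRule:
    header: str   # header removed before forwarding (rewrite, not reject)


Rule = Union[MaxLenRule, StripRule]


class Malformed(ValueError):
    """Raised for input the filter cannot interpret unambiguously."""


def parse_request(raw: bytes) -> Tuple[bytes, List[Tuple[bytes, bytes]], bytes]:
    """Split a raw HTTP/1.x request into (request_line, headers, body).

    Deliberately strict: a request the proxy cannot parse must not be
    forwarded, otherwise the backend may interpret what the filter skipped."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise Malformed("no end of headers")
    lines = head.split(b"\r\n")
    if len(lines[0].split(b" ")) != 3:
        raise Malformed("bad request line")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise Malformed("bad header line")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def serialize(request_line: bytes, headers: List[Tuple[bytes, bytes]], body: bytes) -> bytes:
    """Re-emit the request in canonical form for the backend."""
    out = [request_line] + [name + b": " + value for name, value in headers]
    return b"\r\n".join(out) + b"\r\n\r\n" + body


def error_response(status: int, reason: str, detail: str) -> bytes:
    """Response the proxy returns to the client when it refuses a request."""
    body = detail.encode()
    head = (f"HTTP/1.1 {status} {reason}\r\nContent-Length: {len(body)}\r\n"
            f"Connection: close\r\n\r\n")
    return head.encode() + body


def apply_rules(raw: bytes, rules: List[Rule]) -> Tuple[str, bytes]:
    """Return ("forward", bytes for the server) or ("reject", bytes for the client)."""
    try:
        request_line, headers, body = parse_request(raw)
    except Malformed as exc:
        return "reject", error_response(400, "Bad Request", f"unparseable request: {exc}")
    for rule in rules:
        target = rule.header.lower().encode()
        if isinstance(rule, MaxLenRule):
            for name, value in headers:
                if name.lower() == target and len(value) > rule.max_len:
                    return "reject", error_response(400, "Bad Request",
                                                    f"{rule.header} exceeds {rule.max_len} bytes")
        else:  # StripRule: rewrite the request instead of refusing it
            headers = [(n, v) for n, v in headers if n.lower() != target]
    return "forward", serialize(request_line, headers, body)


# Hypothetical rule set standing in for a vendor-shipped virtual patch.
RULES: List[Rule] = [MaxLenRule("X-Session", 64), StripRule("X-Debug")]

# Constructed sample traffic.
GOOD_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: app.example\r\n"
                b"X-Session: abc123\r\nX-Debug: 1\r\n\r\n")
LONG_HEADER_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: app.example\r\n"
                       b"X-Session: " + b"A" * 300 + b"\r\n\r\n")

if __name__ == "__main__":
    for req in (GOOD_REQUEST, LONG_HEADER_REQUEST, b"garbage"):
        action, out = apply_rules(req, RULES)
        print(action, out.split(b"\r\n")[0])
```

Two details matter for the practitioner. First, the parser refuses anything it cannot interpret, because a filter that silently passes ambiguous input is one the backend may read differently, and that gap is exactly what an attacker looks for in a proxy-based shield. Second, a rule like this stops only the input pattern its author anticipated; the bug in the server is untouched, which is why the warning above that this is not a replacement for the real patch stands.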
Customers who try these products will have to consider that they are using very young technology that doesn’t have much track record yet, Jaquith says.
Both of Blue Lane’s appliances are available now. The G/250 costs US$18,000 and supports up to 30 servers. The G/450 costs US$50,000 and supports up to 200 servers. The company also makes a management appliance that can oversee up to 100 gateways and costs US$12,500.