Blue Lane Technologies: Patching servers in the network

For managers of enterprise datacenters, the endless stream of security patches from Microsoft, Oracle, and other software vendors (not to mention open source projects) has been a prime source of frustration. For Blue Lane Technologies, it has provided a golden opportunity.

Perhaps IT's least-favorite necessary evil, security patches are disruptive, time-consuming, and risky. They arrive unannounced or on the vendor's timetable, with no respect for your own well-considered change management processes. And like any change, they need testing before deployment. Even if testing goes smoothly, there's always a chance they'll introduce some new problem or other. Thus the need for security is pitted against another datacenter imperative: system availability.

The founders of Blue Lane had a better idea: implement security patches in a network appliance that fronts the servers, and every server could be protected against software vulnerabilities without having to make changes to the servers themselves. IT could install the actual patches later, on its own timetable. 

"The idea," according to CEO Jeff Palmer, "was in effect [to] secure servers by delivering the capability of a server patch operating on the client server protocols on the network, with no new code on the server until you're ready." IT shops would reap the benefits of patching without rushing into action and without risking unplanned downtime.

Palmer says the Cupertino-based company "started out with literally a whitepaper… a mathematical analysis demonstrating that you could achieve the same end state by operating on network traffic before the traffic arrived at the server as if you actually made the modification on the server." That led to a prototype and then to funding.

"Our first year was spent looking at all the major vulnerabilities, all the security patches dating back to Jan. 1, 2003," remembers Allwyn Sequeira, Blue Lane's senior vice president of product operations. "We spent a lot of time ensuring that in fact we could fix the underlying vulnerability on the network."

Coming to market in the wake of countless signature-based IPSes, Blue Lane has fought an uphill battle communicating the true nature and novelty of the solution. As CEO Palmer explains, "Sometimes people say, 'Hey, a network appliance in front of the server, trying to protect it. Geez, you must be a signature-based solution.'

"No no no," he pleads. "This is really working on the protocol level, on the root cause to the known vulnerability, and correcting that on the wire. Frankly, it's indifferent to exploits. There's no sense of good traffic or bad traffic. It's just shutting off the loophole much as a vendor security patch would."

Product VP Sequeira notes a number of advantages over signature-based solutions. First, Blue Lane doesn't have to keep up with the enormous volume of exploits, but can focus on the smaller number of vulnerabilities. Second, because the inline patch proxy is not blocking threats, but modifying TCP traffic streams, it is not susceptible to false positives. And third, he says, performance is better than signature-based products.

The efficiency of the software was key to Blue Lane's most recent move, which was to release a version of the patch proxy that runs inside the VMware ESX hypervisor. An early customer, VMware encouraged Blue Lane to bring the technology into the virtualized environment. "The value proposition of shielding servers without introducing any new code or agents on the individual VMs fits hand in glove with the hypervisor model," Palmer says.

Virtualization presents exciting possibilities, agrees Sequeira, who sees a big opportunity for Blue Lane to bring greater visibility and protection to virtualized environments, thanks to its vantage point in examining the traffic flows into and out of the hypervisor and its VMs.

"Just like virtual servers are very quickly getting instantiated and deployed," says Sequeira, "the security ought to follow, and it ought to follow in real time… through policies that are location independent, application- and protocol-aware, and that can migrate with the VMs."