Home > Citrix, De-Perimeterization, Security Innovation & Imagination, Take5, Virtualization, VMware, Vulnerability Assessment / Vulnerability Management > Take5 (Episode #5) – Five Questions for Allwyn Sequeira, SVP of Product Operations, Blue Lane

Take5 (Episode #5) – Five Questions for Allwyn Sequeira, SVP of Product Operations, Blue Lane

This fifth episode of Take5 interviews Allwyn Sequeira, SVP of Product Operations for Blue Lane.  

First a little background on the victim:

Allwyn
Allwyn Sequeira is Senior Vice President of Product Operations at Blue
Lane Technologies, responsible for managing the overall product life
cycle, from concept through research, development and test, to delivery
and support. He was previously the Senior Vice President of Technology
and Operations at netVmg, an intelligent route control company acquired
by InterNap in 2003, where he was responsible for the architecture,
development and deployment of the industry-leading flow control
platform. Prior to netVmg, he was founder, Chief Technology Officer and
Executive Vice President of Products and Operations at First Virtual
Corporation (FVC), a multi-service networking company that had a
successful IPO in 1998. Prior to FVC, he was Director of the Network
Management Business Unit at Ungermann-Bass, the first independent local
area network company. Mr. Sequeira has previously served as a Director
on the boards of FVC and netVmg.


Mr. Sequeira started his career as a software developer at HP in the
Information Networks Division, working on the development of TCP/IP
protocols. During the early 1980’s, he worked on the CSNET project, an
early realization of the Internet concept. Mr. Sequeira is a recognized
expert in data networking, with twenty five years of experience in the
industry, and has been a featured speaker at industry leading forums
like Networld+Interop, Next Generation Networks, ISP Con and RSA
Conference.

Mr. Sequeira holds a Bachelor of Technology degree in Computer
Science from the Indian Institute of Technology, Bombay, and a Master
of Science in Computer Science from the University of Wisconsin,
Madison.   

Allwyn, despite all this good schoolin’ forgot to send me a picture, so he gets what he deserves 😉
(Ed: Yes, those of you quick enough were smart enough to detect that the previous picture was of Brad Pitt and not Allwyn.  I apologize for the unnecessary froth-factor.)

 Questions:

1) Blue Lane has two distinct product lines, VirtualShield and PatchPoint.  The former is a software-based solution which provides protection for VMware Infrastructure 3 virtual servers as an ESX VM plug-in whilst the latter offers a network appliance-based solution for physical servers.  How are these products different than either virtual switch IPS’ like Virtual Iron or in-line network-based IPS’s?

IPS technologies have been charged with the incredible mission of trying to protect everything from anything.  Overall they’ve done well, considering how much the perimeter of the network has changed and how sophisticated hackers have become. Much of their core technology, however, was relevant and useful when hackers could be easily identified by their signatures. As many have proclaimed, those days are coming to an end.

A defense department official recently quipped, "If you offer the same protection for your toothbrushes and your diamonds you are bound to lose fewer toothbrushes and more diamonds."  We think that data center security similarly demands specialized solutions.  The concept of an enterprise network has become so ambiguous when it comes to endpoints and devices and supply chain partners, etc. we think its time to think more realistically in terms of trusted, yet highly available zones within the data center.

It seems clear at this point that different parts of the network need very different security capabilities.  Servers, for example need highly accurate solutions that do not block or impede good traffic and can correct bad traffic, especially when it comes to closing network-facing vulnerability windows.  They need to maintain availability with minimal latency for starters; and that has been a sort of Achilles heel for signature-based approaches.  Of course, signatures also bring considerable management burdens over and beyond their security capabilities.

No one is advocating turning off the IPS, but rather approaching servers with more specialized capabilities.  We started focusing on servers years ago and established very sophisticated application and protocol intelligence, which has allowed us to correct traffic inline without the noise, suspense and delay that general purpose network security appliance users have come to expect.

IPS solutions depend on deep packet inspection typically at the perimeter based on regexp pattern matching for exploits.  Emerging challenges with this approach have made alert and block modes absolutely necessary as most IPS solutions aren’t accurate enough to be trusted in full library block. 

Blue Lane uses a vastly different approach.  We call it deep flow inspection/correction for known server vulnerabilities based on stateful decoding up to layer 7.  We can alert, block and correct, but most of are deployments are in correct mode, with our full capabilities enabled. From an operational standpoint we have substantially different impacts.

A typical IPS may have 10K signatures while experts recommend turning on just a few hundred.  That kind of marketing shell game (find out what really works) means that there will be plenty of false alarms, false positives and negatives and plenty of tuning.  With polymorphic attacks signature libraries can increase exponentially while not delivering meaningful improvements in protection. 

Blue Lane supports about 1000 inline security patches across dozens of very specific server vulnerabilities, applications and operating systems.  We generate very few false alarms and minimal latency.  We don’t require ANY tuning.  Our customers run our solution in automated, correct mode.

The traditional static signature IPS category has evolved into an ASIC war between some very capable players for the reasons we just discussed.Exploding variations of exploits and vectors means that exploit-centric approaches will require more processing power.

Virtualization is pulling the data center into an entirely different direction, driven by commodity processors.  So of course our VirtualShield solution was a much cleaner setup with a hypervisor; we can plug into the hypervisor layer and run on top of existing hardware, again with minimal latency and footprint.

You don’t have to be a Metasploit genius to evade IPS signatures.  Our higher layer 7 stateful decoding is much more resilient. 

2) With zero-days on the rise, pay-for-play vulnerability research and now Zero-Bay (WabiSabiLabi) vulnerability auctions and the like, do you see an uptake in customer demand for vulnerability shielding solutions?

Exploit-signature technologies are meaningless in the face of evanescent, polymorphic threats, resulting in 0-day exploits. Slight modifications to signatures can bypass IPSes, even against known vulnerabilities.  Blue Lane technology provides 0-day protection for any variant of an exploit against known vulnerabilities.  No technology can provide ultimate protection against 0-day exploits based on 0-day vulnerabilities. However, this requires a different class of hacker.

3) As large companies start to put their virtualization strategies in play, how do you see customers addressing securing their virtualized infrastructure?  Do they try to adapt existing layered security methodologies and where do these fall down in a virtualized world?

I’ve explored this topic in depth at the Next Generation Data Center conference last week. Also, your readers might be interested in listening to a recent podcast: The Myths and Realities of Virtualization Security: An Interview. 

To summarize, there are a few things that change with virtualization, that folks need to be aware of.  It represents a new architecture.  The hypervisor layer represents the un-tethering and clustering of VMs, and centralized control.  It introduces a new virtual network layer.  There are entirely new states of servers, not anticipated by traditional static security approaches (like instant create, destroy, clone, suspend, snapshot and revert to snapshot). 

Then you’ll see unprecedented levels of mobility and new virtual appliances and black boxing of complex stacks including embedded databases.  Organizations will have to work out who is responsible for securing this very fluid environment.  We’ll also see unprecedented scalability with Infiniband cores attaching LAN/SAN out to 100’s of ESX hypervisors and thousands of VMs.

Organizations will need the capability to shield these complex, fluid environments; because trying to keep track of individual VMs, states, patch levels, locations will make tuning an IPS for polymorphic attacks look like childs play in comparison.   Effective solutions will need to be highly accurate, low latency solutions deployed in correct mode. Gone will be the days of man-to-man blocking and tuning.  Here to stay are the days of zone defense.

4) VMware just purchased Determina and intends to integrate their memory firewall IPS product as an ESX VM plug-in.  Given your early partnership with VMware, are you surprised by this move?  Doesn’t this directly compete with the VirtualSheild offering?

I wouldn’t read too much into this. Determina hit the wall on sales, primarily because it’s original memory wall technology was too intrusive, and fell short of handling new vulnerabilities/exploits.

This necessitated the LiveShield product, which required ongoing updates, destroying the value proposition of not having to touch servers, once installed. So, this is a technology/people acquisition, not a product line/customer-base acquisition.

VMware was smart to get a very bright set of folks, with deep memory/paging/OS, and a core technology that would do well to be integrated into the hypervisor for the purpose of hypervisor hardening, and interVM isolation. I don’t see VMware entering the security content business soon (A/V, vulnerabilities, etc.). I see Blue Lane’s VirtualShield technology integrated into the virtual networking layer (vSwitch), as a perfect complement to anything that will come out of the Determina acquisition.

5) Citrix just acquired XenSource.  Do you have plans to offer VirtualShield for Xen? 

A smart move on Citrix’s part to get back into the game. Temporary market caps don’t matter. Virtualization matters. If Citrix can make this a two or three horse race, it will keep the VMware, Citrix, Microsoft triumvirate on their toes, delivering better products, and net good for the customer.

Regarding BlueLane, and Citrix/Xensource, we will continue to pay attention to what customers are buying as they virtualize their data centers. For now, this is a one horse show 🙂

  1. August 21st, 2007 at 20:04 | #1

    Wow, I SWEAR that was Brad Pitt when I first opened this article!
    Yeah, I can rationalize both sides of the work/social life argument as well, but today I was caught being a bit cynical about the whole issue, for various reasons.
    But you're absolutely correct. Work is work, and one can leave and find another job. There's tons of jobs! That's really the long and short of it, the rest is just foreplay.

  2. Kyle C. Quest
    August 22nd, 2007 at 10:08 | #2

    Chris, please stop helping BlueLane to spread their propaganda that somehow they have a technology that's totally different than what's done in IPS systems. Allwyn keeps spreading the misconception that "IPS = signature matching systems". This is completely inaccurate. Sure, there are IPS systems that use signatures, but there are many IPS vendors that do NOT use regex or other string based signatures. Even in Snort they have protocol misuse based filters that don't use signatures. Another misconception is that somehow BlueLane was the first company who ever thought about using vulnerability-based detection methods and virtual patches. This is completely NOT true. Looking at ISS Xforce website can quickly show you the opposite.

  3. August 22nd, 2007 at 10:35 | #3

    Kyle:
    Here are a few links to get you caught up with Blue Lane: http://www.networkcomputing.com/galleries/showImahttp://www.infoworld.com/slideshow/2007/01/30-200http://www.networkcomputing.com/showArticle.jhtmlhttp://www.microsoft.com/presspass/press/2007/aug
    Chris Hoff was a Blue Lane customer. CMP, IDG and Microsoft have also had hands-on experience with our technology and similarly have no dark conspiracy to spread untruths. The links above will take you to their perspectives.
    Greg

  4. August 22nd, 2007 at 10:40 | #4

    Kyle:
    Firstly, if you're going to leave a comment, can you leave a way of contacting you so we can have a conversation? I've seen you post over on Matasano's site and fulldisclosure, but I'm not convinced I have the right contact details for you.
    I get the feeling you're implying that I have some sort of agenda as a marketing shrew for BL. I'm not going to take that personally because I suppose asking questions and posting them outright without edits comes with that potential stigma. Oh well.
    Secondly, I asked the question about how what they do is different from IPS technologies. The point is to invite discourse and debate on the topic. I'm not offering anything to Blue Lane that I wouldn't offer to anyone else. If you have a differing opinion, step up and we'll do a front page blog post about it.
    Lastly, the format of the Take5's is based off an emailed set of five questions I send the person I am interested in hearing from. They're not particularly hard hitting, but they're not intended to be pure marketing drivel, either. I expect that if people have questions/comments regarding the post, they'll pipe up.
    You have, and I appreciate it. However, using generalizations to counter generalizations that you're allergic to doesn't do much to provoke intelligent debate. It's tit for tat.
    I like Blue Lane's products. It solves some business problems that other products FOR NOW do not solve as elegantly — and they do so in a way that is operationally more cost beneficial in an analysis I did when I bought their product.
    If you want to talk about this more, you can email me…
    /Hoff

  5. August 22nd, 2007 at 10:58 | #5

    Kyle:
    Not sure which IPS vendor you represent, but here are a few comments:
    1. Firstly, if you truly stand behind your comments, then I challenge you to turn ON ALL signatures (or whatever you wish to call them) in BLOCK mode. Afterall, that is what the evolution from IDS to IPS was supposed to represent. Once the dust settles on the havoc you create in an enterprise turning on all signatures, please feel free to send me a note.
    2. If these are not exploit-chasing signatures, then why do we have 10,000 or more of them. Last time I checked, there are far fewer vulnerabilities.
    3. Why do we even have the notion of "High Fidelity" signatures, or "Confidence rating" on signatures. Does that mean the rest are "Low Fidelity", or that the vendor has low confidence in the rest. If that's so, why pass that burden on to the customer? Why does the customer have to "tune" signatures – shouldn't that be the responsibility of the vendor?
    All we're saying is that the right way to go about protecting SERVERS is not exploit-centric signatures that rely on hardware-assist for regexp processing and deep packet inspection, but rather to truly understand client-server flows and process them all the way up the stack, including things like RPC/DCOM fragmentation & re-assembly, for example.
    There is a time and place for signatures – it is great perimeter defense for known exploits. Server protection places additional onus on the vendor.
    /Allwyn

  6. Zoran Tedehur
    August 22nd, 2007 at 11:20 | #6

    Kyle,
    Regarding the statement about ISS, I would like to add that I respect the great work provided by the X-Force but ISS never used vendor patch behaviours to developp their signatures (could they be regex-based or "protocol anomaly" based… Perhaps you think ISS is doing something similar to Blue Lane because you saw the words "virtual patching" everywhere in ISS marketing propaganda. Even if Allwyn oversimplifies a little bit when he says that all IPS signatures are based on regexp (which is true in probably more than 80% of the cases…), the thing is that the more you go away from regexp, the more you're prone to false positives and the more you use regexp, the more easyly can the signatures be evaded… Not a simple dilemna as you can see…
    Blue Lane approach is different as they use the vendor patch behaviours to code their signatures, thus reducing dramatically the number of false positives (Zero FP's in theory but I'm not a big fan of 0% or 100% statements 😉
    /Zoran

  7. Kyle C. Quest
    August 22nd, 2007 at 14:23 | #7

    Chris, I didn't mean to imply that you were "on it". I know that you like their product and you believe in its usefulness. I remember our talk about BlueLane when I visited Crossbeam 🙂 And I'm not saying it's not a useful product. It is. What I wanted to point out is that virtual patches and vulnerability-based detection are not concepts that BlueLane invented. Those concept have existed before BlueLane and they have been implemented in some shape or form before BlueLane's product.
    Allwyn, I don't represent any IPS vendor. I'm the Principal Security Architect for Vericept, a Data Leak Prevention company.
    However, my background is in firewalls,IPS,UTM,application firewalls and a whole bunch of other security technology. I just hand to speak up. It's not uncommon for competing vendors to put down the products and technologies by other vendors. The most common put down I remember hearing (when I did work for an IPS vendor) was about Snort… and that all it does is just simple stateless string matching on raw data. I always spoke up pointing out that it might have been true when Snort was originally created, but now it does so much more. It decodes some of the protocols, has protocol misuse detection plugins, has many ways to write stateful rules, has generic data analysis instruction to skip over data and then interpret a data chunk as a specific type of data and perform logical operations on it, etc. (And no, I didn't work for SourceFire… I'm not even a big fan of Snort).
    The point is that this is a clear case of marketology.
    BlueLane guys might even believe it it themselves, but
    it doesn't make it true (back in the middle ages people
    believe that the world was flat… but we all know
    what happened there :-)).
    Chris, you asked for examples… I'll use TopLayer
    (which is actually the company I used to work for).
    There are more than just a couple of cases
    where their filters were designed to perform checks
    based on the Microsoft patches (e.g., a buffer
    length check in some field).
    Overall Allwyn's comments indicate he doesn't really
    understand the IPS and related technologies…
    how they work… and what they are trying to solve…
    and the approaches that they've taken and why.
    And that's ok… He didn't come from a security
    world and he had to learn on the job. And that's
    probably one of the reasons why he's making
    these statements. I've been putting off publishing
    a book on this topic for quite some time. Maybe
    after a few more encounters like that I'll
    finally do it 🙂 That way maybe people will
    have a better understanding of the technologies
    used and the reasons behind that.
    Greg,
    I remember you promised a review of your product,
    but the discussions we had didn't result in anything.
    You didn't deliver on any of your promises.
    Chris, this blog thing does ask for a email,
    so I assumed that you have access to it.
    Either way, my contacts are
    kyle.quest@vericept.com or kquest@unital.com

  8. August 22nd, 2007 at 14:52 | #8

    Kyle:
    Lets face it… IPS vendors have conceptually claimed everything (even before they could deliver); so from your standpoint everything that can be invented has and there are no tired architectures now hunting for new ASICS. Saying conceptually it is nothing new is a cop out. I can remember back in 2003 some IPS "pioneers" recommending deploying all sigs in blocking… so I guess you'll say that has been conceptually done. The proof is in the pudding. Blue Lane has submitted its solutions to numerous third parties and they have supported our technological differences and our claims.
    We have submitted our product for numerous independent reviews. Asking us to prioritize a security vendor briefing and eval is kind of unreasonable. I did offer it up months ago because at the time we had not been reviewed. You and Allwyn had busy schedules. But now that Infoworld, Network Computing and the Microsoft Interoperability Lab has weighed in, I think there is ample data to suggest that Blue Lane represents genuine innovation when it comes to the unique requirements of server security. Perhaps you can point us in teh direction of the signature-free, tuning free, IPS? By that I don't mean an IPS with sigs turned off.
    Greg

  9. August 22nd, 2007 at 15:23 | #9

    @Kyle:
    Thanks for the email linky. I'll ping you shortly. I didn't put 1 and 1 together on your name, sorry! I also found where the email is logging when it's not linked to the URL within my uber blog console.
    I think that you may have described the perfect departure point in the debate here…perhaps (and I've stated it before) the problem that IPS solutions in general are trying to solve is different than that of Blue Lane's positioning.
    Could this be a case of trying to use the same words to describe different problem spaces/approaches? It's not hard to see how BL ends up comparing to an IPS, but I think (and I've said it before) if you don't get caught up in the religion and look at the business problem, the value is there…
    I think Greg has a point about the priorities of testing/bake-offs, however 😉
    @Greg/Allwyn:
    I think the discussion has fallen into the same trap it often times does; trust me when I tell you that you're not going to change Kyle's mind…however, I think that the IPS vs. BL argument is old and tired and new schtick is needed.
    I can understand where Kyle (and others) are coming from, I'm just not technically articulate enough to defend the arguments properly 🙁
    We've got to find a way to isolate the religion/dogma from the tech.
    Perhaps corner cases and specific examples with a side-by-side approach would work.
    /Hoff

  10. Kyle C. Quest
    August 22nd, 2007 at 16:45 | #10

    Gotta love marketing guys :-)))
    The Microsoft thing… only says that the BlueLane device is an ok proxy that doesn't break the application traffic when it's put in line. It doesn't prove an any kind of innovation…
    The magazine reviews… well, there's not much weight there because they didn't really do anything special to dissect the technology and its capabilities to uncover any kind of holes. Those kind of things are usually semi-scripted and only touch the surface of whatever product that's reviewed. And that applies to most product those guys review. The only decent and somewhat technical magazine reviews have been performed by Joel Snyder in NetworkWorld. He and his team actually took the security devices they tested to the failure points.
    Greg, don't put words in my mouth. I didn't say everything that can be invented has been… I said specifically that there's prior art when it comes to "virtual patching" and "vulnerability-based detection methods". Try googling it 🙂
    Here's a couple of links talking about IBM/ISS technology: http://www.security-express.com/archives/sf/ids/2http://www-935.ibm.com/services/us/index.wss/offe
    As far as IPS systems go they do try to do a lot of thing.
    This is the reason they often try to combine multiple technologies together (the first link is an example of that where ISS is using multiple technologies). However, I do remember seeing products that had no signatures what-so-ever. There's a number of them. I good place to see them are RSA Conferences 🙂

  11. August 23rd, 2007 at 08:15 | #11

    Kyle… not disrupting traffic when in line is enough of an innovation that Microsoft invited us into their labs to test. There are some vendors claiming to be the "best IPS" for Microsoft that have yet to cite Microsoft as a proofpoint. When your former employer comes out of the Micorosft Interoperability lab with a press release from Microsoft… to say it is indeed the best IPS for Microsoft I'll be the first to say congrats. If one of your customer's blogs about how great it is, rest assured that I won't have the time to spend refuting it based on my take on the collateral or my "love to tune".
    As for "multipel technologies": If you stir up enough of a cloud of potentials you can be everywhere with nothing. That is an off topic "shell game" (called poor marketing by some of us).
    Signatures are crumbling and many intrusion "protection" appliances have signature-based policies at their core. Allwyn's point was similar to that made at RSA (by Coviello) "signatures are crumbling". You can call that marketing or hype or vendor shill, whatever you want. You can even say that conceptually, all application vulnerabilities have been protected by signatures (virtual patches) for some time, and what Blue Lane does is nothing new. You can even say that based on a cursory review of our datasheets that you know more about our appliance than Infoworld, Network Computing, Interop or Microsoft. The reviewer that you truely and absolutely trust (who -I agree- is actually excellent) wasn't involved so are claims are invalid. You would be wrong on all counts. BTW- it was Network Computing that was among the first to "call BS" on the blocking with signatures myth. Maybe that is what got them off on teh wrong foot with you.
    There are impressive security technologies out there for protecting the network. Considering that they have had to adjust to dramatic changes in attack tactics, tools and virtually open source cooperation on the other side… they've done well. Allwyn's point is that when it comes to servers a new security layer is required; one that delivers very high availability and accuracy without reliance on mere detection or blocking. One that truly emulates the corrective actions of a security patch. In concept everything has been claimed… maybe you're right there. But I don't see many of those claims holding up to independent scrutiny by respected reviewers. And Chris Hoff, who has seen his fair share of these systems, seems to understand enough to take plenty of "you shill" cheap shots when talking about Blue Lane.
    And of course I know that you're way above "mere marketing" and your comments here (based on review of our website and collateral" are merely low layer amusements for you. You certainly don't have a vendor agenda. ANd your disdain with Hoff's interest in our product is merely an objective reaction from an objective technologist. There is absolutely no marketing in your comment that started this dialogue:
    +++"Chris, please stop helping BlueLane to spread their propaganda that somehow they have a technology that's totally different than what's done in IPS systems. Allwyn keeps spreading the misconception that "IPS = signature matching systems". This is completely inaccurate."++++

  12. Kyle C. Quest
    August 23rd, 2007 at 11:52 | #12

    I'll give full reply once I'm back from Europe…
    In the mean time, here are a couple of points:
    I don't care about IPS, UTM, firewall, whatever technology.
    Technology is just a tool, but I do care about misrepresentation,
    which was taking place. I'm not in any shape or form connected with my former employer and I have no interest in making them or any other IPS vendor look better.
    The trend in IPS and UTM is to combine a lot of functionality together. When you throw in vulnerability-fingerprints, with anomaly signatures, and audit signatures you'll end up with a mess because there's no default out of the box. Company X may have certain compliance requirements that Company Y doesn't, so they wouldn't use certain audit signatures, etc. There's just so much there.
    BlueLane's product is a good product that has its use. And you did a good job with it. I always said that. It's really a specialized IPS (but you wouldn't call it that way because you don't want to go head to head with big guns like Cisco and IBM because the customer will go with them; that's a common marketing strategy that a number of UTM companies are also taking). And because it's so specialized it's much easier to have fewer configuration requirements, etc…

  13. August 23rd, 2007 at 13:55 | #13

    You two wanna get a room? 😉
    Let's find a more constructive forum for this discussion.
    We need an IPS vs. BL smackdown…objective, of course…
    I still maintain that y'all are arguing semantics and that the
    language is what is at odds with the context here.
    I'll think of a way to take this excellent debate to a different
    level (literally.)
    /Hoff

  14. August 23rd, 2007 at 18:01 | #14

    It doesn't matter if Chris is a Blue Lane crony. Things happen in industry. But Allwyn is one of the most energetic, passionate and aggressive professionals I have ever known!

  15. August 23rd, 2007 at 20:08 | #15

    HA! Crony!
    To be a crony, don't I have to be on the take or something!?
    I must have done it wrong, because I paid *them* for the privilege of all this needling and abuse since I purchased their product and used it. 😉
    I simply *must* get better nefarious industry backroom skills!
    Can we discuss the efficacy of the product now instead of playing a game of personality "tag, you're it!"…
    /Hoff

  16. Kyle C. Quest
    August 23rd, 2007 at 23:31 | #16

    While I'm waiting for my plane in Amsterdam I'll mention a couple of things I didn't have time to say in my last post…
    1. What does my former employer have to do with this?
    Was I promoting them? Was I ever saying they are great?
    Was I even promoting IPS for that matter? I have no
    relationship with my former employer and I don't speak
    for them or for their product. Just like any implementation
    they have a lot of areas that need work and that are
    not so great. I also never said that the traditional
    IPS products on the market were great. For some reason
    you want to throw me into that "IPS guys" market,
    so it's easier for you to attack me and dismiss
    the points I was making.
    2. Yes, I do know more about your appliance than
    Infoworld and Network Computing when it comes
    it its security capabilities. And it's because
    I actually know the science of vulnerabilities,
    exploits, and protection mechanisms. And just
    like with the laws of physics there are laws
    in those fields where 2 plus 2 is 4 and no matter
    how much your marketing tries to claim that its
    5 it doesn't make it so. Just a simple analogy….
    This is actually referring that magic approach
    you mention where you "truely emulate the corrective
    actions of a security patch". Yes, it is possible
    to do it for simple cases, but for more complex
    applications it's just not going to work. Ask
    any security technology heavyweight about this
    (Matasano guys are good example, or NGSSoftware
    guys, or BreakingPoint guys, etc) and they'll
    tear you to pieces on this. Luckily for you
    you deal mostly with simple cases protecting
    only servers…
    I'm done on this topic.
    Once again… you seem to miss my comments about your product being a good and useful product and keep thinking that I'm putting down the product. That's not the case… I was simply trying to correct the misrepresentation of other technologies and some of the concepts you utilize.

  17. Doug Louis
    August 24th, 2007 at 07:23 | #17

    I was keeping myself out of this until now. Here are some points. Before that some disclaimer: I am a Bluelane customer. And before them, had IPS systems from couple of vendors. I have enough clout to throw any system out of my IT dept if it doesn't work, so will not try to justify my purchase any day.
    Two years ago I hired a couple of consultants for 6 months to tune my IPS system. Finally got the systems in a shape where they were working reasonably well. But every time there was a signature update released with recommended state as "OFF" I had to get back to the tuning part. And believe it or not even for highly critical vulnerabilities such as MS06-040 that was the scenario. I have Bluelane for over a year now.
    Kyle, when you say that "Luckily for you you deal mostly with simple cases protecting only servers…" – I dont understand where you are coming from. BLuelane does advertise in Black and White that they protect only servers. They do not do clients – period. So I dont see them misrepresenting their product in any way. If all server vulnerabilities happen to be the simplest of cases then Voila – what does they have to got to do with it. If Server vulnerabilities are simple and easy to fix, then they must be easy to exploit too. Well then BLuelane is targeting the right market segment. In the past one year I havent seen them not releasing an inline patch for a remote server vulnerability. And they go back and cover all patches for last 3-4 years. They will cover all remote server vulnerabilities. How much more data point do u need?
    Now lets come to the how part of the technology and the quality. They do not have 5000 inline patches. They have only about 500 inline patches for the applications they support. If it was as easy for them to add patches ("I hate to call them signatures") what would stop them from adding another 5000 patches and claim protection for everything that IPS also can. The bottom-line is they cant, at least not while keeping their current claims of no false +ves and no false -ves which BTW is perfectly correct. I have enough MSFT savvy folks in my group. When we were trying out the product we did not throw all known exploits to the system. Our guy started with one vendor patch to validate their claims. Using Metasploit3, we tried all possible ways to attack the server through BLuelane. Each time we saw one alert on their system, specifying the vendor patch id that detected the attack. No bypass, No doubts. I tried the same on my IPS. It did stop many of the attacks, not all though. And here's the interesting part, for some of the variants it could not exactly identify the vulnerability. My guy is telling me that those were the cases when the packets were fragmented at application level. Unless you mimic the application behavior on your inline system I do not see any way of achieving what Bluelane has done. It just has to be a perfect implementation of the server to get to that level. No number of signatures can model 10,000 lines of Windows code.
    Lets talk about the false +ve. 365 days and counting – I have not seen a single false alarm in their system. If Microsoft ran 3K test cases substantiating this I wont be surprised. I know and all of us know that No IPS system (with their signatures turned ON :-)) will ever survive that.
    Both IPS and Bluelane might be trying to do the same job in the end, protecting against vulnerabilities, but I don’t see IPS's coming close to it in terms of accuracy. Yes Bluelane specializes in server only, but thats their forte. I wouldnt expect them to handle client vulnerabilities which are spread all over the map. They wouldnt be able to do their job right then. Try it out. You will love them. Next on my agenda is their VirtualShield…
    Have a wonderful weekend. I am outta here..
    -DL.

  18. August 27th, 2007 at 14:10 | #18

    Kyle:
    If you can glean more from website content about the capabilities of a server security appliance (than teams of independent testers for leading pubs and software) than let me give you a tip o the hat. That is clearly why I'm still in marketing.
    My initial interest here came when you suggested that Chris may be a shill for "spreading propoganda" about Blue Lane. When I responded you were quick (no pun intended) for playing on my marketing background. I'll give you another tip o the hat. Chris invited us to answer some questions about the category and our differences.
    The netsec category has been stirred up with more FUD than perhaps any other category. I wish I had a share of VMW for every analyst briefing that starts out with what sigs we use to protect servers. That hasn't come from us, its nowhere on our site (but you knew that already).
    I don't see an esteemed technologist saying that "there is nothing new conceptually" based on a website content review as contributing to the discussion. I didn't see your post to Chris as an interest in discussion or in addressing the challenges of pattern matching attacks in front of critical servers (which we both know is a key capability for many IPS systems).
    It would have been one thing if this was my blog and I was babbling about endpoint security and the power of SNORT; that was Chris, his blog and our vendor legacy with him. I would have been more deferential to your accomplishments if you had said that you actually tested or deployed our product.
    But I was frankly floored by your very fast critique of our claims (based on a very cursory review), which others have substantiated. But then I've never been able to truly judge a book by the cover only. So maybe thats why I'm still in marketing.
    Maybe at an upcoming event you Chris and I can sip some single malt… and after a few drinks I too will be in awe. I'm just not there yet. But I'll raise a glass to you're ample right to disagree and even hunt down our customer's blogs (telling the world we're different) and suggest they're shillin' for BL. Chris isn't the only one by the way.
    Anyway… nexyt time you're in town (and schedules permit) I'll invite Allwyn to join us. If you make us feel guilty enough (for the back and forth) we'll pay the tab. Deal?

  1. No trackbacks yet.