Ever wish there was a way to tear down the absolute power granted to Domain Admins or Root users? Do you wish that there was a way that with even these godlike users, you could prevent them from accessing highly-secured security log data, or restrict their access to applications, or even prevent them from peering into financial information they shouldn't have access to?

It is possible, but not with Microsoft's native tools. I wrote a series of white papers for CA called the Cost of Doing Nothing series. In this series I talk about some of the problems with Identity and Access Management, and how not incorporating enterprise-quality tools can actually be a cost to the organization.

Only now is the first of these being released to the public. From this first paper, titled Superuser Containment, learn a bit about the problems of containing those nasty superusers and why you should care about their access:

What Are Superuser Privileges and Why Should You Care?

The idea of "superuser privileges" encompasses those with the highest level of access in the network OS. For individual Microsoft Windows systems, that user is Administrator. For Microsoft Windows systems connected into an Active Directory (AD) domain, the Domain Administrator account is added to the list. For many Linux and UNIX systems, the user is root.

One of the biggest problems with these accounts is with their native architecture. In the UNIX world, the only user with default superuser privileges is the root account. To complete a system-level task in UNIX, the operator must login with their standard credentials and elevate themselves to root. This means that the root user along with its password is often shared among all administrators performing administrative duties. A similar problem is true in Microsoft Windows where Windows administrators use their Domain Administrator-level permissions as their standard login.

The sharing of these top-level accesses is in violation of the computing principle of least privilege, which is "the computing concept of access or functionality within an operating system whereby a user or program is granted minimum possible privileges to permit an action. In doing so, the operating system as a whole is not exposed to unwarranted or excessive actions that may cause damage or promote further negative actions"( Source: http://en.wikipedia.org/wiki/Least_privilege). The native architecture of these OSs provides complete and total access to the superuser. The superuser can effectively perform any action on any data object within that superuser's scope of management. Thus, sensitive, classified, or inappropriate information housed within the superuser's network is automatically and always available to the superuser--whether they should have access to that information or not.

The rest of the paper continues on with the problem and identifies why not incorporating the right solutions can really hurt your organization. Get your copy here (registration required).

Digg it!

Sphere it!

Del.icio.us

Reddit!

Newsvine

Posted by Greg Shields | Permalink | Comments (0) | TrackBacks (0)

The WSUS Team announces that the Windows Update Agent (WUA), commonly known as the "WSUS Client" will see an update starting some time around the end of July. When WSUS clients attempt to contact WSUS servers or Microsoft's equivalent Microsoft Update servers, they always check to see if there are self-updates ready for deployment.

Depending on how you've configured your download and installation settings via Group Policy, the client may self-update before your usual scheduled time. Or, it may occur as part of your regularly scheduled updates. More information on how your settings impact when you'll see the upgrade can be found at the WSUS Team blog here.

What can you expect from the new update? No changes in the user interfaces, but some improvements to its core engine. From the WSUS Team Blog:

So what are we doing this time? Well, this particular update won't really change the way the client looks or feels to you, but you may notice some improvements in the length of time it takes Windows Update to scan for updates and how quickly you'll receive signature updates. For example, in this update, we've invested heavily in reducing the amount of time it takes the Windows Update agent to scan to see if new updates are available. In this case, we've seen some instances of the scan times on some machines decreasing almost 20 percent.

Digg it!

Sphere it!

Del.icio.us

Reddit!

Newsvine

Posted by Greg Shields | Permalink | Comments (0) | TrackBacks (0)

Offline virtual machines are a big security headache for organizations. Because virtually all security patching and updating tools assume (and require) that machines are turned on for them to successfully do their work, your libraries of virtual machine templates aren't getting updated as they should.

Today I was poking around Microsoft beta site and discovered that they are working on an Offline Virtual Machine Servicing Tool. The product is yet in beta, and I don't know much more than its name and what I assume it intends to do. But its worth mentioning here, because this problem is a stealth killer in pretty much all organizations that use virtual machines to any extend.

You can sign up for the demo program at this site. If you're using virtual machines at all, consider keeping up on this topic, because the security of your powered off VMs can come to bite you at some point in the future.

Digg it!

Sphere it!

Del.icio.us

Reddit!

Newsvine

Posted by Greg Shields | Permalink | Comments (0) | TrackBacks (0)

In the same MyITForum.com newsletter where I got this other tantalizing piece of IE info, I also read a pass-through post where Robert Hensing deconstructs some misinformation posted by the USA Today. Specifically, he finds that in reading through the lists of vulnerabilities by browser edition, IE7 on Windows Vista has shown significantly fewer vulnerabilities than Firefox. For 2007, IE7 had 40 unique vulnerabilities, while Firefox had 67. For 2008, IE7 has seen 3 vulnerabilties so far, while Firefox has seen 24.

The main reason for this, as I've mentioned before, has to do with the incorporation of integrity levels within the Vista core OS. Robert writes:

Finally let us not forget that IE7 on Vista runs at LOW integrity preventing write access to the majority of the file system and registry so standard off the shelf exploits written for IE7 that assume the user has write access to various ASEPs will fail to install persistent malicious software on Vista whereas that's not the case with FF 2.x and 3.x which run at Medium IL and therefore have write access to the per-user ASEPs on the system allowing exploits to quite easily backdoor a users profile.

So not only is IE7 less likely to have a security defect than FireFox - it's also a safer browser to run on Vista. IMHO this is probably one of the biggest reasons Vista is so much less likely to have malware on it when compared to even XPSP2.

Taking this info to the next level, in this "argument" over at Concentrated Technology I discuss the virtues of security as a major (though terribly un-sexy) justification for the upgrade to Vista. I argue that improved security :: reduced downtime :: improved worker productivity :: positive impact on the corporate bottom line. The lines in this argument, I'll admit, are thin. But, there is important value in recognizing that when workers aren't forced to regularly fix or re-image their workstations because of exploits, they spend more time working and less time waiting for help desk technicians to assist.

Digg it!

Sphere it!

Del.icio.us

Reddit!

Newsvine

Posted by Greg Shields | Permalink | Comments (0) | TrackBacks (0)

Rod Trent reports in yesterday's MyITForum.com newsletter that he's been experimenting around with Firefox v3.0 and IE7. In his testing, he's found visible evidence that disabling Microsoft's Phishing filter in IE7 actually improves the speed of IE7 up to the legendary levels seen by Firefox v3.0.

I personally have been running with the Phishing filter disabled since shortly after IE7's release. My own testing found it to be...well...less than useful. But, I'm not the type to surf towards most classes of quasi-legitimate websites anyway (seriously).

Have you seen similar behavior? I know that the Phishing filter requires every click to go through an additional HTTP lookup to a MIcrosoft clearinghouse, which can effectively double the amount of time required to render each page after a click.

Do you feel that turning off the filter for the speed boost is worth the loss of protection. I would tend to think so. What are your thoughts?

Digg it!

Sphere it!

Del.icio.us

Reddit!

Newsvine

Posted by Greg Shields | Permalink | Comments (3) | TrackBacks (0)

The excepted text below was taken from Chapter 8 of Creating the Secured Managed Desktop: Using Group Policy, SoftGrid, Microsoft Deployment Toolkit, and Other Management Tools, written by Jeremy Moskowitz and contributed to by Greg Shields. Get your copy on Amazon here, or from Jeremy's web site here.

...today's excerpt concludes our series from the book on WSUS and finishes our discussion on the two (actually, three) types of targeting that are possible with WSUS...

Server Side Targeting

Server Side Targeting is really a fancy way to say, "Let me just drop my machines into the groups myself within the WSUS management console." When doing this, ensure that the Enable Client Side Targeting setting is disabled and the radio button is set to "Use the Update Services console." New computers will be automatically positioned in the Unassigned Computers group within the WSUS console and must manually be moved to the correct group by an administrator.

Client Side Targeting
In the "Computer Configuration Settings" section, we discussed the Enable Client Side Targeting setting. Enabling that setting also allows you to enter the name of a group for the machines that are assigned the Group Policy Object. When this setting is enabled, the setting in WSUS should be set to "Use Group Policy or registry settings on computers."

When the OU structure for the domain mimics the group structure you wish your WUA clients to follow, Client Side Targeting is an effective tool to automatically drop clients into the proper groups based on their OU membership. However, when the OU structure is much different than the desired WSUS structure, Server Side Targeting should be used.

Multiple Targeting
When using Client Side Targeting in WSUS 3.0, it is possible to assign machines into multiple groups by separating group names with a semicolon when configuring the Group Policy Object. Once the GPOs have been embraced by the client and clients have contacted the WSUS server, they will appear in multiple locations within the WSUS console as targeted within Group Policy. This is handy for clients that may play multiple roles or that operate as both production as well as patch-testing machines.

If you've enjoyed this series and want to learn more about how you can control your desktops through tools like Group Policy, SoftGrid, and the Microsoft Deployment Toolkit, as well as WSUS and MBSA, grab your own copy from Amazon at this URL: http://www.amazon.com/Creating-Secure-Managed-Desktop-Deployment/dp/0470277645.

Digg it!

Sphere it!

Del.icio.us

Reddit!

Newsvine

Posted by Greg Shields | Permalink | Comments (0) | TrackBacks (0)

The excepted text below was taken from Chapter 8 of Creating the Secured Managed Desktop: Using Group Policy, SoftGrid, Microsoft Deployment Toolkit, and Other Management Tools, written by Jeremy Moskowitz and contributed to by Greg Shields. Get your copy on Amazon here, or from Jeremy's web site here.

...In today's excerpt we'll shift the conversation to a talk about the two different ways that you can target your clients for update distribution...

As we talked about earlier in this chapter, WSUS has its own internal groups that can be used to separate clients. But you should be aware that WSUS groups are not Windows-style Active Directory groups.

They are used only within WSUS to separate clients. This is most often done to provide for multiple patch schedules or to separate out approvals. Since some groups will likely require some patches and others will not, dividing clients into multiple groups can be helpful in approving only the necessary updates for each type of client.

There are two different ways [Client Side Targeting and Server Side Targeting] in which clients can be added into groups in WSUS. Depending on the processes and procedures of the IT department, the structure of Organizational Units in the domain, and the desire of administrators, either type of targeting can be used.

Client targeting is configured in two places, in the WSUS console and also within Group Policy. The configuration must match between the two locations for targeting to work properly. First, from within the WSUS console, click Options | Computers.

There, you can select the option "Use the Update Services console" or "Use Group Policy or registry settings on computers." Using the console to assign clients into groups is called Server Side Targeting, while using Group Policy to assign clients is called Client Side Targeting.

On Friday we'll conclude this series and go into greater detail about these two types of client targeting on your WSUS server...

Digg it!

Sphere it!

Del.icio.us

Reddit!

Newsvine

Posted by Greg Shields | Permalink | Comments (0) | TrackBacks (0)

The excepted text below was taken from Chapter 8 of Creating the Secured Managed Desktop: Using Group Policy, SoftGrid, Microsoft Deployment Toolkit, and Other Management Tools, written by Jeremy Moskowitz and contributed to by Greg Shields. Get your copy on Amazon here, or from Jeremy's web site here.

...in this post we continue the topic of Microsoft patch management with a discussion on the Windows Update Agent and how it goes far into unifying Microsoft's previously separate tools for managing updates...

What is especially brilliant is the use of the Windows Update Agent by all these server-side tools. The Windows Update Agent is a small piece of client code installed to each managed computer, whether that computer is on, say, Windows XP or Windows Vista Desktop, an instance of Windows Server 2003, or Windows Server 2008. That code handles the interrogation of the machine to identify which patches are installed and which are yet needed. It also handles the installation of software as requested by any of these tools just listed.

There's a huge benefit to unifying the technology under a single client tool. As an example, consider how installations were done (and in some cases still are done) before the industry came to embrace Windows Installer: apps in many cases needed to build their own installation routines. The command line switches needed to install one piece of software were often very different than the ones used to install another. Unifying software installation under a single client tool now means that software installations are more predictable and easy to use. The same holds true for patch management. Whereas Windows Installer eased the software installation process, the Windows Update Agent eases the process of managing patches.

Better yet, you can start out with a free tool, like WSUS, and then later move up the pay-scale to SCE and SCCM with ease. That's because each of those products relies on the same underlying, already-installed client tools. As an example, if your environment has long used Microsoft Update as the tool for patching machines and you later want to implement WSUS, it's likely that you already have the necessary client pieces installed on your machines.

In tomorrow's post we'll talk about the two different ways that you can, with a WSUS infrastructure, target your clients for update distribution...

Digg it!

Sphere it!

Del.icio.us

Reddit!

Newsvine

Posted by Greg Shields | Permalink | Comments (0) | TrackBacks (0)

The excepted text below was taken from Chapter 8 of Creating the Secured Managed Desktop: Using Group Policy, SoftGrid, Microsoft Deployment Toolkit, and Other Management Tools, written by Jeremy Moskowitz and contributed to by Greg Shields. Get your copy on Amazon here, or from Jeremy's web site here.

...continuing from yesterday's discussion on the components that make up patch management...

WSUS (Windows Server Update Services)

Because WU and MU are primarily meant for "individual" users rather than corporate ones, WSUS was implemented as a tool to centralize and localize the download, storage, and assignment of patches. WSUS solves two major problems not available in WU and MU. First, it provides a centralized management to the approval and distribution of patches. This means that you, the administrator, choose which patches to deploy and when. Second, it provides a single place on the local network from which patch code is stored and distributed. If every computer on your network attempted to contact Microsoft Update on a regular basis, the resulting network traffic could be a problem. With WSUS only one computer needs to download patches from locations off the local network. All other computers can then get their update installations from that server using high-speed LAN connections.

SCE and SCCM (System Center Essentials and System Center Configuration Manager)
WSUS alone, however, is only a tool for managing Microsoft patch installation. The only code available for installation via a WSUS instance is that which is provisioned through Microsoft. This means that third-party code and patches not distributed by Microsoft aren't available. For cases like these, other tools are necessary. System Center Essentials and System Center Configuration Manager are two very similar tools that allow for more rich management of individual systems within the IT environment. SCE is designed for smaller environments with less than 30 servers and 500 desktops, while SCCM is designed for larger environments. Though these tools both use the WSUS engine for deploying patches and other code, they also augment WSUS's capabilities with the ability to fully manage essentially all system configurations. This includes the ability to deploy third-party applications, drivers, and patches. I include them here as a counterpoint to WSUS's capabilities. If you expect that you'll need to deploy other types of applications, configuration changes, or non-Microsoft patches to your environment, consider implementing one of these two tools instead of WSUS. One important point is that unlike WSUS, neither of these tools is free.

MBSA (The Microsoft Baseline Security Analyzer)
WSUS alone is an excellent tool for managing the composition of installed and not-installed patches on servers and Desktops. But securing these machines involves more than simply ensuring its patches are up-to-date. Elements like password composition, administrative vulnerabilities, and IIS and SQL configurations are all critical to preventing outside entities from exploiting a machine. MBSA goes a step beyond WSUS in that it provides information about the security configuration on targeted machines. We'll talk more about these elements at the end of this chapter.

Tomorrow, we'll discuss the Windows Update Agent and how Microsoft's unification of patch management under a single agent makes easy the movement between patching utilities...

Digg it!

Sphere it!

Del.icio.us

Reddit!

Newsvine

Posted by Greg Shields | Permalink | Comments (0) | TrackBacks (0)

The excepted text below was taken from Chapter 8 of Creating the Secured Managed Desktop: Using Group Policy, SoftGrid, Microsoft Deployment Toolkit, and Other Management Tools, written by Jeremy Moskowitz and contributed to by Greg Shields. Get your copy on Amazon here, or from Jeremy's web site here.

Before we get into the down-and-dirty details of WSUS, we should first take a step back and look at the cast of characters that currently makes up Microsoft's patch-management products. You'll also find that depending on the size and complexity of your environment, options other than WSUS may be preferable. For extremely small environments, WSUS may not even be necessary component. That's because running a WSUS instance will require a server, which can be a premium in very small environments. For larger environments, other tools like System Center Essentials or System Center Configuration Manager may be needed to provide the level of configuration control you need. Let's take a look at each of these tools with an eye toward which one will work best for you:

WU and MU (Windows Update and Microsoft Update)
These two tools, which are often (though incorrectly) used interchangeably, actually describe two different tools used by Microsoft for the distribution of patches to client workstations. Traditionally, Windows Update is and was used for the distribution of patches specific to the Windows operating system. For Windows XP systems and earlier versions, Microsoft Update was an add-on functionality that added support for patching other Microsoft products like Office, SQL, Exchange, and others. With these operating systems, each individual client would go to http://update.microsoft.com to connect to the system and install needed patches.

With Windows Vista, the necessary components are available natively in the OS for connectivity to Microsoft Update. With Vista and Windows Server 2008, clients need only navigate to Start | All Programs | Windows Update to bring forward the Windows Update Control Panel where the same scanning and patch-deployment actions are now completed.

The major benefit of WU and MU is that any administrative user can connect to Microsoft and download patches as necessary to keep their system safe. But relying on individual users to "do the right thing" could be detrimental to your health (or at least the health of the business). MU and WU make available some patches that corporate IT may not want deployed to systems. More than anything, allowing individual systems to download patches independently and over the Internet negatively impacts bandwidth.

Check back tomorrow for more in the Windows Update "cast of characters"...

Digg it!

Sphere it!

Del.icio.us

Reddit!

Newsvine

Posted by Greg Shields | Permalink | Comments (0) | TrackBacks (0)

In this month's TechNet Magazine, Jesper Johansson and Roger Grimes take opposite sides of the great IT debate on security through obscurity. They focus much of their attention in the article on the old "should you rename the Administrator account" argument. The article is a great read. Check it out here.

But what's more telling about the argument has only a portion to do with actually renaming the Administrator account. It deals more with the problems of focusing on "stupid security" instead of "important security".

When thinking of this issue, I like to consider the analogy of going through the airport security lines these days. In the old days, airport security personnel were laser focused on making sure you aren't bringing weapons onto an airplane. Weapons in those days were arguably easy to find: Knives look like knives, guns look like guns, and explosives usually have an explosive look to them as well.

But these days, due to decisions made by individuals at certain levels of government, we've got airport security looking for liquids. They're scanning bags to make sure you took your little soap bottles out before sending them through. Their original focus has been diluted away from the "high-risk" threats to a wide spread of "low-risk" ones. If you're like me, you probably wonder how they can keep a focus with that many extraneous things to watch out for.

This analogy holds true in the TechNet article. There are a lot of companies that are excessively concerned about security and baselines that they lose sight of what they're actually attempting to protect. Renaming the Administrator account adds one tiny extra secret for a would-be attacker to find out. But that Administrator account will always have a RID of 500. With most successful attacks involving some form of social hacking, obtaining this information requires very little work.

What it does do is increase the management overhead of managing your systems. If you're spending quantities of time renaming each server's Administrator account to a unique name and password, then you're spending time admnistratively dealing with a low-risk and low-value threat. That time could be better spent towards higher-value risk mitigation. Additionally, when you're adding an overhead of complexity to the network, that reduces your agility in resolving problems when they occur (e.g., when a problem hits that server, you've got to search to find the Administrator username and password just like the hacker).

So, definitely take a look at the article. What I see is necessary in today's IT marketplace is a reconfiguration of what we think of as "security". With so many organizations willing to sell you products, and so many using that "boogeyman" approach to doing so, we've become excessively afraid of low-impact problems and not afraid enough of the high-impact ones (like someone walking in the front door and asking for a password as a means of social hacking).

Sometimes the best security is simply a better-educated workforce. Heck, if you're doing the training yourself, its definitely less expensive than any product on the market.

Digg it!

Sphere it!

Del.icio.us

Reddit!

Newsvine

Posted by Greg Shields | Permalink | Comments (0) | TrackBacks (0)

Over at MyITForum.com, I see a great video that explains the updates to UAC with arrive with Vista SP1. If you're a UAC hater, check it out and see if this changes your mind: http://www.realtime-windowsserver.com/type/mt.cgi?__mode=view&_type=entry&blog_id=1.

Digg it!

Sphere it!

Del.icio.us

Reddit!

Newsvine

Posted by Greg Shields | Permalink | Comments (0) | TrackBacks (0)

Sorry for the last minute on this. In about two hours, I'm on deck with IpSwitch and HIMSS to talk about HIPAA Compliance regulations and their relation to file security. In this presentation, we'll dig deep into the actual compliance regulations and deconstruct them in relation to how you should protect your file-based data in transit and at rest.

Join us in about two hours to hear all about it. The registration link is at the bottom of this post.

From the press release:

LEXINGTON, MA--(Marketwire - May 7, 2008) - Ipswitch File Transfer Division, a developer of secure and managed file transfer solutions, today announced it will host a free Webinar titled, "Six Steps to HIPAA Compliance: Securing Patient Data and Fulfilling Compliance Regulations is Easier Than You Think." Ensuring that IT infrastructures comply with regulations such as HIPAA is often seen as a daunting and complex challenge. Worse, the penalties and other business risks that come with non-compliance can be severe. In this Webinar, Ipswitch will discuss the challenges and hurdles organizations must overcome to achieve and maintain compliance with HIPAA and other regulations. Specifically we will address the requirements placed on healthcare organizations relating to the security of patient data and how these organizations can use technology to successfully fulfill these requirements. The Webinar will include a presentation and question and answer session.

Attend this Webinar to learn:

• How your organization can meet the HIPAA compliance challenges as they relate to patient data security.


• About the categories of security that are required by HIPAA, including confidentiality, integrity, availability and auditing.


• How other healthcare organizations are tackling the issues surrounding patient data security and ensuring their HIPAA compliance.

Webinar Details:

• Topic: Six Steps to HIPAA Compliance: Securing Patient Data and Fulfilling Compliance Regulations is Easier than You Think


• Date: Thursday, May 8, 2008


• Time: 2:00 p.m. EDT

Speakers:

Greg Shields, Resident Editor, Realtime Windows Server Community,
and Contributing Editor, Redmond Magazine and Virtualization
Review Magazine

Kelly Brady
Manager, Technical Services
Greater Rochester Independent Practice Association (GRIPA)

Kevin Gillis
Vice President of Product Management
Ipswitch, Inc. File Transfer Division

Registration: http://www.himss.org/asp/ContentRedirector.asp?ContentId=67905&cetID=200

Digg it!

Sphere it!

Del.icio.us

Reddit!

Newsvine

Posted by Greg Shields | Permalink | Comments (0) | TrackBacks (0)

At the recent Interop conference, Joshua Corman from IBM laid out the truth on the table about the scare jobs you're probably experiencing from today's security companies. The reality is quite a bit more scary than what you probably perceive, namely that "the goal of the security vendor is not to secure, it's to make money."

But we all really knew that, didn't we?

Joshua goes on to talk about the specific seven secrets. I'll list them here, but you should read the full article to learn more about why they exist. From InfoWorld:

1. Antivirus certifications are misleading
2. There is no perimeter
3. Risk analysis threatens vendors
4. There is more to risk than just weak software
5. Compliance threatens security
6. Vendor blind spots allowed the Storm worm outbreak to happen
7. Security has grown well past do-it-yourself

Read the full article at:
http://www.infoworld.com/article/08/05/01/7-dirty-secrets-of-the-security-industry_1.html?source=NLC-SEC&cgd=2008-05-05

Digg it!

Sphere it!

Del.icio.us

Reddit!

Newsvine

Posted by Greg Shields | Permalink | Comments (0) | TrackBacks (0)

Microsoft has even come out on the record saying that UAC was meant more for "annoyance" than actual improvements in security. Hence, User Account Control's probematic implementation. For virtually all environments, my personal suggestion is to simply disable it.

BeyondTrust is a company that has been working with Microsoft for an extended period of time on a solution that works great both on paper as well as in implementation. I actually interviewed John Moyer from BeyondTrust a while ago about their Privilege Manager product. If you haven't yet listened to the podcast, you should. We go into great detail why Privilege Manager is the solution that UAC never was.

Officially announced today, I received a press release from BeyondTrust talking about their Privilege Manager 4.0 release. This tool manages privileges (and now integrity levels) the way UAC was supposed to, without all the annoying prompts. From the press release:

At the RSA Conference 2008 in April, Microsoft said it included User Account Control in the Windows Vista operating system to "annoy" users and pressure software vendors to create products that run without requiring users to have administrator rights. BeyondTrust Privilege Manager 4.0 enables enterprises to eliminate administrator rights while allowing users to run all authorized applications by transparently granting administrative privileges to the specified applications that require them. This makes systems more secure by giving users only the minimal rights they need to do their jobs. Privilege Manager 4.0 makes the transition to a Least Privilege environment even easier with new policy rules to simplify the process of granting elevated privileges.

So, if you're still interested in the security that UAC intends to offer, but can't stand how it works, give a strong look to Privilege Manager.

Click past the fold for the full press release.

 
Continue reading Sick of UAC? Use a Better Solution...like Privilege Manager......

Digg it!

Sphere it!

Del.icio.us

Reddit!

Newsvine

Posted by Greg Shields | Permalink | Comments (0) | TrackBacks (0)

Its been a while since I've blogged about BlueLane's neat concept in virtual security. So, when last week I received a press release about their v4.2 upgrade, I checked out the new feature set.

What I found was a great image, shown above that explains well how BlueLane's concept goes far in protecting virtual machines against security threats. Think about the "eggs in one basket" problem you have when you consolidate virtual machines onto smaller numbers of hosts. Doing this means an attack has fewer touchpoints, any of which can cause greater levels of damage. But, with a security screen in place like BlueLane, monitoring and protecting those fewer touchpoints can actually improve overall security.

You can see from the image above where BlueLane positions itself directly above the hypervisor. It scans traffic in and out of machines and strips away any known problems. This is particularly useful in virtualization environments that host older OSs or applications that may no longer have good levels of patching available by the manufacturer.

Check it out. BlueLane's 4.2 upgrade includes an app firewall in addition to its traditional scanning abilities. You can read more about the update at this site: http