SAN FRANCISCO -- Security pros at RSA Conference 2010 say that virtual patching can be an effective short-term...
fix for network vulnerabilities, but it shouldn't replace the implementation of proper fixes for systems and applications.
During a panel discussion on evolving network security, Peter J. Kunz, manager of infrastructure security for automaker Daimler, lauded the concept of using intrusion prevention systems (IPS) to virtually patch vulnerabilities in applications and systems by blocking potentially malicious network traffic from reaching those network locations.
Kunz said Daimler is considering the use of virtual patching by way of its IPS system, a best-of-breed implementation that combines technology from 3Com Corp.'s TippingPoint unit and Redwood Shores, Calif.-based vendor Qualys Inc.
He said in Daimler's environment, there are many legacy IT assets that can't be easily patched through traditional means, so putting a network-based "patch" in place to prevent a known issue from being exploited can provide effective short-term vulnerability mitigation.
"For us, if you have automated machines using embedded Windows 98 or XP to put together cars," Kunz asked, "why does that automated machine have to talk to the Internet? It only needs access to one source, its controller. So right now we're looking to shut that sort of thing down."
Qualys CTO and panelist Wolfgang Kandek said customers using his company's IPS to inventory their networks often find more problems than expected. While the best recourse would be to patch each system or application individually, he said, many organizations don't have the resources to fix several different issues simultaneously.
"Desktops may make sense to do quickly," Kandek said, "but there might be other problems that are much more painful, where you just can't patch it all quickly. Or you might have a very old software version, and it's not easy to upgrade."
Paul Arceneaux, Austin-based TippingPoint's vice president of product line management, said marshalling development resources from other parts of an organization to fix application flaws can be another challenge that slows down the patch process.
Said Arceneaux, "If you can mitigate that risk by putting a virtual patch on top of it, it's a phenomenal help."
However, Kunz said there's a danger of being seduced by virtual patches, because while they mitigate risks that result from security flaws, they don't truly remediate the flaws. It's easy to "set it and forget it" by implementing a virtual patch and not putting a plan in motion to fix the root problem.
Plus, Kandek said, any sort of change to the topology of the network, or even any minor configuration changes, can render a virtual patch useless, exposing the network all over again.
Yet Kunz noted that it can be politically difficult to rally the resources -- and the backing from management -- to implement a proper fix if a virtual patch seems to be doing the job.
"The challenge is to convey that message to management," Kunz said. "Inherent risks still need to be taken care of in the long term." Just because an IPS network status panel may show a green checkmark once a virtual patch is in place, he added, it's still critical to do the back-end repair work.
"You're buying some time" with virtual patching, Kunz said, "but you're not adding to the security of your environment."