Bluelane - PatchPoint Inline Patch Proxy

 

 


The Blue Lane PatchPoint System is the only inline patch proxy for enterprise servers that fixes application-specific vulnerabilities at the root cause by checking for the same conditions and applying the same corrective action as the software vendor security patch.

Provides functional equivalent of software vendor security patch

Eliminates need to hastily install patches on enterprise servers

Requires no code or configuration changes to the servers

Protects up to hundreds of servers instantly

Ensures that assets are protected from both internal and external threats

Simple to deploy and maintain

 

Patching Dilemma

Software vendors release patches to address security vulnerabilities, but deciding when to install a patch on a critical server is difficult. Patching right away eliminates the security vulnerability, but may put server availability at risk. Postponing patch deployment during testing may preserve server availability, but increases the risk that the vulnerable server is breached.

 

Patch Now?

Installing software vendor patches immediately is an admirable goal. The biggest barrier to doing so is the potential for unexpected consequences. Software applications have a considerable number of interdependencies, such as shared files and libraries. An operating system, for example, frequently shares files with other applications. The applications make slight modifications to these files when they are installed. When the operating system is updated via a new patch, a change in the underlying files can unintentionally break the application.

Tedious and time-consuming steps are required to confidently deploy a patch without fear of breaking critical applications. Unfortunately, as time passes and the confidence of successful deployment rises, the risk of a successful attack on a vulnerable server also rises.

How it works

The PatchPoint Gateway monitors client/server interactions for the existence of an application vulnerability and then emulates the functionality of the patch by manipulating traffic inline. There are three primary components of the PatchPoint architecture that provide its unique capabilities:

ActiveFix
Transparent Application Proxies
Dynamic Transformation Engine


 

 

Transparent Application Proxies

Transparent Application Proxies are stateful, end-point aware proxies for critical applications that transparently monitor client/server transactions, verify conditions of application vulnerabilities, and deterministically apply a relevant ActiveFix.

These proxies provide:

Network-based application fluency, by tracking the precise state of client/server transactions and deterministically verifying whether or not a vulnerability is present in order to apply an appropriate ActiveFix.

Application-level end-point awareness, so that only relevant transactions are monitored and minimal latency is introduced.

Additional security, by monitoring transactions inline without utilizing an IP or MAC address so that the PatchPoint System is invisible to both client and server.

Dynamic Transformation Engine

The Dynamic Transformation Engine provides the ability to manipulate the data stream inline, within the application protocol, while preserving the connection between client and server.

Provides the ability to intervene at any point within a transaction to truncate overflow data within a string, replace specific characters or convert the encoding of data in accordance with the functionality of a vendor security patch, anywhere inside the application protocol.

Promotes availability of critical applications by preserving the connection between client and server, even when inline data manipulation is required.
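
The following sketch is an added illustration, not Blue Lane code, of why inline truncation has to re-frame the message to keep the client/server connection in sync. The length-prefixed TLV format, the field types and the 64-byte bound are assumptions constructed for the example.

```python
import struct

# Hypothetical fix rule: field type 0x02 must not exceed 64 bytes
# (stands in for the bound a vendor patch would enforce server-side).
FIX_RULES = {0x02: 64}

def build_message(fields):
    """Frame (type, value) pairs: 2-byte total length, then TLV fields."""
    body = b"".join(struct.pack("!BH", t, len(v)) + v for t, v in fields)
    return struct.pack("!H", len(body)) + body

def parse_message(msg):
    """Return [(type, value)], raising ValueError on inconsistent framing."""
    if len(msg) < 2:
        raise ValueError("short header")
    (total,) = struct.unpack_from("!H", msg, 0)
    if total != len(msg) - 2:
        raise ValueError("outer length mismatch")
    fields, off = [], 2
    while off < len(msg):
        if off + 3 > len(msg):
            raise ValueError("truncated field header")
        ftype, flen = struct.unpack_from("!BH", msg, off)
        off += 3
        if off + flen > len(msg):
            raise ValueError("field overruns message")
        fields.append((ftype, msg[off:off + flen]))
        off += flen
    return fields

def apply_inline_fix(msg, rules=FIX_RULES):
    """Truncate over-long fields and re-frame; returns (new_msg, changed_types)."""
    changed, out = [], []
    for ftype, value in parse_message(msg):
        limit = rules.get(ftype)
        if limit is not None and len(value) > limit:
            value = value[:limit]
            changed.append(ftype)
        out.append((ftype, value))
    # Re-framing recomputes the field and outer lengths, so the server
    # still sees a well-formed message and the connection is preserved.
    return (build_message(out) if changed else msg), changed

# Constructed sample: a 300-byte value in the bounded field.
SAMPLE = build_message([(0x01, b"LOGIN"), (0x02, b"A" * 300), (0x03, b"x")])
```

Messages that need no correction are forwarded byte-for-byte, and malformed framing raises an error so the caller can decide how to handle it.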


ActiveFix

A PatchPoint ActiveFix is the inline, functional equivalent of a software vendor security patch. Each ActiveFix mimics the corrective action of the security patch, no matter how complex, to address the vulnerability at the root cause.

Emulates even complex patch functionality to ensure that applications continue to function properly

Deploys simultaneously across hundreds of servers to provide immediate protection across even the largest server deployments with no code or configuration changes required on any of the servers

Promotes uptime and business continuity by performing corrective action inline with zero footprint on the protected servers, which eliminates the possibility of overwriting shared files or disturbing server configurations

Eliminates any guesswork during deployment and subsequent maintenance through the correlation between an ActiveFix and its corresponding vendor security patch

Provides protection for a wide variety of applications, databases and operating systems.

PatchPoint Gateway

The PatchPoint Gateway is a scalable, high-performance appliance that monitors client/server interactions, verifies the existence of vulnerabilities and applies corrective action inline by emulating software vendor security patches.

The PatchPoint Gateway G/450 is primarily recommended for larger network deployments where redundancy and throughput are the top priorities.

The PatchPoint Gateway G/250 is primarily recommended for smaller network deployments such as remote offices.


PatchPoint Enterprise Manager

The PatchPoint Enterprise Manager M/10 is a dedicated appliance that provides all of the configuration, management and reporting services for the PatchPoint System. A single Enterprise Manager may be used to manage and configure up to 100 PatchPoint Gateways.

PatchPoint ActiveUpdate Subscription Service

PatchPoint ActiveUpdate is the Blue Lane subscription service for downloading PatchPoint System ActiveFix and system software updates, hosted at a secure collocation facility, offering 24x7 availability of downloads.


 

 
Copyright © Satisnet Ltd, 2005. All Rights Reserved