Virtual Patching Explained

Image credit: iStockphoto/olando_o

From the moment a vulnerability is announced, a race begins: on one side, the vendor develops, tests and releases a patch and the customer installs it; on the other, attackers develop exploits to take advantage of the flaw.

Virtual Patching aims to deploy a patch early, 'virtually': sometimes on the affected devices themselves, but more often at the network gateway, before a formal patch has been released or installed, and before attackers can compromise the protected systems.

Understanding the science

Virtual patches target network traffic that attempts to exploit a known vulnerability. They typically start with signatures that identify either the vulnerable condition itself (for example, a parameter that should only ever hold a number) or the behavior of known exploits, and then actively interrupt the matching traffic, blocking it before it reaches the target system.

To put it in context, Virtual Patching is a 'quick-and-dirty' solution to a complex problem: virtual patches can usually be deployed without a reboot or any interruption to services. Because of limitations inherent in the technology, they are usually only short-term stopgaps that buy time for formal patches to be deployed.

Think of the vulnerability as a leaky pipe, the exploit as the resulting flood, and the virtual patch as tape wrapped around the leak. The permanent fix is to replace the broken section of pipe, but the tape buys you time and avoids the damage a flood would cause. It is certainly better than having to turn off the water.

Virtual Patching lets an organization keep its own patching cycle, independent of the release schedules of the various manufacturers of the equipment, systems, and applications it runs. Virtual patches are also much simpler to deploy, since they are typically installed at a few centralized gateway locations rather than on every potentially affected device.

Understanding the limitations

The virtual patch must be deployed between the attacker and the attacked device or service; traffic that does not pass through that point is not protected by it.

For it to be effective, this protection must be inline, or at least able to block malicious traffic with very little latency. Encrypted traffic needs special handling: the gateway must be able to terminate or otherwise inspect the encrypted session before the payload can be analyzed for exploits.

  • A virtual patch must be accurate. It must detect exploits of the vulnerability without affecting legitimate traffic, while being broad enough to catch new variants of the exploit rather than only the first one observed. Where the exploit is non-trivial, and in particular where it spans multiple requests within a network session, this may not be achievable, and the virtual patch will be only partially effective.
  • False positives may be a problem. Because virtual patches need to be deployed quickly, there may not be adequate time for testing. Depending on the severity and impact of the vulnerability, this may be an acceptable risk compared with the alternative of shutting down all services until formal patches can be deployed. Deploying manufacturer patches is not without risk either.
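To make the accuracy trade-off concrete, here is an added example (not code from the article's author or from Network Box) that runs two styles of virtual patch over constructed sample HTTP requests. The endpoint `/report`, its `id` parameter and all five requests are hypothetical; the one assumption is that `id` is meant to be a numeric record identifier. The first style matches the shape of the first exploit seen; the second describes the condition under which the vulnerable parameter is safe, which is what a patch written against the vulnerability rather than the exploit looks like.

```python
"""Two styles of virtual patch applied to constructed sample requests.

Added illustration for this article, not code from any real product.
The endpoint, parameter and request lines are all constructed/hypothetical.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample request lines (label, request line). Hypothetical
# endpoint /report whose 'id' parameter should be a numeric record id.
SAMPLE_REQUESTS = [
    ("legit",           "GET /report?id=1042 HTTP/1.1"),
    ("legit-search",    "GET /search?q=cd+../src HTTP/1.1"),          # user searching for a shell command
    ("exploit-plain",   "GET /report?id=../../etc/passwd HTTP/1.1"),
    ("exploit-encoded", "GET /report?id=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1"),
    ("exploit-double",  "GET /report?id=%252e%252e%252fetc%252fpasswd HTTP/1.1"),
]


def parse_request_line(line):
    """Split a request line into method, path and a dict of query parameters."""
    method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return method, parts.path, params


def normalize(value, rounds=2):
    """Percent-decode a bounded number of times so encoded variants collapse.

    The bound is a guess about how many times the application decodes; a
    virtual patch cannot know this for sure, which is one source of gaps.
    """
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


# Style 1: exploit signature. Matches what the first observed exploit looked like.
EXPLOIT_SIGNATURE = re.compile(r"\.\./")


def exploit_signature_patch(line, normalize_first=False):
    """Block any request whose raw (or normalized) text contains the traversal token."""
    text = normalize(line) if normalize_first else line
    return "block" if EXPLOIT_SIGNATURE.search(text) else "allow"


# Style 2: vulnerability-condition rule. States what the vulnerable parameter
# must look like for the code path to be safe, independent of any one exploit.
ID_ALLOWED = re.compile(r"^[0-9]{1,10}$")


def vulnerability_condition_patch(line):
    """Block only requests to the affected endpoint whose 'id' is not a numeric id."""
    _method, path, params = parse_request_line(line)
    if path != "/report":
        return "allow"  # scoped to the vulnerable endpoint, so other traffic is untouched
    value = normalize(params.get("id", ""))
    return "allow" if ID_ALLOWED.fullmatch(value) else "block"


def evaluate(patch):
    """Return {label: verdict} for every sample request under one patch style."""
    return {label: patch(line) for label, line in SAMPLE_REQUESTS}


if __name__ == "__main__":
    styles = [
        ("exploit signature (raw)", exploit_signature_patch),
        ("exploit signature (normalized)", lambda l: exploit_signature_patch(l, True)),
        ("vulnerability condition", vulnerability_condition_patch),
    ]
    for name, patch in styles:
        print(name)
        for label, verdict in evaluate(patch).items():
            print(f"  {label:16s} {verdict}")
```

Run as written, the raw signature blocks the plain exploit but lets both percent-encoded variants through and blocks the innocent search query; decoding before matching closes the encoding gap but keeps the false positive, because the rule is not scoped to the vulnerable endpoint. The vulnerability-condition rule gets all five right without depending on how many times the backend decodes, since no encoding of a traversal string is a ten-digit number. Both styles are still per-request: an exploit that only emerges across several requests in one session, as the first bullet above warns, would need session state that neither rule keeps.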

Virtual Patching is not a perfect solution and cannot protect every vulnerability against every possible exploit. It is, however, effective in most cases, particularly for vulnerabilities rated high severity. The technology provides a comprehensive and effective first line of defense against network-based exploits and is valuable as one tool among many in your arsenal.

Mark Webb-Johnson is the co-founder and chief technology officer of Network Box. He received the Lord Hailsham Prize for Computer Science.

The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends.