Products reviewed

BigFix Enterprise Suite Patch Manager
Dynamic Network Administration
Ecora Patch Manager
HFNetChkPro
LANDesk Patch Manager
LANGuard Network Security Scanner
Patch Management Solution
PatchLink
Security Update Manager
Service Pack Manager 2000


Best Buy is Ecora Patch Manager because of its professional approach. The information provided and the tests performed on the patches add real value. It is also easy to roll out and shows some interest in extending its support to other systems. Shavlik's HFNetChkPro's only negatives are its hard-to-pronounce name and its Microsoft obsession. However, its close integration with Microsoft and its ease of use earn it the Recommended tag. Also worthy of mention are the modules from Altiris and LANDesk. These are the best of the management suite add-ons but have to be seen in that context. They are great if you want to sign up to the program, but a problem if there is already a management suite in use.

Patch management (2004)

An exposed cut takes longer to heal if you do not disinfect and protect it, and exposed machines are equally vulnerable. Eric Doyle reviews quality band-aids

The number of updates, patches and service packs emanating from software vendors has turned the systems manager's job into a nightmare. Keeping up to date with security fixes is labor-intensive, and the need to test the effect of the patches before rolling them out makes life even more difficult.

According to Symantec's latest Internet Security Threat Report, there was an average of 220 security vulnerabilities a month between July and December 2003. Of these, 99 were classed as high severity and 70 percent were easy to exploit.

With so much activity, the temptation is to skip patches and focus instead on trying to fix the holes exploited by the latest viruses, worms and Trojan horses. There is an element of chance in this, because the next patch might require the presence of several skipped patches.

Microsoft's answer is Windows Update or Software Update Services (SUS), an in-house version of Windows Update for larger companies. These only cover Microsoft applications but, as most patches seem to come from Microsoft, this is not an unreasonable source.

However, the most secure Microsoft environment is worthless if the other applications are not being patched. As useful as the Microsoft update services might be, they do not answer the needs of a company wanting to ensure full availability of its IT investment. This leaves room for independent products.

The products reviewed handle the key applications covered in Microsoft's Mssecure.cab compressed XML file that details all the patches available for the update services. Some include key applications from other vendors, such as Adobe's Acrobat, or many of the anti-virus vendors' updates. Others go beyond Windows environments to embrace Unix, usually Sun Solaris, Macintosh and various flavors of Linux (especially Red Hat).

To ensure that all systems are kept up to date, an essential product feature is the ability to access clients and servers to create a software inventory. This has to produce a detailed list of operating systems and applications down to the version number and any patches that have already been applied.

Patch management packages fall into two basic groups – those that have agents on every machine, and those that do not use any software running on the client. Agents can change with each major revision of the patch management software and are a pain to implement and maintain. Software without an agent is a dream to install and can be configured in minutes, instead of hours, on a moderately sized network. Both kinds exist because agent-based software can be configured to comply with a security policy that requires data passed across the network to be encrypted. Without an agent, the data pulled into the server is unencrypted and vulnerable.

Before patches are applied, an enterprise should review its disaster recovery policy. Many back-up philosophies involve recovering applications, registry settings and data files. This assumes that the operating system does not change, and the only way to ensure that the reconstructed platform is stable and secure is to re-apply every patch that was present before. The ability to print or save status reports on every machine in the network is critical, and is made easier if the software inventory can be rationalized and standardized into groups of clones.

To maintain this uniformity, there also has to be a facility to detect and remove any unofficial applications downloaded by the user – especially for mobile PCs.
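The inventory, status-report and clone-grouping requirements above can be illustrated with a small compliance check. The following Python is an added example written for this page; it is not code from any of the products reviewed. The hosts, operating system builds, patch identifiers (PATCH-001 and so on), and the approved-application list are all constructed for the example, not taken from Microsoft's Mssecure.cab or any vendor feed. It compares each machine's inventory against a per-OS patch baseline, flags applications that are not on the approved list, refuses to call a machine compliant when its OS is not in the baseline, and groups machines with identical configurations into clones.

```python
from collections import defaultdict

# Constructed baseline (not a vendor feed): patches that must be present per OS build.
REQUIRED_PATCHES = {
    "Windows 2000 SP4": {"PATCH-001", "PATCH-002", "PATCH-003"},
    "Windows XP SP1": {"PATCH-002", "PATCH-004"},
}

# Constructed list of applications the organisation permits on its clients.
APPROVED_APPS = {"Office 2003", "Acrobat Reader 6.0"}

# Constructed software inventory, as an agent or agentless scan might collect it.
INVENTORY = [
    {"host": "ws01", "os": "Windows 2000 SP4",
     "apps": {"Office 2003", "Acrobat Reader 6.0"},
     "patches": {"PATCH-001", "PATCH-002", "PATCH-003"}},
    {"host": "ws02", "os": "Windows 2000 SP4",
     "apps": {"Office 2003", "Acrobat Reader 6.0"},
     "patches": {"PATCH-001", "PATCH-002", "PATCH-003"}},
    {"host": "ws03", "os": "Windows 2000 SP4",
     "apps": {"Office 2003", "Acrobat Reader 6.0", "P2P-Sharing-Tool"},
     "patches": {"PATCH-001", "PATCH-003"}},
    {"host": "lt01", "os": "Windows XP SP1",
     "apps": {"Office 2003"},
     "patches": {"PATCH-002"}},
    {"host": "srv01", "os": "Red Hat Linux 9",   # OS not in the baseline
     "apps": set(),
     "patches": set()},
]


def missing_patches(record, required=REQUIRED_PATCHES):
    """Patches the baseline demands for this OS that the host has not applied.

    Returns None when the OS is absent from the baseline: the check cannot
    judge compliance, which must not be mistaken for "nothing missing".
    """
    baseline = required.get(record["os"])
    if baseline is None:
        return None
    return sorted(baseline - record["patches"])


def unofficial_apps(record, approved=APPROVED_APPS):
    """Applications present on the host that are not on the approved list."""
    return sorted(record["apps"] - approved)


def config_signature(record):
    """Hashable summary of OS, applications and patches; equal signatures are clones."""
    return (record["os"],
            tuple(sorted(record["apps"])),
            tuple(sorted(record["patches"])))


def clone_groups(inventory):
    """Group hosts with identical configurations so they can be managed as one."""
    groups = defaultdict(list)
    for rec in inventory:
        groups[config_signature(rec)].append(rec["host"])
    return {sig: sorted(hosts) for sig, hosts in groups.items()}


def status_report(inventory, required=REQUIRED_PATCHES, approved=APPROVED_APPS):
    """One row per host: missing patches, unofficial applications, compliance."""
    report = []
    for rec in inventory:
        missing = missing_patches(rec, required)
        extra = unofficial_apps(rec, approved)
        report.append({
            "host": rec["host"],
            "os": rec["os"],
            "missing_patches": missing,
            "unofficial_apps": extra,
            # Unknown OS (missing is None) is never reported as compliant.
            "compliant": missing == [] and extra == [],
        })
    return report


def format_report(report):
    """Render the report as plain text suitable for printing or saving."""
    lines = []
    for row in report:
        state = "OK" if row["compliant"] else "ACTION"
        lines.append(f"{row['host']:<6} {row['os']:<18} {state:<6} "
                     f"missing={row['missing_patches']} "
                     f"unofficial={row['unofficial_apps']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(status_report(INVENTORY)))
    for sig, hosts in clone_groups(INVENTORY).items():
        print(f"clone group {hosts}: {sig[0]}, {len(sig[2])} patches applied")
```

Run as-is, the report marks ws01 and ws02 as OK, ws03 as needing action for both a missing patch and an unapproved application, lt01 as missing a patch, and srv01 as non-compliant because its OS has no baseline. The clone grouping puts ws01 and ws02 together and leaves the other three hosts in groups of their own, which is the "groups of clones" view the text describes for rationalizing status reporting and rebuilds.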

Microsoft's patching is getting better and forcing the independent software vendors to seek new areas to develop. Colin Bartram, product director of Vector, said: "We believe Microsoft has a massive strategic commitment to evolving its SUS architecture into a viable, enterprise-grade tool for managing patches on Windows machines."

Based on this, Vector's next release of PC-Duo will add value by extending the basic SUS capabilities. Others, especially Shavlik with its close relationship with Microsoft, will no doubt follow a similar route. This could mean that support for non-Microsoft applications will increase and some packages might move more heavily into the open source world to support Linux distributions and applications.

The growing impetus towards managed code promises fewer security risks in future applications. The sandboxed architectures will reduce cross-application interference and vulnerabilities. The software will also eliminate the insecure programming practices that have led to the hundreds of buffer overrun flaws in current applications. Hopefully, this will reduce the 220 monthly patches to a more manageable figure. However, with new environments come new kinds of vulnerabilities. The need for patching is unlikely to disappear soon.

The threat is against the patching point solution vendors. If the number of patches does decrease appreciably, customers may move to management applications that include patching as a free service. However, this is unlikely to happen during the next four or five years.
