networks are under siege. With battalions of hackers toiling night and
day to find entry points for attack, systems managers have only hours
to close security holes before an invisible enemy tries to exploit
New-found vulnerabilities must be sealed promptly with
software patches, a task which is hard enough within the LAN (local
area network), and which becomes more challenging the farther computing
devices are from headquarters. Yet under competitive pressure to make
the sale and improve service at the front lines, companies are pushing
more and more technology beyond the firewall into the field.
Executives carry laptops around the globe; sales reps and field
technicians rely on handheld devices or dashboard-mounted Win32
machines; and retail and restaurant clerks use increasingly complex
store systems designed to increase customer service and cut operational
In the unpredictable environment outside the corporate firewall, where
each device is a potential target, efficient patch distribution is
essential. Nevertheless, sad experience has shown that simply rolling
out patches to the field doesn't provide adequate protection. Patch
management must be combined with full-featured systems management tools
in order to ensure the security of remote and mobile devices.
Facing the realities
The frontlines are typically made up of both static and mobile machines
-- devices connected to the headquarters in a bandwidth-constrained
environment. Mobile devices are by their nature more vulnerable to
attack than LAN PCs. The fact that laptops, handhelds and smart phones
are carried on airplanes, tucked in purses or clipped onto belt loops
makes it easier for them to -- quite literally -- fall into the wrong
The more common danger, however, is that devices carried on one's
person are more likely to be used for personal business. Forgetting
that the device on which they practice chess can double as a hacker's
pawn, users blithely change configuration settings, install unapproved
software, and connect to virus-infected home computers. As a result,
each time they dial in to the corporate LAN, they put the entire
corporate network at risk.
Securing mobile devices is further complicated by the fact that
the frontline environment is fundamentally different from the LAN
environment. For one thing, mobile devices are only intermittently
connected to a server, which makes it more difficult to schedule
automated patch downloads. In addition, field-to-LAN connections often
take place over low-speed, third-party networks with limited bandwidth,
and are often interrupted without warning.
Store-based PCs, while not subject to problems associated with
portability, share this challenge of a low-bandwidth environment. And
because most tasks performed on store-based PCs are mission-critical
(including credit card authorisations and other financial transactions)
bandwidth bottlenecks can strangulate corporate efficiency. As the
lifeblood of retail companies, point-of-sale systems must be available
and functioning at all times.
No matter how critical their activities, users of store-based as well
as mobile systems can't step down a hallway to get help if something
goes wrong during a transmission. Neither can they be relied on to
carry out system maintenance tasks, including urgent patch
installations, even if this were a good idea (which it definitely is
not). As a result, mobile and store-based devices often remain an open
door for the first virus or hacker that happens along.
Faced with imminent security threats, systems administrators'
first impulse is to rush software patches to the field. However,
securing your mobile and remote systems through patch distribution
cannot be effective if not supported by robust frontline management
Companies should look for frontline management solutions that
incorporate both security and general management functions that are
optimised for operating beyond the corporate firewall so that
administrators needn't cobble together two or more solutions to cover
all their bases.
If patch distribution is to adequately protect frontline devices,
corporations must be able to: 1) compensate for the limitations of the
frontline environment; 2) lay the groundwork for efficient, automated
patch deployment; and 3) keep a vigilant eye on mobile and store-based
devices during and after patch distribution.
Compensating for conditions
Some companies have attempted to solve the frontline patch management
dilemma using a LAN-oriented solution. They have found, however, that
patch management systems designed for high-speed, continuous
connections perform far less efficiently when bandwidth is limited and,
in the case of mobile devices, connections are short-lived. A
comprehensive frontline management solution compensates for these
The ability to perform opportunistic downloads is critical in the
mobile environment. Because machines connect to the LAN on an
unpredictable basis, a good frontline management solution should allow
patches to be downloaded whenever a connection is available. For
instance, a software patch can be downloaded in the background when the
user of a handheld connects to the corporate network to retrieve email
or upload daily sales figures.
"Dynamic bandwidth throttling" is also vital in the frontline
environment, for both mobile and point-of-service devices. This
capability allows automated tasks to use only free bandwidth rather
than gobbling all available resources.
It ensures that a patch download (or other system maintenance task)
initiated at headquarters doesn't interfere with users'
mission-critical activities, such as authorising credit card
transactions or retrieving information needed for a quote. Without
bandwidth throttling, users become frustrated by frequent slowdowns and
interruptions, which leads to lower morale and reduced productivity.
Patch management at the front lines also must take into account that
mobile connections are often severed without warning. While a LAN-based
solution usually retransmits an entire file if a download is
interrupted, a solution for the front lines should remember where a
cut-off occurred, and restart transmission at that point the next time
a connection is established. With bandwidth at a premium on the front
lines, this type of efficiency is essential. Companies that fail to
compensate for real conditions in the field will never adequately
address security needs at the far edges of the enterprise.
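The three capabilities described in this section (opportunistic downloads, dynamic bandwidth throttling, and restarting an interrupted transfer at the cut-off point) can be shown together in one agent download loop. The code below is an added example, not code from the article or from XcelleNet; the patch server, clock and patch bytes are constructed stand-ins, and the chunk size, throttle rate and class names are assumptions.

```python
"""Added example, not code from the article or from XcelleNet: a field
agent download loop with the three properties the section describes.
It downloads whatever a short-lived connection allows, resumes from the
last committed byte after the link drops instead of refetching the whole
file, and paces itself with a token bucket so a background patch never
takes more than its configured share of bandwidth.
Link, clock and patch bytes are constructed stand-ins."""
import hashlib

CHUNK = 4096  # bytes requested per transfer (assumed agent setting)


class ConnectionDropped(Exception):
    """Raised by the simulated link when the third-party network cuts out."""


class FlakyLink:
    """Constructed patch server: serves byte ranges and drops the connection
    after `drop_after` chunks, until the agent reconnects."""

    def __init__(self, payload, drop_after=None):
        self.payload, self.drop_after = payload, drop_after
        self.served = 0         # chunks since the last (re)connect
        self.bytes_served = 0   # total bytes sent: measures retransmission

    def length(self):
        return len(self.payload)

    def reconnect(self):
        self.served = 0

    def read_range(self, offset, size):
        if self.drop_after is not None and self.served >= self.drop_after:
            raise ConnectionDropped(f"link cut at offset {offset}")
        chunk = self.payload[offset:offset + size]
        self.served += 1
        self.bytes_served += len(chunk)
        return chunk


class FakeClock:
    """Injected time source so throttling can be checked without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


class TokenBucket:
    """Dynamic throttle: at most `rate` bytes/s on average, bursts up to
    `capacity`. A real agent would derive `rate` from the link's measured
    idle bandwidth; here it is a fixed constructed value."""

    def __init__(self, rate, capacity, clock):
        self.rate, self.capacity, self.clock = rate, capacity, clock
        self.tokens, self.last = capacity, clock()

    def delay_for(self, nbytes):
        """Seconds the caller must wait before moving `nbytes` more."""
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + max(0.0, now - self.last) * self.rate)
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            self.last = now
            return 0.0
        wait = (nbytes - self.tokens) / self.rate
        self.tokens, self.last = 0.0, now + wait   # bucket is empty once the wait ends
        return wait


class ResumableDownload:
    """Persists the offset of the last chunk written (on a real device, to
    disk) so an interrupted transfer restarts where it stopped."""

    def __init__(self, link, expected_sha256, throttle, clock):
        self.link, self.expected, self.throttle, self.clock = link, expected_sha256, throttle, clock
        self.total = link.length()
        self.offset, self.buf, self.waited = 0, bytearray(), 0.0

    def run(self):
        """Pull chunks until complete; raises ConnectionDropped mid-way so the
        caller can retry at the next opportunistic connection."""
        while self.offset < self.total:
            size = min(CHUNK, self.total - self.offset)
            chunk = self.link.read_range(self.offset, size)  # may raise
            self.buf += chunk
            self.offset += len(chunk)  # commit only after the bytes are stored
            # Charge the bucket for what just arrived; the wait paces the next request.
            wait = self.throttle.delay_for(len(chunk))
            if wait and self.offset < self.total:
                self.clock.sleep(wait)
                self.waited += wait
        # Verify integrity before anything is installed: a truncated or
        # tampered file must never be applied just because it arrived.
        if hashlib.sha256(bytes(self.buf)).hexdigest() != self.expected:
            raise ValueError("patch failed integrity check; discarding")
        return bytes(self.buf)


def simulate(payload, drop_after, max_connections=10):
    """Drive one download across repeated short-lived connections and report
    how many connections it took and how many bytes the server had to send."""
    expected = hashlib.sha256(payload).hexdigest()
    link, clock = FlakyLink(payload, drop_after), FakeClock()
    bucket = TokenBucket(rate=8192, capacity=8192, clock=clock)
    dl = ResumableDownload(link, expected, bucket, clock)
    for connection in range(1, max_connections + 1):
        try:
            dl.run()
            return {"connections": connection, "bytes_served": link.bytes_served,
                    "seconds_throttled": dl.waited}
        except ConnectionDropped:
            link.reconnect()  # wait for the next dial-in, then carry on
    return None
```

With a 40 KB patch and a link that drops every four chunks, `simulate` completes on the third connection and the server sends exactly 40 KB: nothing is retransmitted, which is the property a LAN-oriented tool that restarts the file from zero lacks. The offset is committed only after the bytes are stored, so a drop between request and write never advances it past data the device does not have.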
Laying the groundwork
Efficient patch distribution involves much more than automating
deployment. In fact, for many corporations the first step is
recognising that their front line can't be the computing equivalent of
the Wild West. Because a patch must be tested against all system and
software configurations used in the field, some level of conformity is
required. Corporations must define and enforce configuration standards
for field devices, just as they do for LAN PCs.
Policy management is therefore an integral part of effective patch
management. By limiting device applications to those required for
business, and by setting configuration standards, corporations are able
to minimise delays in patch distribution when time is of the essence.
Quality assurance tests can be automated and patches can be
disseminated within minutes or hours, rather than days or weeks.
Before a patch is deployed, administrators must be able to
automatically inventory each intended device, determining which
applications are currently installed, whether they are appropriately
configured, and when they were last updated. The ability to review
device "patch levels" prevents redundant downloads and assures that the
correct patches are applied.
This kind of preemptive checking is just as important in reverse:
before a remote or mobile device is allowed to connect to a corporate
server, its last virus scan should be reviewed, its security settings
checked, and the presence of the latest software patches verified. Such
automatic checks go a long way in protecting the corporate network from
hostile infiltration. If a check reveals that a device no longer
conforms to secure configuration standards (whether by accident or on
purpose), the device can be automatically reconfigured by the frontline
Neither an IT technician nor the user needs to lay a finger on it. For
an organisation with hundreds or even thousands of devices in the
field, this capability is essential. Without it, misconfigured devices
remain an easy target for hackers, despite the "successful"
distribution of a software patch.
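The pre-connection check described above can be written as a policy evaluation that a management server runs on the inventory a device reports when it dials in. The code below is an added example, not code from the article or from XcelleNet; the policy values, patch identifiers, setting names and device records are constructed for illustration.

```python
"""Added example, not code from the article or from XcelleNet: the
pre-connection check the section describes, as a policy evaluation that
a management server could run on the inventory a device reports when it
dials in. A device that drifted from the standard is refused access and
queued for automatic reconfiguration, with no action by the user.
Policy values, patch identifiers and device records are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Policy:
    required_patches: frozenset        # patch ids every field device must carry
    max_av_scan_age: timedelta         # how stale a virus scan may be
    required_settings: dict            # setting name -> value the standard demands
    allowed_software: frozenset        # everything else is unapproved


@dataclass
class DeviceReport:
    device_id: str
    installed_patches: set
    last_av_scan: datetime
    settings: dict
    installed_software: set


@dataclass
class Decision:
    device_id: str
    admit: bool
    findings: list      # what is wrong, for the administrator's console
    remediation: list   # actions the agent applies before the next check


def evaluate(report, policy, now):
    """Compare one inventory report with policy. Any finding blocks access
    and produces the matching remediation action."""
    findings, actions = [], []

    missing = sorted(policy.required_patches - report.installed_patches)
    if missing:
        findings.append("missing patches: " + ", ".join(missing))
        actions += [f"install {p}" for p in missing]

    if now - report.last_av_scan > policy.max_av_scan_age:
        findings.append(f"last virus scan {now - report.last_av_scan} ago")
        actions.append("run antivirus scan")

    for key, wanted in policy.required_settings.items():
        actual = report.settings.get(key)
        if actual != wanted:
            findings.append(f"setting {key} is {actual!r}, standard requires {wanted!r}")
            actions.append(f"set {key}={wanted!r}")

    unapproved = sorted(report.installed_software - policy.allowed_software)
    if unapproved:
        findings.append("unapproved software: " + ", ".join(unapproved))
        actions += [f"remove {s}" for s in unapproved]

    return Decision(report.device_id, admit=not findings, findings=findings, remediation=actions)


# --- constructed sample data -------------------------------------------------
NOW = datetime(2004, 3, 1, 8, 30)
POLICY = Policy(
    required_patches=frozenset({"PATCH-EXAMPLE-001", "PATCH-EXAMPLE-002"}),
    max_av_scan_age=timedelta(days=7),
    required_settings={"firewall_enabled": True, "autorun_enabled": False},
    allowed_software=frozenset({"order-entry", "email-client", "antivirus"}),
)
COMPLIANT = DeviceReport(
    "handheld-0001", {"PATCH-EXAMPLE-001", "PATCH-EXAMPLE-002"},
    NOW - timedelta(days=1),
    {"firewall_enabled": True, "autorun_enabled": False},
    {"order-entry", "email-client", "antivirus"},
)
DRIFTED = DeviceReport(
    "laptop-0042", {"PATCH-EXAMPLE-001"},
    NOW - timedelta(days=10),                                 # three days past the limit
    {"firewall_enabled": False, "autorun_enabled": False},    # user switched the firewall off
    {"order-entry", "email-client", "antivirus", "chess"},    # the user's chess game
)


def gate(reports, policy=POLICY, now=NOW):
    """Run the check over every device that is trying to connect."""
    return {r.device_id: evaluate(r, policy, now) for r in reports}
```

Every finding maps to a concrete remediation action, so the same evaluation that refuses the connection also tells the agent what to put right; the device is re-checked on its next dial-in and admitted once the findings list is empty.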
There is no such thing as security without system visibility. Field
devices must be fully visible, or administrators have no way of knowing
whether security measures are working as expected or required. Prompt
dissemination of software patches is simply not enough.
Ideally, administrators should view and interact with mobile and
store-based devices from a single console at headquarters. After
patches have been installed, each device must be automatically audited
to verify that the patch was installed correctly. This kind of
roundtrip reporting is critical: it's the only way to know which
patches were successfully installed and which were not. If an
application "breaks" after a patch is implemented, administrators must
be able to roll back the patch at once, without involving the user. Any
organisation that neglects post-rollout audits can plan on a nasty
surprise down the road, when they're hit hard in a spot they thought
was fortified against exploitation.
In addition, administrators must be able to run ad hoc scans to check
device patch levels, registry settings and configuration compliance.
They also should be able to routinely upload antivirus scan logs from
devices, or view device connection records. This kind of ongoing system
monitoring is proactive, while patch management is essentially
reactive. By combining both approaches, corporations are far better
equipped to withstand the enemies arrayed against them.
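The round-trip audit and rollback decision described in the two paragraphs above can be shown as a reconciliation of the rollout target list against what each device reports back. The code below is an added example, not code from the article or from XcelleNet; the patch identifier, device names, status labels and the post-install application check are constructed assumptions.

```python
"""Added example, not code from the article or from XcelleNet: the
round-trip audit the section calls for. After a rollout, each device's
reported patch level and its post-install application check are
reconciled against the target list, so the console shows which devices
took the patch, which failed, which have not reported in, and which need
the patch rolled back because an application broke. Records are constructed."""
from dataclasses import dataclass


@dataclass
class AuditReport:
    device_id: str
    installed_patches: set
    app_checks_passed: bool    # result of the agent's post-install self-test (assumed)
    reported_at: str           # when the device last connected (constructed ISO text)


def reconcile(patch_id, targets, reports):
    """Classify every targeted device; returns per-device status and the
    follow-up actions an administrator would trigger from the console."""
    by_id = {r.device_id: r for r in reports}
    status, actions = {}, []
    for device in sorted(targets):
        r = by_id.get(device)
        if r is None:
            status[device] = "no-report"           # never connected since rollout
            actions.append(f"{device}: retry on next connection")
        elif patch_id not in r.installed_patches:
            status[device] = "failed"
            actions.append(f"{device}: re-queue {patch_id} and collect install log")
        elif not r.app_checks_passed:
            status[device] = "rollback"            # patch landed but broke an application
            actions.append(f"{device}: roll back {patch_id}")
        else:
            status[device] = "installed"
    # A device that reports the patch without having been targeted is inventory
    # drift: either the target list or the device record is wrong, and both are
    # worth checking before the next rollout.
    for device, r in by_id.items():
        if device not in targets and patch_id in r.installed_patches:
            status[device] = "untargeted"
            actions.append(f"{device}: verify how {patch_id} got there")
    return status, actions


def summary(status):
    """Counts per status, the figures a console dashboard would show."""
    counts = {}
    for s in status.values():
        counts[s] = counts.get(s, 0) + 1
    return counts


# --- constructed sample rollout ---------------------------------------------
TARGETS = {"pos-store-101", "pos-store-102", "pos-store-103", "laptop-0042"}
REPORTS = [
    AuditReport("pos-store-101", {"PATCH-EXAMPLE-003"}, True, "2004-03-02T02:10"),
    AuditReport("pos-store-102", set(), True, "2004-03-02T02:15"),                 # install failed
    AuditReport("pos-store-103", {"PATCH-EXAMPLE-003"}, False, "2004-03-02T02:20"), # app broke
    # laptop-0042 has not connected since the rollout, so there is no report for it
    AuditReport("handheld-0007", {"PATCH-EXAMPLE-003"}, True, "2004-03-02T02:30"),  # not targeted
]
```

Running `reconcile("PATCH-EXAMPLE-003", TARGETS, REPORTS)` on the sample gives one device in each state. The point of the audit is the two non-obvious classes: a device that never reports is not "patched" just because it was on the target list, and a device where the patch installed but the application check failed needs a rollback rather than a retry.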
Patch management is not enough
The security risks beyond the firewall are real, but corporations
recognise that they can't afford not to equip personnel on the front
lines -- those who make the sales and serve the customer -- with the
cutting-edge technology they need to do their jobs faster and better.
Companies must therefore find ways to keep frontline devices as safe as
They can do this by first making it clear to anyone using computing
devices in the field -- from technicians to executives -- that portable
devices are not personal playthings. They must then follow through by
enforcing security policies using a frontline management solution,
managing both mobile and point-of-service devices as closely as
headquarters PCs. Second, companies must define and enforce
configuration standards for frontline devices so that security holes
can be closed fast, with confidence that the patches will not bring the
systems down. Third, each device in the field must remain constantly
visible to systems administrators, including its software inventory and
patch levels, configuration status, and user activity. This kind of
ongoing visibility is the bedrock of network security.
Clearly, patch management can only be effective in conjunction with a
complete array of systems management tools that are designed
specifically for the front lines. Without such integration, deploying
patches to the field is a lot like shooting in the dark.
Joseph Owen is chief technology officer and vice president of Product Strategy at XcelleNet.