If you think about it, patch management is a form of risk management ÃƒÂ¢Ã¢,Â¬" minimising risks from hackers, viruses, and worms. Virus writers are now releasing viruses much faster after the discovery of each new vulnerability. With the window shortening (only 26 days for the Blaster worm to come out) companies should be looking at using a patch management solution to prevent major virus outbreaks or security breaches in their networks.
There are a few problems, however: the main one being that there are so many patches and just not enough time to test and deploy them. Enterprises need to be given a large window of time to test patches before deploying them on their machines ÃƒÂ¢Ã¢,Â¬" and as we know you can't just push patches out to machines ÃƒÂ¢Ã¢,Â¬" as there may be issues with particular applications which can leave you in an even worse situation.
Stepping back a little, patches do very little if your systems are not secure in the first place. Most of the time security problems don't involve flaws in the software but more to do with employees using weak passwords, machines that are not configured properly, machines that are left unattended, and employees opening e-mail attachments and running untrustworthy applications.
There is also the idea that the most effective patch is the one you don't have to apply. In other words, you should turn off the services you don't intend to use and only run the ones you need. Even if there are vulnerabilities, they won't make a difference if the service isn't running.
This has been a long-running problem with Microsoft's operating systems (among others), that services most people didn't use -- and could lead to security problems -- were turned on in the out-of-the-box installation. Microsoft has now turned off over 20 services in Windows 2003 Server by default. This is one of the steps they have taken to reduce the "attack surface" as Linux distributions have been doing this for years.
Administrators have been expressing concerns about the frequency of patches Microsoft has been releasing. Other concerns have been to do with too many different patch installers, the large size of patches, the need to restart machines after patching, and the abundance of patch management products that overlap in terms of features -- yet there isn't a single complete end-to-end patch management package. Microsoft has been working hard to iron out these issues by placing severity ratings next to patches, improving the way patches are tested, providing consistent installers, modifying the size of patches, and minimising restarts.
In this review we look at Prism Deploy from New Boundary, HfNetChk Pro from Shavlik Technologies, Radia Patch Manager from Novadigm, and LANGuard Network Security Scanner from GFI. These products only deploy patches for Microsoft operating systems, Internet Explorer, Exchange Server, SQL Server, IIS, Media Player, DirectX, MDAC, Outlook, and Office.
We also invited Altiris and IBM to submit products: Altiris is currently awaiting the release of the next version and couldn't get us a preview copy in time, and IBM was unable to submit a product.
Patches for non-Microsoft products can also be deployed using some of these products however you would need to have the executable. If you're running Macs or Linux-based systems you will have to wait. Some of these vendors are working on it, so hopefully it won't be too far away.
We also looked at a product that would be of interest in this area but doesn't actually deploy patches: the Network VirusWall from TrendMicro. We also had a quick look at Microsoft's SMS which does both software distribution and asset management.
The GFI Languard Network Security Scanner is a network security solution that not only scans your operating systems and applications for missing patches but also for open ports, open shares, weak passwords, and more.
This GFI product runs on Windows 2000/ 2003 family operating systems as well as Windows XP. You need to make sure the systems being scanned don't have personal firewall software running as it may block the scanner.
The scanner has a "New Scan" button which enables you to scan a single computer or whole a domain for missing patches. It actually goes beyond this by giving you the option to scan TCP/ UDP ports, CGI, and force patch updates.
It also has a number of handy tools like enumerate computers and users which basically gives you a list of all the computers running on your network and the operating systems running (including Linux). There's also a function to deploy custom patches providing you have the executable. You can create custom scripts that run through specific network checks.
The general layout of the Web-based GUI was very good. It's hard to think you could get confused using this software. The product can also generate reports based on users or groups with high and medium vulnerabilities or you can simply generate a full report that will display everything. This is a great package that does a bit more than just simple patching. This product was also the least expensive.
New Boundary Prism Patch Manager
The New Boundary Prism Patch Manager is also a product that only deploys Microsoft patches.
This product comes from the UK.
Setup was a little tricky. There are a few components of the installer you have to understand how to install. A typical installation includes the console, the master agent, and the agent installer. You also don't have to manually install agents on client machines.
The minimum software requirements to run Patch Manager are Windows NT 4.0, Windows 2000, or Windows XP Professional and Windows Server family operating systems. Clients PCs can run on Windows 2000 and 2003 Server operating systems.
Machines are discovered using Microsoft's Active Directory. There were a few things we had to do beforehand, like enter a domain to search as well as give administrator access to the master agent, which does all the interrogating. When a machine is discovered you have to allow it to be managed which will then allow you to query the machine. Querying the machine means checking to see what patches need to be installed; this was pretty simple. The format in which this information is displayed was excellent. Across the top of the application running horizontally you can tab across the various windows products and check to see which patches you're missing.
The front end is somewhat busier than the Shavlik interface. There was a lot more information displayed on the screen but it was laid out very well and didn't cause any major confusion.
The Prism Manager has a bit more functionality than the Shavlik solution, such as a research pane that allows you to find out what updates are available. The reports it can generate were also more advanced.
We were generally quite pleased with this product, but disappointed that it only manages Windows installations.
Prism Patch Manager is licensed on a 12-month subscription basis. Twelve-month renewals are available at the rate of 25 percent of the published license fees.
Novadigm Radia Patch Manager
Radia Patch Manager came in as a late submission. It arrived already pre-installed on a Windows 2000 notebook running SQL Server. The Patch Manager was made up of three components, the Patch Manager, Application Analyzer, and System Explorer.
It's a relatively large package and possibly the most complex we looked at. We were informed that this product is suited to environments with over 1000 machines and can be installed on Windows NT/2000 Server and Windows Server 2003 and clients running Windows 95, 98, NT, 2000, and XP. As for UNIX and Linux support, Novadigm has advised us it is currently working on this one. At the moment it only supports Microsoft operating systems and applications. However you can push out third-party software as executables that can run on client machines.
We were surprised that the Patch Manager has to install an agent prior to running any vulnerability assessments so the main software can better manage the client machines. The installation of agents was quite messy and can be time consuming.
The user interface was also a little primitive. The design would have been greatly improved if all the features could be accessed from one window. We had constantly switch windows to run the other components. Navigating within the applications was simple enough, but the information could have been displayed better. We had to scroll down long pages, which can make you forget what options are available at the start of the page. We are advised Novadigm is currently working on this.
On a better note, the product does an excellent job managing the full life cycle of patches from acquiring, testing, assessing, deploying, applying, reporting, and maintaining patches. In particular, the way the product does patch testing is quite useful. You can use the Application Analyzer to test to see whether there will be any conflicts between two or more applications or machine resources. Also, this product can open up a patch executable from Microsoft and reveal to you files that are of concern. Most other packages don't give you that level of detail.
To some extent this product also does asset management. It can give you a list of machines found on your network as well as what hardware components they are running.
This package doesn't do port scanning or virus scanning like some of the products we looked at, however out of all the dedicated patch management packages, this one seemed to be the most complete in terms of controlling and deploying patches. We wish Novadigm had made the interface more usable and made it an agentless solution. This product is quite often compared with Altiris Client Management software as both packages do more than just patch, however Altitis wasn't able to supply a product for us to review as the new version wasn't ready yet.
This package was well priced considering it does end-to-end patch management. Telephone and e-mail support doesn't come free, however, it will cost you 18 percent of the list price.
Shavlik HFNetChkPro 4
HFNetChkPro 4 is a GUI based patch management tool. It stems from the HFNetChk tool that Microsoft distributes for free. This tool can be set up in only a couple of minutes.
It can run on Windows 2000 SP3 or later, XP Professional, and Windows Server 2003 Family. As for clients, it supports Windows NT, 2000, and 2003 Server operating systems. Other prerequisites are MDAC, XML, and Jet.
The great thing about this software is that it doesn't use an agent. This speeds up set up time dramatically. This HFNetChk engine uses CAB files that Microsoft maintains to check whether client machines are missing patches. It can scan up to 64 machines simultaneously and if you need to scan more, you can schedule another scan once the first one has finished.
This tool was the easiest package to use. The front end is very clean and within seconds the software would discover our machines and run a scan on them. It was just as easy to deploy the fixes. There were a few different ways in which you can scan and deploy fixes they were either by IP address, domain, or a group of machines. All in all a very intuitive product but it only deploys Microsoft patches.
Shavlik has two Australian resellers, Commander and New Wave Technologies. The price per licensed user also seems high compared to the other products in this review.
Which operating systems does the software run on and which ones does it manage? Futureproofing
What upgrade features are available? How extensive are its management features? ROI
What will the software cost and what do you get for your money? Service
What support is provided as standard and how much will ongoing support end up costing you?
All the software packages were installed on an Acer Altos Server running Windows 2000 Server and SQL Server 2000 SP3a. This server was part of a private network which consisted of another three PCs. Each PC was running Windows 2000 Professional. No service packs, or any kind of fixes were installed on the client PCs prior to testing.
We scanned the client PCs for any missing patches and then deployed the patches to these machines to test the basic functionality of each product.
We focused on ease of installation of both client and admin software, and the overall ease of use including reporting on the patches that were installed on the target machines. We also looked out for any outstanding features that separated some of these packages from each other.
Trend Micro Network VirusWall
The Network Virus Wall from Trend Micro doesn't actually do any patch management. It still however has a place in this area. This device challenges anyone and anything accessing your network. What the VirusWall basically does is prevent virus outbreaks, expose vulnerabilities, and isolate viruses. These are things that firewalls, antivirus, and intrusion detection systems alone can't effectively do.
The VirusWall is a hardware device that sits on a LAN segment and can be managed remotely from the Control Manager using a Web browser.
The VirusWall is made up of three main components, Vulnerability Assessment, Outbreak Prevention, and Damage Cleanup.
The Vulnerability Assessment component discovers vulnerabilities and summarises the potential danger of the vulnerability. It lists the associated software and the potential malware could affect it.
The Outbreak prevention component focuses on preventing and containing viruses. For example, from here you can isolate un-patched machines from infecting other machines. As well as preventing outbreaks it monitors your network. The VirusWall uses smarts that monitor your network flow for anything that may seem irregular, and then notifies you. It scans port numbers, hosts, and connections for any sudden increases in traffic.
Based on this sort of information you can also create policies that will enable you to block or isolate these machines. The Cleanup component cleans and fixes unwanted registry entries and corrupted systems files.
As you can see there is a definite spot for this type of device on your network. In concert with a patch management package, you will have most of your bases covered.
Trend Micro offers phone support from 9am to 5pm and e-mail support 24x7.
Trend Micro Control Manager Version 3.0 is necessary to Control the appliance. If you include the Trend Micro Control Manager, Vulnerability Assessment Service, Damage Cleanup Service, Outbreak Prevention Service, and the Network Virus Wall appliance itself, the price works out to AU$80 per user for 100 users.
Micosoft Systems Management Server
Systems Management Server is part of the Windows Server system. It does large enterprise software distribution and asset management all in one. It's usually combined with Microsoft's Software Update Services (SUS) to offer a full end-to-end patch management product.
When new patches are available, SMS won't tell you: you would have to use another source (SUS) and then run the patch information against the central database.
If you were a large enterprise and didn't have a patch management system in place, then SMS would be one you should look at. If you have HP OpenView or IBM Tivoli running, then the obvious solution would be to use a suitable OpenView (typically Altiris) or Tivoli component to do your patch management. As you can imagine, it would get quite messy if you were to mix modules and components from differ-ent vendors.
Some of the key features of SMS include:
Software distribution to targeted assets
Application usage monitoring
Security patch management
Patch deployment to managed assets
Stages and test patches prior to installation
Fine grained control over patches
Bandwidth awareness (client network connections)
Checkpoint/restart (downloads to clients continue where they left off)
Location awareness (mobile users will always receive software updates from the nearest appropriate source)
Windows Management Services Integration
Active Directory discovery
Microsoft System Management Server Enterprise Edition 2003 sells for AU$1019, and client access licences are AU$72. System Management Server Enterprise Edition 2003 English sells for AU$2325 and includes a copy of SQL Server 2000 that runs the SMS database.
Sample Scenario Company: Victorian Loyalty Program Marketing
This company's network administrators are worn out needing to apply patches manually to servers and desktops and want a software solution to automate the process. Approximate budget: Open. Requires: Above all, ease of use, and the ability to manage the process centrally is the key concern. The company has servers running a variety of operating systems, so a package that can handle Linux and various flavours of Unix would be grealy appreciated. The ability to test patches before they are deployed would be a big bonus.
Best Solution: The only end-to-end patch management software submitted was Novadigm's Radia Patch Manager, so it's the best option for this company. It did everything we expected of it, however it wasn't the easiest to use.
Look out for...
Does the software just deploy or actually manage patches?
Can it patch third-party software applications, not just Microsoft products?
Which platforms does the admin software run on?
Which platforms do the client PCs have to be running on?
What add-ons can be purchased?
How many users will you have to manage?
What methods does the software use to test patches?
Does the software uses client agents?
Can it do reporting?
This article was first published in Technology & Business magazine. Click here for subscription information.
Editor's Choice Novadigm Radia Patch Manager
If you're looking for one package that wil do everything, Novadigm's Radia Patch Manager has all the tools to manage patches through their entire lifecycle, from acquiring patches through testing to deployment and beyond. On the downside, you'll need to install an agent on all the systems you want to manage, but no other package we looked at gives you the same level of control.
RMIT IT Test Labs is an independent testing institution based in Melbourne, Victoria, performing IT product testing for clients such as IBM, Coles-Myer, and a wide variety of government bodies. In the Labs' testing for T&B, they are in direct contact with the clients supplying products and the magazine is responsible for the full cost of the testing. The findings are the Labs' own--only the specifications of the products to be tested are provided by the magazine. For more information on RMIT, please contact the Lab Manager, Steven Turvey.