Security patches are a big worry: they come out at odd times, they suck up your bandwidth, and just occasionally they break things. We look at patch management packages to ease the burden.
If you think about it, patch management is a form of risk management: minimising the risk from hackers, viruses, and worms. Virus writers are now releasing viruses much faster after the discovery of each new vulnerability. With the window shortening (only 26 days between the vulnerability and the Blaster worm), companies should be looking at a patch management solution to prevent major virus outbreaks or security breaches in their networks.
There are a few problems, however, the main one being that there are so many patches and just not enough time to test and deploy them. Enterprises need a large window of time to test patches before deploying them on their machines, and, as we know, you can't just push patches out to machines, as there may be issues with particular applications that can leave you in an even worse situation.
Stepping back a little, patches do very little if your systems are not secure in the first place. Most of the time security problems don't involve flaws in the software; they have more to do with employees using weak passwords, machines that are not configured properly, machines that are left unattended, and employees opening e-mail attachments and running untrustworthy applications.
There is also the idea that the most effective patch is the one you don't have to apply. In other words, you should turn off the services you don't intend to use and only run the ones you need. Even if there are vulnerabilities, they won't make a difference if the service isn't running.
This has been a long-running problem with Microsoft's operating systems (among others): services most people didn't use, and which could lead to security problems, were turned on in the out-of-the-box installation. Microsoft has now turned off over 20 services in Windows Server 2003 by default. This is one of the steps it has taken to reduce the "attack surface", something Linux distributions have been doing for years.
Administrators have been expressing concerns about the frequency of patches Microsoft has been releasing. Other concerns have been to do with too many different patch installers, the large size of patches, the need to restart machines after patching, and the abundance of patch management products that overlap in terms of features -- yet there isn't a single complete end-to-end patch management package. Microsoft has been working hard to iron out these issues by placing severity ratings next to patches, improving the way patches are tested, providing consistent installers, modifying the size of patches, and minimising restarts.
In this review we look at Prism Deploy from New Boundary, HfNetChk Pro from Shavlik Technologies, Radia Patch Manager from Novadigm, and LANGuard Network Security Scanner from GFI. These products only deploy patches for Microsoft operating systems, Internet Explorer, Exchange Server, SQL Server, IIS, Media Player, DirectX, MDAC, Outlook, and Office.
We also invited Altiris and IBM to submit products: Altiris is currently awaiting the release of the next version and couldn't get us a preview copy in time, and IBM was unable to submit a product.
Patches for non-Microsoft products can also be deployed using some of these products, but you would need to have the executable. If you're running Macs or Linux-based systems you will have to wait. Some of these vendors are working on it, so hopefully it won't be too far away.
We also looked at a product that would be of interest in this area but doesn't actually deploy patches: the Network VirusWall from Trend Micro. We also had a quick look at Microsoft's SMS, which does both software distribution and asset management.
GFI LanGuard
The GFI Languard Network Security Scanner is a network security solution that not only scans your operating systems and applications for missing patches but also for open ports, open shares, weak passwords, and more.
This GFI product runs on the Windows 2000/2003 family of operating systems as well as Windows XP. You need to make sure the systems being scanned don't have personal firewall software running, as it may block the scanner.
The scanner has a "New Scan" button which enables you to scan a single computer or a whole domain for missing patches. It actually goes beyond this by giving you the option to scan TCP/UDP ports and CGI, and to force patch updates.
It also has a number of handy tools, such as "enumerate computers" and "enumerate users", which give you a list of all the computers on your network and the operating systems they are running (including Linux). There's also a function to deploy custom patches, providing you have the executable. You can create custom scripts that run through specific network checks.
The general layout of the Web-based GUI was very good. It's hard to think you could get confused using this software. The product can also generate reports based on users or groups with high and medium vulnerabilities or you can simply generate a full report that will display everything. This is a great package that does a bit more than just simple patching. This product was also the least expensive.
New Boundary Prism Patch Manager
The New Boundary Prism Patch Manager is also a product that only deploys Microsoft patches.
This product comes from the UK.
Setup was a little tricky. The installer has a few components, and you have to understand how each is installed. A typical installation includes the console, the master agent, and the agent installer. You don't, however, have to manually install agents on client machines.
The minimum software requirements to run Patch Manager are Windows NT 4.0, Windows 2000, or Windows XP Professional and the Windows Server family of operating systems. Client PCs can run the Windows 2000 and 2003 Server operating systems.
Machines are discovered using Microsoft's Active Directory. There were a few things we had to do beforehand, like enter a domain to search as well as give administrator access to the master agent, which does all the interrogating. When a machine is discovered you have to allow it to be managed, which will then allow you to query the machine. Querying the machine means checking to see what patches need to be installed; this was pretty simple. The format in which this information is displayed was excellent. Across the top of the application, running horizontally, you can tab across the various Windows products and check to see which patches you're missing.
The front end is somewhat busier than the Shavlik interface. There was a lot more information displayed on the screen but it was laid out very well and didn't cause any major confusion.
The Prism Manager has a bit more functionality than the Shavlik solution, such as a research pane that allows you to find out what updates are available. The reports it can generate were also more advanced.
We were generally quite pleased with this product, but disappointed that it only manages Windows installations.
Prism Patch Manager is licensed on a 12-month subscription basis. Twelve-month renewals are available at the rate of 25 percent of the published license fees.
Novadigm Radia Patch Manager
Radia Patch Manager came in as a late submission. It arrived already pre-installed on a Windows 2000 notebook running SQL Server. The Patch Manager was made up of three components: the Patch Manager, Application Analyzer, and System Explorer.
It's a relatively large package and possibly the most complex we looked at. We were informed that this product is suited to environments with over 1000 machines and can be installed on Windows NT/2000 Server and Windows Server 2003 and clients running Windows 95, 98, NT, 2000, and XP. As for UNIX and Linux support, Novadigm has advised us it is currently working on this one. At the moment it only supports Microsoft operating systems and applications. However you can push out third-party software as executables that can run on client machines.
We were surprised that the Patch Manager has to install an agent prior to running any vulnerability assessments so the main software can better manage the client machines. The installation of agents was quite messy and can be time consuming.
The user interface was also a little primitive. The design would have been greatly improved if all the features could be accessed from one window. We had to constantly switch windows to run the other components. Navigating within the applications was simple enough, but the information could have been displayed better. We had to scroll down long pages, which can make you forget what options are available at the start of the page. We are advised Novadigm is currently working on this.
On a better note, the product does an excellent job managing the full life cycle of patches from acquiring, testing, assessing, deploying, applying, reporting, and maintaining patches. In particular, the way the product does patch testing is quite useful. You can use the Application Analyzer to test to see whether there will be any conflicts between two or more applications or machine resources. Also, this product can open up a patch executable from Microsoft and reveal to you files that are of concern. Most other packages don't give you that level of detail.
To some extent this product also does asset management. It can give you a list of machines found on your network as well as what hardware components they are running.
This package doesn't do port scanning or virus scanning like some of the products we looked at; however, out of all the dedicated patch management packages, this one seemed to be the most complete in terms of controlling and deploying patches. We wish Novadigm had made the interface more usable and made it an agentless solution. This product is quite often compared with Altiris Client Management software, as both packages do more than just patch; however, Altiris wasn't able to supply a product for us to review as the new version wasn't ready yet.
This package was well priced considering it does end-to-end patch management. Telephone and e-mail support doesn't come free, however: it will cost you 18 percent of the list price.
Shavlik HFNetChkPro
HFNetChkPro 4 is a GUI-based patch management tool. It stems from the HFNetChk tool that Microsoft distributes for free. This tool can be set up in only a couple of minutes.
It can run on Windows 2000 SP3 or later, XP Professional, and Windows Server 2003 Family. As for clients, it supports Windows NT, 2000, and 2003 Server operating systems. Other prerequisites are MDAC, XML, and Jet.
The great thing about this software is that it doesn't use an agent. This speeds up setup time dramatically. The HFNetChk engine uses CAB files that Microsoft maintains to check whether client machines are missing patches. It can scan up to 64 machines simultaneously, and if you need to scan more, you can schedule another scan once the first one has finished.
This tool was the easiest package to use. The front end is very clean, and within seconds the software would discover our machines and run a scan on them. It was just as easy to deploy the fixes. There are a few different ways in which you can scan and deploy fixes: by IP address, by domain, or by a group of machines. All in all a very intuitive product, but it only deploys Microsoft patches.
Shavlik has two Australian resellers, Commander and New Wave Technologies. The price per licensed user also seems high compared to the other products in this review.
Interoperability
Which operating systems does the software run on and which ones does it manage?
Futureproofing
What upgrade features are available? How extensive are its management features?
ROI
What will the software cost and what do you get for your money?
Service
What support is provided as standard and how much will ongoing support end up costing you?
All the software packages were installed on an Acer Altos server running Windows 2000 Server and SQL Server 2000 SP3a. This server was part of a private network which consisted of another three PCs. Each PC was running Windows 2000 Professional. No service packs or fixes of any kind were installed on the client PCs prior to testing.
We scanned the client PCs for any missing patches and then deployed the patches to these machines to test the basic functionality of each product.
We focused on ease of installation of both client and admin software, and the overall ease of use including reporting on the patches that were installed on the target machines. We also looked out for any outstanding features that separated some of these packages from each other.
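The scan-then-deploy workflow used in this test, combined with the severity ratings and the testing window discussed earlier, as an added Python example. This is not code from any product in the review; the patch catalogue, host inventory, patch identifiers, assessment date and pilot results are all constructed placeholders.

```python
# Patch compliance assessment with a test-soak gate. Added example, not code
# from any product in this review; the catalogue, inventory and patch
# identifiers are constructed placeholders, not real bulletins.
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Patch:
    kb: str          # placeholder identifier, not a real Microsoft bulletin
    product: str
    severity: str    # vendor severity rating: critical / important / moderate
    released: date

SEVERITY_RANK = {"critical": 0, "important": 1, "moderate": 2}

# Constructed catalogue standing in for the vendor's published patch list
CATALOGUE = [
    Patch("KB-PLACEHOLDER-1", "Windows 2000", "critical", date(2003, 7, 16)),
    Patch("KB-PLACEHOLDER-2", "Windows 2000", "important", date(2003, 8, 1)),
    Patch("KB-PLACEHOLDER-3", "SQL Server", "critical", date(2003, 7, 1)),
    Patch("KB-PLACEHOLDER-4", "IIS", "moderate", date(2003, 8, 10)),
]

# Constructed inventory: host -> (installed products, installed patch ids),
# the data an agent or an agentless scan would collect from each machine
INVENTORY = {
    "pc1": ({"Windows 2000"}, {"KB-PLACEHOLDER-1"}),
    "pc2": ({"Windows 2000", "IIS"}, set()),
    "srv1": ({"Windows 2000", "SQL Server", "IIS"},
             {"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-3"}),
}

TODAY = date(2003, 8, 20)   # constructed assessment date
# Constructed pilot result: patches that ran on the test group without conflicts
PILOT_PASSED = {"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2", "KB-PLACEHOLDER-4"}

def missing_patches(host, catalogue=CATALOGUE, inventory=INVENTORY):
    """Patches for the host's products that are not installed, most severe first."""
    products, installed = inventory[host]
    applicable = (p for p in catalogue
                  if p.product in products and p.kb not in installed)
    return sorted(applicable, key=lambda p: (SEVERITY_RANK[p.severity], p.released))

def deployable(patch, today, tested, soak_days=14):
    """Broad rollout only after the pilot group passed it and the soak window elapsed."""
    return patch.kb in tested and today - patch.released >= timedelta(days=soak_days)

def compliance_report(today=TODAY, tested=PILOT_PASSED, inventory=INVENTORY):
    """Per host: what is missing, what may go out now, what must wait for testing."""
    report = {}
    for host in inventory:
        missing = missing_patches(host, inventory=inventory)
        ready = [p.kb for p in missing if deployable(p, today, tested)]
        report[host] = {
            "missing": [p.kb for p in missing],
            "deploy_now": ready,
            "awaiting_test": [p.kb for p in missing if p.kb not in ready],
            "worst": missing[0].severity if missing else None,
        }
    return report
```

Calling `compliance_report()` yields one row per host; a patch that is still inside its soak window, or that has not yet passed the pilot group, is listed under `awaiting_test` rather than pushed out.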
Trend Micro Network VirusWall
The Network VirusWall from Trend Micro doesn't actually do any patch management. It does, however, still have a place in this area. This device challenges anyone and anything accessing your network. What the VirusWall basically does is prevent virus outbreaks, expose vulnerabilities, and isolate viruses. These are things that firewalls, antivirus, and intrusion detection systems alone can't effectively do.
The VirusWall is a hardware device that sits on a LAN segment and can be managed remotely from the Control Manager using a Web browser.
The VirusWall is made up of three main components: Vulnerability Assessment, Outbreak Prevention, and Damage Cleanup.
The Vulnerability Assessment component discovers vulnerabilities and summarises the potential danger of each. It lists the associated software and the malware that could potentially affect it.
The Outbreak Prevention component focuses on preventing and containing viruses. For example, from here you can isolate unpatched machines so they can't infect other machines. As well as preventing outbreaks it monitors your network. The VirusWall uses smarts that monitor your network flow for anything that seems irregular, and then notifies you. It watches port numbers, hosts, and connections for any sudden increases in traffic.
Based on this sort of information you can also create policies that will enable you to block or isolate these machines. The Damage Cleanup component cleans and fixes unwanted registry entries and corrupted system files.
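The kind of monitoring described above (connection counts per host rising sharply against that host's own baseline, followed by a policy decision to notify or isolate) as an added Python example. This is not Trend Micro's algorithm and not code from the product; the flow records, host names and port numbers are constructed placeholders.

```python
# Connection-rate spike detection with an isolation policy. Added example in
# the spirit of the outbreak monitoring described above; not Trend Micro's
# algorithm. Flow records, hosts and ports below are constructed placeholders.
from collections import Counter, defaultdict

def build_sample_flows():
    """Constructed records: (minute, source host, destination host, dst port)."""
    flows = []
    # Normal activity: each workstation opens two connections a minute to a file server
    for minute in range(6):
        for src in ("pc1", "pc2", "pc3"):
            flows += [(minute, src, "srv1", 445)] * 2
    # From minute 4 one unpatched workstation starts fanning out to many distinct
    # addresses on a single port, the traffic pattern an outbreak produces
    for minute in (4, 5):
        flows += [(minute, "pc2", f"10.0.0.{i}", 135) for i in range(1, 41)]
    return flows

def detect_spikes(flows, baseline_minutes=3, factor=4.0, min_count=10):
    """Flag (host, minute) pairs whose connection count jumps well above that
    host's own baseline. `min_count` keeps idle hosts from alerting on tiny changes."""
    per_host = defaultdict(Counter)                  # src -> minute -> connection count
    targets = defaultdict(lambda: defaultdict(set))  # src -> minute -> distinct (dst, port)
    for minute, src, dst, port in flows:
        per_host[src][minute] += 1
        targets[src][minute].add((dst, port))
    alerts = []
    for src, counts in per_host.items():
        base = [counts[m] for m in range(baseline_minutes)]
        baseline = sum(base) / len(base)
        for minute in sorted(counts):
            n = counts[minute]
            if minute >= baseline_minutes and n >= min_count and n > factor * baseline:
                alerts.append({"host": src, "minute": minute, "connections": n,
                               "baseline": baseline,
                               "distinct_targets": len(targets[src][minute])})
    return alerts

def isolation_candidates(alerts, consecutive=2):
    """Policy: recommend isolating a host only after it spikes in `consecutive`
    minutes in a row; a single burst (a backup job, say) only produces a notification."""
    minutes_by_host = defaultdict(set)
    for a in alerts:
        minutes_by_host[a["host"]].add(a["minute"])
    out = []
    for host, minutes in minutes_by_host.items():
        if any(all(m + k in minutes for k in range(consecutive)) for m in minutes):
            out.append(host)
    return sorted(out)
```

With the sample flows, only `pc2` is flagged (42 connections a minute against a baseline of 2, to 41 distinct targets), and because it spikes in two consecutive minutes it becomes an isolation candidate rather than just a notification.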
As you can see there is a definite spot for this type of device on your network. In concert with a patch management package, you will have most of your bases covered.
Trend Micro offers phone support from 9am to 5pm and e-mail support 24x7.
Trend Micro Control Manager Version 3.0 is necessary to control the appliance. If you include the Trend Micro Control Manager, Vulnerability Assessment Service, Damage Cleanup Service, Outbreak Prevention Service, and the Network VirusWall appliance itself, the price works out to AU$80 per user for 100 users.
Microsoft Systems Management Server
Systems Management Server is part of the Windows Server system. It does large enterprise software distribution and asset management all in one. It's usually combined with Microsoft's Software Update Services (SUS) to offer a full end-to-end patch management product.
When new patches are available, SMS won't tell you: you would have to use another source (SUS) and then run the patch information against the central database.
If you were a large enterprise and didn't have a patch management system in place, then SMS would be one you should look at. If you have HP OpenView or IBM Tivoli running, then the obvious solution would be to use a suitable OpenView (typically Altiris) or Tivoli component to do your patch management. As you can imagine, it would get quite messy if you were to mix modules and components from different vendors.
Some of the key features of SMS include:
Application deployment
  - Software distribution to targeted assets
Asset management
  - Application usage monitoring
  - Software inventory
  - Hardware inventory
  - Web reporting
Security patch management
  - Patch deployment to managed assets
  - Stages and tests patches prior to installation
  - Fine-grained control over patches
Mobility
  - Bandwidth awareness (client network connections)
  - Checkpoint/restart (downloads to clients continue where they left off)
  - Location awareness (mobile users always receive software updates from the nearest appropriate source)
Windows Management Services integration
  - Active Directory discovery
Microsoft System Management Server Enterprise Edition 2003 sells for AU$1019, and client access licences are AU$72. System Management Server Enterprise Edition 2003 English sells for AU$2325 and includes a copy of SQL Server 2000 that runs the SMS database.
Sample Scenario Company: Victorian Loyalty Program Marketing
This company's network administrators are worn out from applying patches manually to servers and desktops and want a software solution to automate the process. Approximate budget: Open. Requires: Above all, ease of use; the ability to manage the process centrally is the key concern. The company has servers running a variety of operating systems, so a package that can handle Linux and various flavours of Unix would be greatly appreciated. The ability to test patches before they are deployed would be a big bonus.
Best Solution: The only end-to-end patch management software submitted was Novadigm's Radia Patch Manager, so it's the best option for this company. It did everything we expected of it, however it wasn't the easiest to use.
Look out for...
Does the software just deploy or actually manage patches?
Can it patch third-party software applications, not just Microsoft products?
Which platforms does the admin software run on?
Which platforms do the client PCs have to be running on?
What add-ons can be purchased?
How many users will you have to manage?
What methods does the software use to test patches?
Does the software use client agents?
Can it do reporting?
This article was first published in Technology & Business magazine.
Editor's Choice
Novadigm Radia Patch Manager
If you're looking for one package that will do everything, Novadigm's Radia Patch Manager has all the tools to manage patches through their entire lifecycle, from acquiring patches through testing to deployment and beyond. On the downside, you'll need to install an agent on all the systems you want to manage, but no other package we looked at gives you the same level of control.
RMIT IT Test Labs is an independent testing institution based in Melbourne, Victoria, performing IT product testing for clients such as IBM, Coles-Myer, and a wide variety of government bodies. In the Labs' testing for T&B, they are in direct contact with the clients supplying products and the magazine is responsible for the full cost of the testing. The findings are the Labs' own--only the specifications of the products to be tested are provided by the magazine. For more information on RMIT, please contact the Lab Manager, Steven Turvey.