
A Pitch for Patching


We asked seven patch vendors to design a system for a hypothetical enterprise. See what they proposed.

By: Neil Roiter

Patch management can bleed organizations of time and resources. Delay exposes critical assets to potential compromise, while inadequately tested patches can break apps and systems. The cycle of discovery, testing, remediation, verification and re-remediation is a major drain on SMBs and Fortune 1000 companies alike.

Automated patch/configuration management tools are designed to relieve these pain points, allowing organizations to enforce security polices and processes quickly and cost-effectively. Companies can choose between various commercial products and services, but how do they pick the right product for their environment?

Assuming that companies buy solutions and not just cool feature sets, we invited vendors to respond to a request for proposal (RFP) from a hypothetical company suffering all the miseries associated with patching a highly distributed environment.

Information Security assembled a panel of four infosecurity experts to evaluate the seven responses that best addressed the specific requirements detailed in our scenario--from BigFix, Citadel Security Software, Configuresoft, Everdream, PatchLink, St. Bernard Software and Shavlik Technologies.

The responses were revealing, showing how different vendors address customer needs on a conceptual and planning level. Some were polished, others creative, and a few just disappointing. A complete analysis is available online; the following is a synopsis:

  • BigFix provided a clear, detailed explanation of its capabilities, addressed directly to our requirements. It was the only vendor that provided a deployment diagram. Its highly flexible agent-based BigFix Enterprise Server (BES) automates vulnerability assessment and remediation for LAN-based and mobile devices. Its proposed Relay Server architecture addressed one of our main concerns: patching small satellite offices in three countries.
  • Citadel Security Software didn't do a very good job explaining the architecture of its Hercules product and how it could be deployed to address our company's needs. Although it answered the requirements, we were left with a vague picture and too much brochure-type material about the company.
  • Configuresoft's response emphasized the Enterprise Configuration Manager (ECM) and Security Update Manager (SUM) suite's strength as a configuration management and automated patch management product, turning the issue, correctly, into one of overall vulnerability management. However, it didn't provide a real plan for our company. Configuresoft's agents offer flexibility for setting policy and automating remediation.
  • Everdream's Everdream Patch Management is the only managed service among the respondents, offering the usual trade-offs of offloading the work versus loss of control. Its responses were generally of the "we can do this" variety, lacking specific recommendations.
  • PatchLink spelled out specific architecture recommendations and clearly explained how PATCHLINK UPDATE works and why it was well suited to meet our requirements. Its flexible agents, verification technology and Distribution Points met our small office needs. It also described the most thorough patch-testing regimen among the vendors.
  • St. Bernard Software did a capable job explaining how its UpdateEXPERT works, but it offered few specifics that addressed our company's needs. Its option for agent-based and agentless technology offers great flexibility for using agents on mobile devices and, possibly, in satellite offices.
  • Shavlik Technologies did an excellent job explaining the features of its product, HFNetChkPro, and offered two distinct deployment scenarios: central management and distributed management. However, it made no attempt to discuss its product in terms of our needs, leaving us to pick through the response to figure out what was relevant.

For more information and the full text of this article, visit www.searchsecurity.com/ismag

Neil Roiter is senior technology editor at Information Security.

Unwelcome Surprises
Out-of-cycle patch releases can still plunge IT teams into chaos.

"When [Microsoft] issues an out-of-cycle patch, it's always critical," says Children's Arrington. "The department testers aren't in place, so emergency notification goes out to all hands.

"If it's a Friday, we have a meeting to figure out if it's something that can wait until Monday. If not, we make plans for who will have to do what," he adds.

The last surprise was December's cumulative fix for critical IE vulnerabilities. That time, the staff chose to act immediately.

"When something is released out of cycle, you know it's big," Arrington says. "Under the old system, when patches could come at any time, it was much harder to determine what was critical, important or moderate."

Problems can also develop within the normal cycle.

It took a week before Children's Marshall was able to deploy April's patches. The process started smoothly enough, but then the lab ran into trouble with MS05-023, a critical fix for flaws in Microsoft Word and Office that would allow an attacker to take over vulnerable machines.

"It turned out that machines running Office without SP1 weren't compatible," Marshall says. With exploit code floating around cyberspace and worms like Mytob in the wild, the team had to decide whether to hold back all the patches and isolate problem machines or just delay deploying the one patch. This time, they chose to isolate the 67 incompatible machines.

"Those 67 users won't know the difference, and once their computers are updated to include SP1, we can put them back on the SUS system," Marshall says.

Size Matters
Small companies don't have the resources of BOC Edwards or Children's Hospital. Some have to rely on Microsoft for automation via Windows Update Services (WUS) to patch workstations, while often manually patching servers; others isolate machines from the Internet and patch as time allows.

"If a patch is very critical, it's scary for a company like ours because of the testing involved," says the VP of information services of a small Pennsylvania manufacturer. "If there's a SQL 2000 patch, do I want to put that patch on an enterprise server? It has gotten so big and complex that we have gone more on faith. We test what we can, but we just don't have the resources, time, money or software to do total software testing."

The VP, who didn't want his name or company published, tests patches on his home systems for application compatibility. If all goes well, he begins deployment.

"I don't think we are that uncommon at all," he says of his 120-workstation, 13-server shop. "The nature of business cycles up and down. The amount of money I spend is based on business rather than need. We're a smaller shop with no resources. There are too many different versions of everything, including hardware."

Another small shop, a manufacturer in Washington, runs its mission-critical Oracle applications on Solaris and Red Hat, running other apps on 11 Windows NT, 2000 and 2003 servers. Critical patches are also pulled off WUS for 175 desktops, but downtime is scheduled for Sunday afternoons following Patch Tuesday for manual patching of enterprise servers.

"We apply it to production and trust Microsoft," says an administrator who also wished to remain anonymous. "It's different with Oracle; we have test boxes, and we test every patch. We install it, launch all the features and functions, test it out, and then put it into production. The same with Linux; we put patches into test boxes, test them, and then put them into production.

"We have enough confidence with Microsoft," he says. "It costs a fortune to have mirrors of every box with custom apps."

This was first published in May 2005
