PatchLink offers solid flaw management

By Tom Bowers, Contributing Writer 16 Jan 2007 | Information Security magazine

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Category: Vulnerability scanning
Product: PatchLink Update 6.3
Vendor: PatchLink
Price: $1,495 per update server, plus annual subscription fee starting at $18 per client

Keeping systems patched can be a nightmare for enterprises. Mid- and large-sized enterprises will find this automated patching tool from PatchLink an excellent, cost-effective solution.

Configuration/Management: B
PatchLink's wizard-based process walks you through installation, including MSDE if it (or SQL Server) isn't already present. PatchLink Update provides a Web-based manual installation process for one-off installs. It's also possible to automate installation by using a script or Group Policy Object with the standalone installer. Agents can be automatically deployed through the console using Active Directory/LDAP lookup or IP/DNS scanning.

One major shortcoming is weak integration with AD. Although you can deploy the agent through AD, it's not possible to manage devices through Active Directory organizational units (OUs) or import OU membership information into PatchLink's group-based management structure.

Policy control: B+
PatchLink Update grants administrators a great deal of policy control, including the ability to schedule scans and deployments. PatchLink will enforce minimum baselines automatically according to standards you create for admin-defined or platform-based groups of devices. When a patch becomes available, you may create a rollout schedule based on your specific needs.

As noted above, tighter AD integration would allow enterprises to leverage the time they've already invested in creating an OU structure to apply policies to different parts of the organization.

We were impressed with PatchLink's ability to create custom patch packages and deploy them to the enterprise or specific groups on a scheduled basis. These packages can also be used to change configuration settings, install software and run automated scripts.

We also like the flexibility to grant end users varying degrees of control over the PatchLink agent. For example, administrators may choose to allow users to delay patch deployments and system reboots.

Effectiveness: A-
PatchLink Update is a robust and flexible automated patch tool that will go a long way toward taking some of the pain out of Patch Tuesday.

The Windows-centric product provides a baseline level of support for other OSes, including Mac OS X and several Unix/Linux variants. It also supports many Windows applications, but only a handful of Mac apps and none for *nix.

Determining which systems are unpatched and verifying successful deployments are major pain points for enterprises. PatchLink uses digital signatures for each patch and scans the host system to determine patch level. If the initial patch fails, it attempts to redeploy it up to three times.

Reporting: B
PatchLink has a wide range of reports on the status of agents, enterprise-wide package compliance, patch deployment status for systems/groups and the current mandatory baseline.

Customization and filtering are limited. For example, you can filter your report based on devices or device groups, but not on complex criteria such as creating a report listing devices missing patches for a certain period of time.

Verdict
PatchLink Update 6.3 is a solid solution to the enterprise patch management problem and demonstrates its true power in a Windows environment.

Testing methodology
PatchLink Update was tested in a Windows Server 2003 and Windows XP environment within VMware Workstation. We ran the PatchLink Web server on IIS 6.0.

This product review originally appeared in the January 2007 edition of Information Security magazine.

Tags: Security Patch Management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Patch Management Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat How to manage patches for Adobe When is it suitable to remove Java updates?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary attack vector  (SearchSecurity.com) back door  (SearchSecurity.com) ethical worm  (SearchSecurity.com) Patch Tuesday  (SearchSecurity.com) zero-day exploit  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary