Managing Patch Pain

SOFTWARE VENDORS TO THE RESCUE?
In general, there are four classes of patch management products, based on what they patch and how they use agents: Windows desktops and servers with optional agents, Windows desktops and servers with required agents, multiplatform systems with required agents, and multiplatform systems with required agents and a virtualization support/data center focus. Here's a preview of some products we hope to test.

Windows desktops and servers with optional agents:
Many organizations are willing to devote specialized resources to patching their hundreds or thousands of Windows desktops and servers before a virus or malicious code spreads throughout the network, resulting in substantial downtime. Shavlik Technologies' NetChk Protect combines patch and spyware management with the option of using an agent-based or agentless architecture; it can patch nearly 700 applications as well as Windows operating systems. Many vendors, including BMC, Microsoft, and Symantec, use Shavlik products within their patch management suites.

Like NetChk Protect, Ecora Software's Patch Manager gives IT administrators the option to use agents or run without them. With a concentration on discovery, patch assessment, and patch installation on both Windows workstations and servers, Ecora uses bandwidth throttling to limit the network resources dedicated to patching. Critical functions such as patch rollback, wake on LAN, and the ability to designate a test environment for patching before production deployment are all promised in Ecora, and a variety of reports are included that will aid in auditing and compliance.

Top 7 Patching Mistakes

1. Not testing the patch prior to rollout.
Some patches will be incompatible with, or even totally break, other applications.

2. Not having a rollback version.
If the patch fails, you need the ability to retreat gracefully.

3. Killing the network.
Deploying multiple patches at the same time across the network will grind other applications to a halt and raise the ire of users.

4. "Reboot required" during production hours.
Many patches require users to restart systems. When possible, deploy these after hours.

5. Missed patches.
Often a user call or virus initiates a frantic search for a missing patch. Stay on top of releases to minimize downtime.

6. No patch audit trail.
If you patch regularly, you need to keep track of what fixes were applied, and when, for auditing and reporting.

7. No formalized patch process.
A defined policy that specifies who may approve patches and the procedure to deploy them is critical to patch management success.

Windows desktops and servers with required agents:
Agents are typically used in environments where IT may not have dedicated access to managed devices, such as laptops that connect sporadically to the corporate network. Agents may also come in handy when you need to distribute network traffic related to patching, and they tend to provide tighter control over devices.

Kaseya's Patch Management software automatically discovers missing patches and updates, and it can automate deployment and installation of patches on a defined schedule. Once initial scans are completed, IT can review results for each machine and decide if, when, and how each missing patch or update will be applied. IT administrators also can track and approve patches for auditing and reporting.

Novell's Zenworks Configuration Management focuses on notifying IT when a new security update exists and ensuring that the update has been staged for distribution. Novell provides a team of security experts to track software vendor support sites and update feeds to organizations.

IBM's Configuration Manager provides Microsoft client and server software patch automation capabilities in distributed environments. Configuration Manager also can scan clients for missing patches, build patch plans, and distribute required patches to clients. Like IBM, CA Unicenter's Patch Management is focused on Windows--in its case, desktop environments. CA monitors for newly available patches and validates available patches.

Multiplatform with required agents:
If your environment includes Unix, Linux, and/or Mac OS, you'll turn to vendors that support cross-platform applications and operating systems. In addition to offering a broader suite of policy management products, BigFix provides patch management and security update delivery for major operating systems as well as common applications, and it can handle more than 50,000 devices. You will need to run the BigFix Server on Windows and deploy an agent on every managed node.

LANDesk's Patch Manager includes a subscription service that will collect and analyze patches for heterogeneous environments. Like other suites, it scans managed devices to identify application and operating system vulnerabilities; when it discovers an issue, you can download the associated patch and research requirements, dependencies, interactions, and known issues. LANDesk monitors the status of each installation and provides bandwidth throttling, staging, and detailed policy and compliance reporting.

BMC Patch Manager, formerly Marimba, provides testing capabilities that allow administrators to minimize risk by analyzing the impact a patch will have on an endpoint. The BMC Patch Manager Policy Engine facilitates the initial patch installation and continually monitors patches to ensure that they stay installed. Lumension's PatchLink Patch Management suite automates the collection, analysis, and delivery of software patches to a wide range of operating systems. It also focuses on reporting.

Other vendors deploy configuration management databases to manage and control patches. Configuresoft's Enterprise Configuration Manager automatically discovers new systems and tracks configuration changes at scheduled intervals to ensure that the latest patch information is available. It groups machines by function or role and supports patch testing across different configurations. The software continually updates the patch status of all machines and maintains an audit history of patch deployment, extremely useful for compliance reporting. Similarly, Symantec's Altiris Patch Management is focused on a central, extensible repository.

Multiplatform with required agents, virtualization support/data center focus:
As organizations move toward data center consolidation and virtual machines for cost reduction and improved efficiency, ensuring that IT can maintain those consolidated servers is key. Patch management is critical, and care must be taken to work with vendors that can support complex, heterogeneous operating system environments that include servers running Windows, Linux, and Unix on VMware. HP's Opsware/SAS and BladeLogic fit well here.

BladeLogic is focused more on the data center server environment than the desktop world and supports operating systems, server components such as middleware, utilities, system software, and multitier apps in virtualized environments. BladeLogic Configuration Manager uses a policy-based approach where changes are applied to a policy, then synchronized with target servers. The company says this bidirectional method significantly lowers the costs and errors associated with managing servers. Configuration Manager also features a cross-platform command line interface that supports single sign-on using a range of authentication protocols. All communication is encrypted, and all user actions are logged and can be authorized based on role, which is key for highly secure environments and something that may not be available in midmarket products.

Opsware SAS will automatically discover server hardware, configurations, and software. With broad configuration and provisioning capabilities, SAS can identify and patch a large number of servers as well as create and enforce patch policies. SAS also uses best practices in audit and remediation definitions to enable fast response to security or compliance vulnerabilities that require patches.

Illustration by Michael Sloan