Equal Opportunity Patching

Lumension Security'sPatchLink Update is an agent-based patch manager that plays well with heterogeneous operating systems. Unlike the first product we reviewed, Shavlik NetChk Protect, which supported only Windows, PatchLink Update works with Mac OS X, Unix, Linux, Solaris, and VMware as well as Windows, and it can protect a number of applications supported on these platforms, including Adobe Flash, antivirus products, and Firefox.

If you're hesitant about deploying agents, you'll appreciate PatchLink's Agent Management Center, a central interface that helps with agent administration and deployment. PatchLink integrates with Active Directory for dynamic creation of groups with cascading assignments of baselines, agent policy and user permissions. The product's inventory management feature allows for identifying and reporting on software, hardware, and services; its user policy features enable some administration to be delegated while still maintaining security. The system's patch repository is securely updated daily by Lumension, and the reporting component offers flexible charts and graphs for analyzing vulnerabilities, deployment status, agents, and baseline compliance. Notifications via e-mail are available for just about any event.

We were pleased to find PatchLink's agents a breeze to install. For Windows, the Agent Management Center can automate deployment with remote registry and file and print sharing enabled. Command line silent installs speed deployment on non-Windows systems.

Initial scan results were available almost immediately, and organizations that need customization will find plenty of options. Lumension's patch repository was quick to respond to requests for new package downloads. Communication between update server and patch repository is over a secure protocol, with each package verified by the server.

One aspect we didn't like is how the application deals with network bandwidth: PatchLink let us control bandwidth only indirectly, by configuring consecutive or concurrent deployments. While the number of concurrent deployments is easily set, there's no other way to throttle bandwidth usage. In addition, the process to roll back patches wasn't as clear-cut as we'd like.

COMPLIANCE AND COST

Lumension's policy-based administration scheme will be a good fit for organizations using a best-practice framework for process control and regulatory compliance; PatchLink will let them ensure that all systems meet a mandatory baseline policy.

We didn't test scalability, but the PatchLink architecture should let large organizations easily distribute the product.

PatchLink doesn't use a perpetual license model. The server software is a one-time fee of $1,695. Beyond that, PatchLink comes with a per-server cost that's renewable yearly: 300 Windows physical servers cost $19 per node, for 200 Linux servers you'll pay $40 per node, and 150 Sun Solaris physical servers run $40 per node. If you have virtualization enabled, 100 VMware ESX virtual servers running 300 instances of Windows operating systems cost $19 per node, again renewable yearly. For our environment, we would spend about $27,000 for the first year, then have $25,000 in recurring costs. We understand the logic around this--Lumension does an extensive amount of testing on new patches--but it's something to factor into the budget.

Rolling Reviews present a comprehensive look at a hot technology category, from market analysis to a synopsis of our findings. See more Rolling Reviews.