Productive Corporation

P-Guide: Patch Management: An In-depth Look

Patch management is a challenging but crucial task in today's environment. What options do you have at your disposal?
Date Published: November 23, 2008
Length: 1,808
Download: PDF version

Executive Summary
By any measure, patch management is a crucial task. Data security is more important than ever, and threats to your data are multiplying and growing more sophisticated all the time. On top of that, given the number of updates and patches that vendors release each month, the patch management process can quickly overwhelm the typical mid-market IT staff. What options do you have? This P-guide examines some of the latest solutions.

Introduction
It seems hard to believe, but as little as 10 years ago, patch management wasn't a huge issue for most IT departments. That changed in the early years of this decade, when businesses were hit with coordinated mass onslaughts of viruses and worms. Threats such as 2000's "I Love You" virus; the "Code Red" worm of 2001, which caused an estimated $2 billion in damages to firms running Microsoft Windows NT and Windows 2000 server software; and 2003's "Slammer" worm, which doubled in size every 8.5 seconds and infected more than 70,000 hosts, all highlighted serious vulnerabilities in corporate servers and Microsoft Windows.

One result: Software vendors stepped up their releases of emergency patches, and even formalized the process, such as with Microsoft's Patch Tuesday program. But the threats have continued to multiply and grow more sophisticated, making it harder to keep pace. According to the CERT Coordination Center at Carnegie Mellon University, there were 417 known security holes in 1999. That figure jumped to 1,090 in 2000 and has risen steadily each year since. During the first three quarters of 2008 alone, the organization catalogued 6,058 different vulnerabilities. IBM's X-Force Threat Analysis Service offers similar numbers, and notes that the number of "high-severity" vulnerabilities (which it defines as "security issues that allow immediate remote or local access, or immediate execution of code or commands with unauthorized privileges") continues to rise. And Microsoft products are by no means the only targets these days-everything from desktop and Web-based applications to server virtualization to VoIP systems offers potential new entry points for cybercriminals.

In a sense, the entire situation is a race between hackers looking to find new holes and vendors working to cover them up, with IT staffs caught in the middle of the chaos. Unfortunately, there's no escaping the need to patch. Neglect it, and you allow viruses, worms, botnets, and other forms of malware to slither into your system. Indeed, the Gartner research firm estimates that approximately 90 percent of security breaches are caused by improper or neglected patches.

The trouble is that patch management can be a time- and resource-draining chore. You need to continually assess your risks and take steps to address them. You need to keep abreast of the latest round of patches, evaluate their importance, and determine which computers need them. You also need to test the patches to ensure they don't disrupt business systems, distribute them throughout the company (including to remote workers and office locations), and develop rollback plans if problems emerge. Factor in different OS versions, platforms, and configurations and, well, patch management becomes a complicated business-and one that an overworked IT staff can easily fall behind on.

The good news is that you do have a range of patch management tools and solutions at your disposal.

Patch Management Fundamentals
While there are notable differences between the products offered by patch management vendors, the solutions share certain characteristics. All are designed to manage multiple patch-related tasks, including collection, analysis, delivery, and reporting. Some work double-time to root out spyware and viruses. Some focus exclusively on the Windows environment, while others have built-in cross-platform flexibility.

One key distinction to keep in mind is that there are essentially two types of patch management tools: agent-based and agentless. Agent-based systems use communications software to periodically scan an individual computer and download updates from a patch server. Given that setup, an agent-based solution needs to be installed and maintained on each individual computer. In contrast, agentless solutions scan networks to determine patch and update requirements and push them out as needed.

Both approaches have their advantages and disadvantages. For instance, an agent-based system requires agents to be deployed on all of a company's monitored machines. While that can be a hassle in itself, it's ideal for distributed environments and ones that feature mobile users. It also ensures that each individual computer will be patched effectively. Generally speaking, an agentless solution will be easier to deploy and offer the advantages of a centralized management point. But the scanning process can hog bandwidth and miss machines that are disconnected from the network. While the debate over agent-based vs. agentless solutions is not new, it might be coming to an end-some newer products use a combination of both approaches.

Here's a look at a few of the major players in the patch management market.

Solution -Microsoft Windows Server Update Services (WSUS)
One of the best-known point solutions is Microsoft's Windows Server Update Services (WSUS). In a nutshell, WSUS is an agent-based version of the Windows Automatic Updates service that a business can run on its own network. WSUS has some benefits. For starters, it's a free product. It also does a fair job of streamlining the patch management process. WSUS notifies users of patches and allows for either automatic or manual downloading of them. Users also can test and approve updates from the Windows Update site before deployment and distribute the patches manually or automatically. To conserve on bandwidth and avoid slowing down a company's network, WSUS allows users to download update metadata separately from each update during synchronizations and also uses Microsoft's Background Intelligent Transfer Service (BITS 2.0), which takes advantage of idle bandwidth for file transfers. Finally, while WSUS doesn't have a Web-based interface, it is possible to manage it remotely via Microsoft's Remote Desktop client.

WSUS does have drawbacks, however. Consider:

• It only supports relatively current Microsoft-issued updates and patches. (For example, it doesn't support Windows 2000 updates or patches.)
• It needs its own dedicated server and a Windows Server license.
• Compared to several of its competitors, it has limited reporting capabilities (although that quality has been improved in version 3.0, the latest release of the product).
• It's something of a storage hog, requiring approximately 8 GB of hard drive space to install, and up to 30 GB for storing patches.
• It can't deal with unpatched computers that aren't configured to use WSUS.
• It works by distributing approved patches to individual computers, which download and install them at predetermined times-an arrangement that can put a system at risk when exposed to rapidly spreading threats.
• The patching process itself is a bit clunky. Users must first download the patches. Each patch must be approved for target machines to scan for it. From there, each target machine will scan, request, and approve the patch before downloading it.

Solution-Shavlik NetChk Protect
Like many of the other WSUS alternatives, NetChk Protect offers enhanced flexibility and functionality, including virtualization support; built-in bandwidth-management controls; and detailed reporting capabilities such as high-level summary reports, up-to-the-minute details on patch status, and in-depth details on specific machines or groups of machines. It's core is an agentless system that automates the patch management process from an easy-to-use central console. The software can perform scheduled patch scans along with on-demand scans, lets users uninstall patches in any order, and has the ability to hunt down and eliminate spyware, malware, and unwanted software applications. It also features an installable agent component that can be used to deploy patches to mobile users and across distributed environments.

One key addition to the latest version (6.0) of the software is "Any Patch, Anywhere," a patch editor that allows users to create and maintain their own custom patches. One point to consider: NetChk patches non-Microsoft products, but only works on a Windows OS platform.

Solution-BigFix
Like NetChk, the BigFix offers far greater functionality than WSUS. Many of the similarities stop there, however. While NetChk is a standalone point solution, BigFix is an agent-based system that features 18 applications within a scaleable, single-console management platform. The applications span a number of areas-from OS deployment to data leak detection, antivirus, power management, and patch automation, among others. It also offers cross-platform capabilities-in addition to Windows, it supports VMware ESX Server, Linux, Apple, Solaris, and several other operating systems.

The BigFix patch management approach is based on packets called "Fixlets" that spot and warn of any unpatched issues or related problems. From there, users can handle the patching manually or authorize the BigFix system to automatically download and install the needed patches. The Fixlets themselves are created and maintained in a centralized location by BigFix, and users can subscribe to various FixLet servers, depending on their needs. The system also provides the BigFix Configuration Manager, which allows customers to create their own customized Fixlets, and thorough reporting options that include vulnerability assessments, statistics, specific action results, patch status, and the like.

Solution-Lumension PatchLink Update
Lumension Security's PatchLink Update is a scalable, agent-based patch manager that also has cross-platform capabilities. One of its key features is the Agent Management Center, a Web-based interface that provides users with a one-look view of any vulnerabilities on a network, automatically sounds an alert when a patch is removed or dropped, and provides extensively detailed reporting options. Patchlink also uses what it calls Digital Fingerprinting, a patented process that creates a profile of all software, hardware, drivers, and existing and missing patches for individual machines. The software also delivers multiple patches to multiple computers in one distribution round, and draws its patches from what Lumension claims is the world's largest repository of tested patches.

Conclusion
In sum, automated patch management is a necessity in today's IT environment-particularly given the ever-increasing number and intensity of threats at hand. Today's patch management solutions can handle multiple challenges and provide tangible benefits. The only real question comes down to the type of system to employ. Will Microsoft WSUS work for you? Should you go with an agent-based or agentless approach? Do you need other applications rolled into the system? The answer, of course, comes down to your needs and your budget.

Download: PDF version

For more information on patch management solutions, contact Productive Corporation:

Web: productivecorp.com
Phone: 1.800.726.4099
Email: help@productivecorp.com

About Productive Corporation
Productive Corporation is a specialized software reseller that helps small and medium businesses across North America with software initiatives in security, storage, and infrastructure. We provide subject matter expertise, access to technical resources, and excellent customer service. We also strive to provide the most relevant resources for our customers.

About the Author
Chris Mikko is a Twin Cities-based writer and editor who specializes in technology topics.