

If cars were sold in the same way as software, you would
have to hook your Mondeo to the internet and download the latest
code update before you left the garage.
Managing software patches across an organisation can be one of
the biggest headaches for IT departments, but luckily there are
products to help.
According to Mark Nicolett, a research director at Gartner,
there are three main types of patch management tool.
The first, supplier-specific utilities, manage patches for a
single company's product set.
The second, software distribution systems, fold patch management
into a wider set of software management functions such as asset
management, complete application roll out and configuration, and
helpdesk systems.
The third, the point solution, focuses exclusively on the deeper
aspects of patch management.
What all these systems generally have in common is the way they
manage patches. A central server queries machines on the network
(often using a piece of agent software installed on the client) to
assess the patches currently installed.
The server uses this information, along with the policies the IT
administrator has defined for that machine, to transmit and install a
package of patches on the client, bringing it up to date. Smarter
systems integrate with a directory service such as Microsoft's Active
Directory, so that administrators can apply patch policies to groups
of users and machines in the same way they assign access rights and
other permissions.
Most business-class suppliers will have some sort of patch
management system specific to their products. For example, Oracle
feeds all its patches through Oracle Enterprise Manager, a central
administrative tool that includes an enterprise management agent
sitting on each machine running Oracle software.
The agents tell the monitoring application what patches exist on
a given machine, said Duncan Harris, senior director for security
assurance at Oracle. Enterprise Manager then downloads and applies
the relevant patches from Oracle's website.
Microsoft offers a mix of products. Consumers and very small
businesses can use the Windows Update service, recently revamped to
cover Microsoft's other products as well as Windows. Client PCs connect
to it directly across the internet using a downloadable ActiveX
control.
Larger businesses can use Windows Server Update Services (WSUS),
which is available free for Windows 2000 Server with Service Pack 4 or
Windows Server 2003. The WSUS server downloads patches from Microsoft's
update service and holds them until an administrator approves them;
client machines, pointed at the internal WSUS server through Group
Policy, then poll it with the Automatic Updates agent and pull down the
approved patches. WSUS therefore relies on the clients to take the
initiative.
Microsoft's heavier duty Systems Management Server pushes out
patches and software updates to desktop clients. Unlike WSUS, it
also enables its administrators to include software upgrades from
other suppliers rather than restricting them to Microsoft's own
products.
All of these offerings are separate from the Microsoft Developer
Network (MSDN), which distributes software on optical media by post or
as downloads from its subscriber website. MSDN ships products
pre-patched, usually with the service packs rolled in.
Users are starting to see an overlap between the different types
of patch management tools. For example, Red Hat operates the Red
Hat Network, a patch management and software update service for its
enterprise Linux operating system, which is made available along
with the software on a subscription basis.
Using the Red Hat Satellite server, which takes data from the
Red Hat Network and manages software updates locally in the
enterprise, it is possible to distribute preconfigured system
images based on profiles defined for different users or groups of
machines, said product marketing manager Scott Gilbertson.
Just as some supplier-specific patching utilities offer software
distribution features, so the gap between software distribution
suites and specialised patch management suites has narrowed as
software distribution suppliers have started to flesh out their
patch management modules.
Traditionally, according to Nicolett, the difference between the
two was that software distribution systems offered little or no patch
management function. Users had to look to a point solution for features
such as automated analysis of the patches currently installed,
collection and packaging of new patches, and automatic distribution and
installation.
These days, a larger proportion of software distribution systems
offer the same thing. Nevertheless, said Nicolett, "To this day,
while some of the software distribution suppliers provide [patch
management] capability on paper, it is functionally inferior to
what is provided by the best patch management point solutions."
Look for differences in usability, and the speed of reporting
and deployment, he said. "It is a classic trade-off. Go with a
point solution engineered to do one thing very well, or leverage
something broader, which means you have to compromise in terms of
function."
Point solutions and software distribution systems with patch
management modules will support either a single platform and
operating system or, more usefully, multiple platforms and
applications. Because they are designed to be the single point of
collection for patches in the enterprise, many suppliers gather patches
from the vendors they support and package them for users. This is an
important point to take up with any potential supplier, as some, such
as Enteo, focus only on the Microsoft operating system.
When suppliers provide such services, users should check their
pricing mechanisms. Some, like Altiris, provide the service as part
of a standard maintenance package, which amounts to about 15% of
the cost of a new licence per year.
What other functions should users look for? The ability to
schedule patch distribution is crucial, as is configuring the way
in which systems reboot following the application of a patch.
"Our reboot schedule is independent of the download and install
schedule, so the customer can decide what their maintenance window
is for individual boxes," said Jim Baker, product manager at
Altiris. Consequently, systems can sit in a transitional state in which
the patch has been installed but the system has not yet rebooted, which
avoids disrupting applications. The caveat is that a patch whose files
are only swapped in at reboot is not protecting the machine until that
reboot happens, so reporting should distinguish "installed" from
"installed and active" rather than counting the box as compliant.
For many organisations, the ability to patch applications not
supported by default in the patch management system is paramount.
Companies that have developed bespoke software for their staff, for
example, would need the facility to support that in a patch
management product.
Altiris' answer is to roll out a whole program update as part of
its software distribution function. The company is one of a growing
number of suppliers positioning a patch management module as part
of a wider security system.
Terms such as "vulnerability management" and "security lifecycle
management" are bandied about in sales meetings these days. To this
end, some patch management suppliers, such as Patchlink, are
beginning to work with Cisco on its Network Admission Control (NAC)
mechanism, which quarantines computers that do not meet a defined
baseline for operating system patches and anti-virus signatures.
Patching products compatible with NAC check the patch status of any
machine connecting to the network and report it to Cisco's access
control software, which measures it against the baseline of required
security patches. If the machine fails, the patching software takes
over and updates it before the Cisco software grants the user full
access to the network. Bear in mind that the posture check rests on
what the endpoint agent reports about itself; a compromised or tampered
client can misreport, so the check keeps honest machines honest rather
than proving anything about a hostile one.
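The agent/server loop described earlier (an agent inventories the machine, the server compares the inventory with the policy for the machine's directory groups and sends what is missing) and the NAC admission check just described are two views of the same comparison. The following is an added example, not code from the article or from any supplier it names; host names, group names, patch identifiers and the report line format are all constructed for illustration.

```python
"""Added example, not code from the article or from any supplier it names.
It models the agent/server loop described above: an agent reports the
patches present on a machine, the server compares the report with the
baseline for the machine's directory groups, works out what to send, and
produces the kind of admit/quarantine decision a NAC gateway would act on.
Host names, group names and patch identifiers are constructed."""
import re

# Baseline policy: every machine needs "all"; extra groups add requirements.
# Identifiers are hypothetical.
BASELINE = {
    "all": {"KB-1001", "KB-1002"},
    "finance": {"KB-2001"},
    "laptops": {"KB-3001", "AV-SIG-20050901"},
}

# One line per agent report, in a constructed wire format:
# host=<name> groups=<g1,g2> installed=<id;id> pending=<id;id>
REPORT_LINE = re.compile(
    r"host=(?P<host>\S+) groups=(?P<groups>\S*) "
    r"installed=(?P<installed>\S*) pending=(?P<pending>\S*)")


def parse_report(line):
    """Turn one agent report line into a dict; raises ValueError if malformed."""
    m = REPORT_LINE.fullmatch(line.strip())
    if not m:
        raise ValueError("malformed agent report: %r" % line)

    def ids(field):
        return {x for x in m.group(field).split(";") if x}

    return {
        "host": m.group("host"),
        "groups": [g for g in m.group("groups").split(",") if g],
        "installed": ids("installed"),
        "pending": ids("pending"),   # installed but waiting on a reboot
    }


def required_for(groups):
    """Union of the 'all' baseline and the baseline of each group the machine is in."""
    req = set(BASELINE["all"])
    for g in groups:
        req |= BASELINE.get(g, set())
    return req


def assess(report):
    """Return (missing, not_yet_active): what must be sent, and what is on
    disk but not protecting the machine until it reboots."""
    req = required_for(report["groups"])
    missing = sorted(req - report["installed"])
    not_active = sorted(req & report["installed"] & report["pending"])
    return missing, not_active


def admission(report):
    """NAC-style decision: ('allow', []), ('remediate', missing) or
    ('reboot', pending). A machine with any required patch missing is
    quarantined and patched first; one that only needs a reboot is told so
    rather than being counted as compliant."""
    missing, not_active = assess(report)
    if missing:
        return "remediate", missing
    if not_active:
        return "reboot", not_active
    return "allow", []


# Constructed sample reports from three machines.
SAMPLE_REPORTS = [
    "host=fin-ws-07 groups=finance installed=KB-1001;KB-1002;KB-2001 pending=",
    "host=lap-042 groups=laptops installed=KB-1001;KB-3001 pending=KB-1001",
    "host=lap-019 groups=laptops "
    "installed=KB-1001;KB-1002;KB-3001;AV-SIG-20050901 pending=KB-1002",
]


def decide_all(lines=SAMPLE_REPORTS):
    """Map host -> admission decision for a batch of report lines."""
    return {r["host"]: admission(r) for r in map(parse_report, lines)}


if __name__ == "__main__":
    for host, (verdict, ids) in decide_all().items():
        print(host, verdict, ids)
```

Two design points carry over to real tools: the "pending reboot" set is kept separate from "installed" so a machine is never reported compliant on the strength of files that are not yet active, and the whole decision is built on the agent's self-report, which is exactly why a tampered client can lie its way past this kind of check.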
This focus on mobile users who connect occasionally to the
network is important, because it presents a whole new set of
patching problems.
For companies that have large numbers of users on the road, some
of whom may not connect for weeks or even months, keeping systems
up to date becomes a huge headache. Some patching systems may wait
for the user to reconnect, while others, such as Fiberlink's
Endpoint Vulnerability Management, provide the option to update
mobile computers on the move.
"We can control the patch process by saying if this is a slow
type of connection then do not download any patches, or do not
download a big patch," said Fiberlink's chief technology officer,
Barry Porozni.
"We can be very granular about it, saying do not apply a
particular type of patch that may need a reboot if the customer is
not comfortable about managing reboots remotely."
In this situation, even more so than on a local area network, it
is important for a product to be able to roll back a failed patch and
to resume an interrupted one. If a connection fails or a user on the
move has to turn off their PC, an installation should be able to pick
up where it left off. Any worthwhile patching system will offer this,
using state flags saved on the client system to record how far the
patch progressed, so that completed steps are not repeated and a
half-finished one is redone rather than assumed.
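The two mobile-patching mechanisms described above, a selection policy driven by link type and reboot tolerance, and a per-step state flag that lets an interrupted run resume, look like this in an added example. It is not code from the article or from Fiberlink; the patch catalogue, sizes, payloads and the JSON state file layout are constructed, and the "download" and "install" steps only touch a scratch directory.

```python
"""Added example, not code from the article or from Fiberlink. It shows the
two mobile-patching mechanisms described above: a selection policy driven by
link type and reboot tolerance, and a per-step state flag written to disk
after each completed step so that a run cut short by a dropped connection or
a closed laptop lid resumes where it stopped. Patches, sizes and payloads are
constructed; 'download' and 'install' only touch a scratch directory."""
import hashlib
import json
import os
import tempfile


def _digest(data):
    return hashlib.sha256(data).hexdigest()


# Hypothetical catalogue: size drives the slow-link rule, 'reboot' the reboot rule.
CATALOGUE = [
    {"id": "KB-1001", "size_mb": 3,   "reboot": False, "payload": b"patch-1001"},
    {"id": "KB-1002", "size_mb": 120, "reboot": True,  "payload": b"patch-1002"},
    {"id": "KB-3001", "size_mb": 15,  "reboot": True,  "payload": b"patch-3001"},
]
for _p in CATALOGUE:
    _p["sha256"] = _digest(_p["payload"])   # published alongside the patch


def select_patches(patches, link, allow_reboot, big_mb=50):
    """Policy of the kind quoted in the text: skip large patches on a slow
    link, and defer reboot-forcing patches when reboots cannot be managed
    remotely."""
    chosen = []
    for p in patches:
        if link == "slow" and p["size_mb"] > big_mb:
            continue
        if not allow_reboot and p["reboot"]:
            continue
        chosen.append(p)
    return chosen


class PatchJob:
    """Runs download -> verify -> install per patch, checkpointing each step."""
    STEPS = ("download", "verify", "install")

    def __init__(self, workdir):
        self.workdir = workdir
        self.statefile = os.path.join(workdir, "patchstate.json")
        try:
            with open(self.statefile) as f:
                self.state = json.load(f)       # {patch id: [completed steps]}
        except FileNotFoundError:
            self.state = {}

    def _checkpoint(self):
        # Write to a temp file, then rename: a crash mid-write cannot leave
        # a torn state file behind.
        tmp = self.statefile + ".tmp"
        with open(tmp, "w") as f:
            json.dump(self.state, f)
        os.replace(tmp, self.statefile)

    def _do(self, p, step):
        path = os.path.join(self.workdir, p["id"] + ".bin")
        if step == "download":          # stands in for fetching from the server
            with open(path, "wb") as f:
                f.write(p["payload"])
        elif step == "verify":          # never install what has not been checked
            with open(path, "rb") as f:
                if _digest(f.read()) != p["sha256"]:
                    raise ValueError("digest mismatch for " + p["id"])
        elif step == "install":
            os.replace(path, path[:-4] + ".installed")

    def run(self, patches, fail_after=None):
        """Execute outstanding steps. fail_after=N simulates the link dropping
        after N steps. The flag for a step is only written once the step has
        finished, so a step cut off half-way is redone on the next attempt.
        Returns the (patch, step) pairs this attempt executed."""
        done = []
        for p in patches:
            for step in self.STEPS:
                if step in self.state.get(p["id"], []):
                    continue            # checkpointed by an earlier attempt
                if fail_after is not None and len(done) >= fail_after:
                    raise ConnectionError("link dropped during %s of %s" % (step, p["id"]))
                self._do(p, step)
                self.state.setdefault(p["id"], []).append(step)
                self._checkpoint()
                done.append((p["id"], step))
        return done


def scenario():
    """Slow link, reboots allowed: the 120 MB patch is skipped. The first
    attempt dies after two steps; a second PatchJob (a new process) resumes
    from the flags on disk."""
    with tempfile.TemporaryDirectory() as d:
        patches = select_patches(CATALOGUE, link="slow", allow_reboot=True)
        try:
            PatchJob(d).run(patches, fail_after=2)
        except ConnectionError:
            pass
        resumed = PatchJob(d).run(patches)
        installed = sorted(f for f in os.listdir(d) if f.endswith(".installed"))
        return [p["id"] for p in patches], resumed, installed


if __name__ == "__main__":
    print(scenario())
```

Rollback is not shown; in this layout it would amount to reversing the install step for a patch and removing its entry from the state file, so the next run treats it as never applied.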
Tracking the state of each patch in this way is a vital part of any
patch management system, and the software should also keep checking
that patches already applied remain in place. It is easy for a later
software installation to overwrite files a patch updated and quietly
reopen the hole, so a good tool re-audits the machine and reapplies
what has been undone.
Patches can also break each other in certain combinations, even when
they come from a single supplier, and more so when patches from several
suppliers are applied together.
This is why the ability to schedule patches is important,
because an IT department will want to test combinations of patches
to ensure they do not break the system. Some patching software
suppliers will do this to a certain extent as part of their
service.
"We test our patches for operating systems and applications on
something like 250 different configurations," said Alan Bentley,
EMEA managing director of Patchlink.
He said IT departments should still carry out their own quality
assurance testing as a matter of course. "The way that we group and
the way we use that grouping makes it easier for customers to have
test groups and then roll those out across larger parts of the
network," he said.
Altiris (which has bought installation software firm Wise) has
introduced patch testing features in Wise Package Studio 6.0. The
product can assess patch dependencies and help to identify
conflicts where one patch overwrites resources installed by
another.
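The two checks just described, ordering a roll-out so that prerequisites install first and spotting patches that overwrite each other's resources, can be shown with an added example. It is not code from the article, Altiris or Wise; the patch records, file paths and version strings are constructed, and the analyser is deliberately general: it also reports the case a tester most wants flagged, a later patch putting back an older version of a file an earlier patch had fixed.

```python
"""Added example, not code from the article, Altiris or Wise. It performs
the two checks the text attributes to patch-testing tools: ordering a
roll-out so prerequisites install first (refusing cycles and unmet
prerequisites) and flagging resources that more than one patch in the set
writes, including the dangerous case where a later patch puts back an older
version of a file an earlier patch had updated. Patch data is constructed."""


def _v(version):
    """'2.0.5' -> (2, 0, 5) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in version.split("."))


def order_patches(patches):
    """Depth-first topological sort on 'requires'. Raises ValueError on a
    cycle or on a prerequisite that is not in the set being rolled out."""
    by_id = {p["id"]: p for p in patches}
    order, state = [], {}            # state: 1 = on the current path, 2 = placed

    def visit(pid, chain):
        if state.get(pid) == 2:
            return
        if state.get(pid) == 1:
            raise ValueError("dependency cycle: " + " -> ".join(chain + [pid]))
        if pid not in by_id:
            raise ValueError("%s requires %s, which is not in the roll-out"
                             % (chain[-1], pid))
        state[pid] = 1
        for dep in sorted(by_id[pid]["requires"]):
            visit(dep, chain + [pid])
        state[pid] = 2
        order.append(pid)

    for pid in sorted(by_id):
        visit(pid, [])
    return order


def find_conflicts(patches):
    """Resources that two or more patches write with different versions:
    whichever installs last silently overwrites the other's file."""
    writers = {}
    for p in patches:
        for path, ver in p["writes"].items():
            writers.setdefault(path, []).append((p["id"], ver))
    return [(path, sorted(w)) for path, w in sorted(writers.items())
            if len({ver for _, ver in w}) > 1]


def find_regressions(patches, order):
    """Walk the install order and report any write that lowers a resource's
    version: the later patch would undo the earlier fix."""
    by_id = {p["id"]: p for p in patches}
    current, found = {}, []
    for pid in order:
        for path, ver in by_id[pid]["writes"].items():
            if path in current and _v(ver) < _v(current[path][1]):
                found.append((path, current[path][0], current[path][1], pid, ver))
            current[path] = (pid, ver)
    return found


def analyse(patches):
    """Full report, or {'error': message} when the set cannot be ordered."""
    try:
        order = order_patches(patches)
    except ValueError as e:
        return {"error": str(e)}
    return {"order": order,
            "conflicts": find_conflicts(patches),
            "regressions": find_regressions(patches, order)}


# Constructed roll-out: two platform patches plus a third-party application
# patch that depends on them but bundles an older copy of a shared library.
ROLLOUT = [
    {"id": "KB-1001", "requires": [], "writes": {"bin/crypto.dll": "1.0.100"}},
    {"id": "KB-1002", "requires": ["KB-1001"],
     "writes": {"bin/crypto.dll": "1.0.120", "bin/netlib.dll": "2.0.5"}},
    {"id": "APP-7", "requires": ["KB-1002"], "writes": {"bin/netlib.dll": "2.0.3"}},
]

# Constructed set with a cycle, to show the ordering check refusing it.
CYCLIC = [
    {"id": "X-1", "requires": ["X-2"], "writes": {}},
    {"id": "X-2", "requires": ["X-1"], "writes": {}},
]

if __name__ == "__main__":
    print(analyse(ROLLOUT))
    print(analyse(CYCLIC))
```

The version comparison is deliberately numeric: comparing "1.0.100" and "1.0.20" as strings would call the older one newer and hide exactly the regression the check exists to catch.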
But of course application and operating system software are not
the only things that need patching. What about less frequently
upgraded components such as routers? Cisco addresses this with
Software Image Manager in CiscoWorks Resource Manager Essentials
4.0.
At the end of August, Cisco also launched an enhanced version
of its IOS router software for use with its Catalyst 6500 switch,
which makes it easier to patch elements of the system without
disrupting the forwarding of packets.
With so many different options to consider, deciding on a patch
management product can seem daunting. The first step on your
journey is to consider patch management as part of a wider security
strategy and evaluate the systems you already have in place to
manage things like software distribution, asset inventory and
mobile user management.
Once you understand the elements of this wider system, you can
begin inching your way towards a shortlist.