Easy and efficient patching all comes down to having the right management software

If cars were sold in the same way as software, you would have to hook your Mondeo to the internet and download the latest code update before you left the garage.

Managing software patches across an organisation can be one of the biggest headaches for IT departments, but luckily there are products to help.

According to Mark Nicolett, a research director at Gartner, there are three main types of patch management tool.

The first, supplier-specific utilities, manage patches for a single company's product set.

The second, software distribution systems, fold patch management into a wider set of software management functions such as asset management, complete application roll out and configuration, and helpdesk systems.

The third, the point solution, focuses exclusively on the deeper aspects of patch management.

What all these systems generally have in common is the way they manage patches. A central server queries machines on the network (usually through a piece of agent software installed on each client) to build an inventory of the patches currently installed.

The server compares that inventory with the policies the IT administrator has defined for the machine, then transmits and installs the package of patches needed to bring it up to date. Smarter systems integrate with a directory such as Microsoft's Active Directory, so that administrators can apply patch policies to groups of users and machines in the same way they set system access and other permissions, rather than host by host.
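The reconciliation step described above, written out as an added Python example (it is not code from Gartner or from any product named in this article). The machine names, group memberships, policy tables and patch identifiers are constructed for illustration, and the `supersedes` field is an assumption about how a catalogue would record that a newer patch replaces an older one. The same comparison is what a network access control baseline check consumes: a machine with nothing left to push is compliant.

```python
"""Added example: server-side patch reconciliation against group policy.
Catalogue, directory and policy data are constructed, not from any real product."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Patch:
    id: str
    product: str
    supersedes: frozenset = frozenset()   # assumed field: older patch ids this one replaces


# Constructed catalogue of patches the central server knows about.
CATALOGUE = {
    "KB1001": Patch("KB1001", "os"),
    "KB1002": Patch("KB1002", "os", frozenset({"KB1001"})),
    "KB2001": Patch("KB2001", "office"),
    "KB3001": Patch("KB3001", "db-client"),
}

# Constructed directory: machine -> groups, broadest first, most specific last,
# mirroring policy applied to directory groups rather than to individual hosts.
GROUPS = {
    "ws-042": ["all-machines", "finance-desktops"],
    "srv-07": ["all-machines", "db-servers"],
}

# Policy per group. A more specific group may add approvals or exclude a patch
# that a broader group approved (here: the database supplier has not certified KB1002).
POLICY = {
    "all-machines":     {"approve": {"KB1001", "KB1002"}, "exclude": set()},
    "finance-desktops": {"approve": {"KB2001"},           "exclude": set()},
    "db-servers":       {"approve": {"KB3001"},           "exclude": {"KB1002"}},
}


def effective_policy(machine):
    """Fold the group policies, broadest to most specific, into one approved set."""
    approved = set()
    for group in GROUPS[machine]:
        approved |= POLICY[group]["approve"]
        approved -= POLICY[group]["exclude"]
    return approved


def drop_superseded(patch_ids):
    """Never push a patch that another approved patch already replaces."""
    superseded = set()
    for pid in patch_ids:
        superseded |= CATALOGUE[pid].supersedes
    return {pid for pid in patch_ids if pid not in superseded}


def reconcile(machine, installed):
    """Compare the agent's inventory with the effective policy.

    Returns the package the server should push and a compliance verdict.
    An installed successor counts as satisfying the patch it supersedes;
    inventory entries unknown to the catalogue are ignored rather than fatal."""
    required = drop_superseded(effective_policy(machine))
    satisfied = set(installed)
    for pid in installed:
        if pid in CATALOGUE:
            satisfied |= CATALOGUE[pid].supersedes
    missing = sorted(required - satisfied)
    return {"machine": machine, "push": missing, "compliant": not missing}


if __name__ == "__main__":
    print(reconcile("ws-042", ["KB1001"]))                  # push KB1002 (replaces KB1001) and KB2001
    print(reconcile("srv-07", ["KB1001", "KB3001"]))        # compliant: KB1002 is excluded for db-servers
```

The exclusion step matters in practice: a blanket approval at the top of the hierarchy must be overridable for a group whose application supplier has not yet certified a patch, otherwise the policy either stalls for everyone or breaks the servers that cannot take it.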

Most business-class suppliers will have some sort of patch management system specific to their products. For example, Oracle feeds all its patches through Oracle Enterprise Manager, a central administrative tool that includes an enterprise management agent sitting on each machine running Oracle software.

The agents tell the monitoring application what patches exist on a given machine, said Duncan Harris, senior director for security assurance at Oracle. Enterprise Manager then downloads and applies the relevant patches from Oracle's website.

Microsoft offers a mix of products. Consumers and very small businesses can use the Windows Update service, recently revamped to support all of Microsoft's products. Client PCs connect to it directly across the internet using a downloadable ActiveX component.

Larger businesses can use Windows Server Update Services (WSUS), a free download for Windows 2000 with Service Pack 4 or Windows Server 2003. The WSUS server downloads patches from Microsoft's update service, and client PCs running the Automatic Updates agent poll the internal WSUS server for the updates approved for them. WSUS, therefore, relies on the clients to take the initiative.

Microsoft's heavier-duty Systems Management Server pushes patches and software updates out to desktop clients. Unlike WSUS, it also lets administrators distribute updates from other suppliers rather than restricting them to Microsoft's own products.

All of these offerings are separate from the Microsoft Developer Network (MSDN), which provides software on optical media through the mail or as downloads from its website. Rather than individual updates, MSDN ships pre-patched products, usually with service packs rolled in.

Users are starting to see an overlap between the different types of patch management tools. For example, Red Hat operates the Red Hat Network, a patch management and software update service for its enterprise Linux operating system, which is made available along with the software on a subscription basis.

Using the Red Hat Satellite server, which takes data from the Red Hat Network and manages software updates locally in the enterprise, it is possible to distribute preconfigured system images based on profiles defined for different users or groups of machines, said product marketing manager Scott Gilbertson.

Just as some supplier-specific patching utilities offer software distribution features, so the gap between software distribution suites and specialised patch management suites has narrowed as software distribution suppliers have started to flesh out their patch management modules.

Traditionally, according to Nicolett, the difference between the two was that software distribution systems would offer little or no patch management functions. Users would have to look to a point solution for features such as the automated analysis of currently installed patches, the collection and automation of packages, and automatic distribution and installation.

These days, a larger proportion of software distribution systems offer the same thing. Nevertheless, said Nicolett, "To this day, while some of the software distribution suppliers provide [patch management] capability on paper, it is functionally inferior to what is provided by the best patch management point solutions."

Look for differences in usability, and the speed of reporting and deployment, he said. "It is a classic trade-off. Go with a point solution engineered to do one thing very well, or leverage something broader, which means you have to compromise in terms of function."

Point solutions and software distribution systems with patch management modules will support either a single platform and operating system or, more usefully, multiple platforms and applications. Because they are designed to be the single point of collection for patches in the enterprise, many suppliers gather patches from the suppliers they support and package them for their customers. Which suppliers are covered is an important point to take up with any potential supplier, as some, such as Enteo, focus only on the Microsoft operating system.

When suppliers provide such services, users should check their pricing mechanisms. Some, like Altiris, provide the service as part of a standard maintenance package, which amounts to about 15% of the cost of a new licence per year.

What other functions should users look for? The ability to schedule patch distribution is crucial, as is configuring the way in which systems reboot following the application of a patch.

"Our reboot schedule is independent of the download and install schedule, so the customer can decide what their maintenance window is for individual boxes," said Jim Baker, product manager at Altiris. This means a system can sit in a transitional state, with the patch installed but the reboot still pending, so that the disruption to applications is confined to the maintenance window.

For many organisations, the ability to patch applications not supported by default in the patch management system is paramount. Companies that have developed bespoke software for their staff, for example, would need the facility to support that in a patch management product.

Altiris' answer is to roll out a whole program update as part of its software distribution function. The company is one of a growing number of suppliers positioning a patch management module as part of a wider security system.

Terms such as "vulnerability management" and "security lifecycle management" are bandied about in sales meetings these days. To this end, some patch management suppliers, such as Patchlink, are beginning to work with Cisco on its network access control (NAC) mechanism, which quarantines computers that do not meet a certain baseline for operating system patches and anti-virus signatures.

Patching products compatible with NAC will check the patch status of any machine connecting to the network and inform Cisco's access control system software of its status, enabling it to be measured against a baseline of necessary security patches. If the machine fails, the patching software can take over, updating the machine before the Cisco software allows the user full access to the network.

Network access control matters most for mobile users who connect to the network only occasionally, and they present a whole new set of patching problems.

For companies that have large numbers of users on the road, some of whom may not connect for weeks or even months, keeping systems up to date becomes a huge headache. Some patching systems may wait for the user to reconnect, while others, such as Fiberlink's Endpoint Vulnerability Management, provide the option to update mobile computers on the move.

"We can control the patch process by saying if this is a slow type of connection then do not download any patches, or do not download a big patch," said Fiberlink's chief technology officer, Barry Porozni.

"We can be very granular about it, saying do not apply a particular type of patch that may need a reboot if the customer is not comfortable about managing reboots remotely."

In this situation, even more so than on a local area network, a product needs two capabilities: rolling back a patch that fails partway through, and resuming one that was interrupted. If a connection drops or a user on the move has to switch off their PC, the installation should pick up where it left off. Any worthwhile patching system will offer this, using state flags saved on the client to record how far the patch has progressed.

Tracking the state of a patch in this way is a vital part of any patch management system, which should also monitor and maintain the health of the patches already on a machine. It is easy for a later software installation to overwrite files that a patch replaced, silently undoing the fix.

Similarly, patches can break each other in certain combinations, even when they come from a single supplier, and more so when patches from several suppliers are mixed.
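The client-side journal the passage above describes, combined with the decoupled reboot schedule quoted earlier from Altiris, as an added Python example. It is not code from Altiris, Fiberlink or any other product named here; the journal file name, the one-file-per-step layout and the two demo scenarios are constructed for illustration. Each step is flagged in the journal only after it has really completed, the journal is written atomically so an interruption mid-write cannot corrupt it, a failure rolls completed steps back in reverse order, and a successful install leaves the machine in a "pending-reboot" state until the maintenance window.

```python
"""Added example: resumable, rollback-capable patch install with deferred reboot.
Not code from any product in the article; file layout and scenarios are constructed."""
import json
import os
import shutil
import tempfile

JOURNAL = "patch-journal.json"   # state flags saved on the client
BACKUP = ".patch-backup"         # pre-patch copies used for rollback


def load_journal(root):
    path = os.path.join(root, JOURNAL)
    if os.path.exists(path):
        with open(path) as f:
            return json.load(f)
    return {"done": [], "status": "in-progress"}


def save_journal(root, state):
    # Write to a temp file and rename: a power loss mid-write cannot leave a
    # half-written journal that would make the next resume misjudge progress.
    path = os.path.join(root, JOURNAL)
    with open(path + ".tmp", "w") as f:
        json.dump(state, f)
    os.replace(path + ".tmp", path)


def rollback(root, state):
    """Undo completed steps in reverse order: restore the backup, or remove a new file."""
    for name in reversed(state["done"]):
        target = os.path.join(root, name)
        backup = os.path.join(root, BACKUP, name)
        if os.path.exists(backup):
            os.replace(backup, target)
        else:
            os.remove(target)
    state.update(done=[], status="rolled-back")
    save_journal(root, state)


def apply_patch(root, files, interrupt_after=None, fail_on=None):
    """Install `files` (name -> new content) under `root`, one journaled step per file.

    interrupt_after=N simulates the user powering off after N newly completed steps;
    fail_on=name simulates an OSError while installing that file. Returns the status."""
    state = load_journal(root)
    if state["status"] in ("pending-reboot", "installed"):
        return state["status"]            # already installed; only the reboot is outstanding
    os.makedirs(os.path.join(root, BACKUP), exist_ok=True)
    completed = 0
    try:
        for name, content in files.items():
            if name in state["done"]:
                continue                  # resume: this step finished in an earlier run
            if completed == interrupt_after:
                return state["status"]    # still "in-progress"; journal records how far we got
            if name == fail_on:
                raise OSError(f"simulated failure installing {name}")
            target = os.path.join(root, name)
            if os.path.exists(target):
                shutil.copy2(target, os.path.join(root, BACKUP, name))
            with open(target, "w") as f:
                f.write(content)
            state["done"].append(name)
            save_journal(root, state)     # flag the step only after it is really done
            completed += 1
    except OSError:
        rollback(root, state)
        return state["status"]
    state["status"] = "pending-reboot"    # transitional: installed, reboot deferred
    save_journal(root, state)
    return state["status"]


def complete_reboot(root):
    """Run in the maintenance window; moves the machine out of the transitional state."""
    state = load_journal(root)
    if state["status"] == "pending-reboot":
        state["status"] = "installed"
        save_journal(root, state)
    return state["status"]


def demo():
    """Two constructed scenarios; returns the observations worth checking."""
    patch = {"app.dll": "v2", "app.cfg": "v2-cfg"}
    r1 = tempfile.mkdtemp()                       # scenario 1: interrupted, resumed, rebooted
    with open(os.path.join(r1, "app.dll"), "w") as f:
        f.write("v1")
    first = apply_patch(r1, patch, interrupt_after=1)
    second = apply_patch(r1, patch)
    with open(os.path.join(r1, "app.cfg")) as f:
        cfg = f.read()
    rebooted = complete_reboot(r1)
    r2 = tempfile.mkdtemp()                       # scenario 2: second step fails, first rolls back
    with open(os.path.join(r2, "app.dll"), "w") as f:
        f.write("v1")
    failed = apply_patch(r2, patch, fail_on="app.cfg")
    with open(os.path.join(r2, "app.dll")) as f:
        restored = f.read()
    return {"first": first, "second": second, "cfg": cfg, "rebooted": rebooted,
            "failed": failed, "restored": restored,
            "cfg_left": os.path.exists(os.path.join(r2, "app.cfg"))}


if __name__ == "__main__":
    print(demo())
```

The ordering inside the loop is the point: the backup is taken before the file is written, and the journal flag is written only after the file is, so whichever instant the laptop is switched off, the next run either repeats a step that never completed or skips one that did, and never half-applies a step twice.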

This is why the ability to schedule patches is important, because an IT department will want to test combinations of patches to ensure they do not break the system. Some patching software suppliers will do this to a certain extent as part of their service.

"We test our patches for operating systems and applications on something like 250 different configurations," said Alan Bentley, EMEA managing director of Patchlink.

He said IT departments should still carry out their own quality assurance testing as a matter of course. "The way that we group and the way we use that grouping makes it easier for customers to have test groups and then roll those out across larger parts of the network," he said.

Altiris (which has bought installation software firm Wise) has introduced patch testing features in Wise Package Studio 6.0. The product can assess patch dependencies and help to identify conflicts where one patch overwrites resources, such as shared files, installed by another.
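The dependency and conflict analysis the passage above attributes to Wise Package Studio, and the earlier point that a later installation can silently overwrite what a patch fixed, as an added Python example. It is not Altiris or Wise code, and the manifest format (a patch's required predecessors plus the versioned files it installs) is an assumption; the three manifests are constructed, with the third standing in for a package from another supplier. The example orders patches by their dependencies and then walks them in that order, reporting any patch that would overwrite a file with an older version than one already laid down.

```python
"""Added example: dependency ordering and file-overwrite conflict detection across
patch manifests. Manifest format and data are assumed/constructed, not from any product."""
from collections import defaultdict

# Constructed manifests: patch id -> required patches and the files it installs,
# each with a (major, minor) version. P3 stands in for another supplier's package.
MANIFESTS = {
    "P1": {"requires": [],     "files": {"bin/net.dll": (1, 2), "bin/core.dll": (3, 0)}},
    "P2": {"requires": ["P1"], "files": {"bin/net.dll": (1, 3)}},
    "P3": {"requires": [],     "files": {"bin/core.dll": (2, 9)}},
}


def missing_dependencies(manifests):
    """Patches that require something not in the set being evaluated."""
    missing = set()
    for pid, m in manifests.items():
        for req in m["requires"]:
            if req not in manifests:
                missing.add((pid, req))
    return sorted(missing)


def install_order(manifests):
    """Topological order honouring 'requires' (Kahn's algorithm, ties broken by id).

    Raises ValueError on an unresolved dependency or a dependency cycle."""
    missing = missing_dependencies(manifests)
    if missing:
        raise ValueError(f"unresolved dependencies: {missing}")
    indegree = {pid: len(m["requires"]) for pid, m in manifests.items()}
    dependents = defaultdict(list)
    for pid, m in manifests.items():
        for req in m["requires"]:
            dependents[req].append(pid)
    ready = sorted(pid for pid, d in indegree.items() if d == 0)
    order = []
    while ready:
        pid = ready.pop(0)
        order.append(pid)
        for dep in dependents[pid]:
            indegree[dep] -= 1
            if indegree[dep] == 0:
                ready.append(dep)
                ready.sort()
    if len(order) != len(manifests):
        raise ValueError("dependency cycle among patches")
    return order


def find_conflicts(manifests, order):
    """Walk patches in install order tracking the winning version of each file.

    Returns (patch, path, earlier_patch) for every case where applying `patch`
    would downgrade a file that `earlier_patch` already installed at a newer version."""
    owner = {}
    conflicts = []
    for pid in order:
        for path, version in manifests[pid]["files"].items():
            if path in owner and version < owner[path][1]:
                conflicts.append((pid, path, owner[path][0]))
                continue                  # the downgrade must not become the new owner
            owner[path] = (pid, version)
    return conflicts


if __name__ == "__main__":
    order = install_order(MANIFESTS)
    print(order)                          # ['P1', 'P2', 'P3']
    print(find_conflicts(MANIFESTS, order))   # P3 would downgrade bin/core.dll below P1's copy
```

The same walk catches the case from a few paragraphs back where a full application install, rather than a patch, regresses a patched file: treat the installer's file list as one more manifest and it shows up as the downgrading party.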

But of course application and operating system software are not the only things that need patching. What about less frequently upgraded components such as routers? Cisco handles this with the Software Image Manager in CiscoWorks Resource Manager Essentials 4.0.

At the end of August, Cisco also launched an enhanced version of its IOS router software for use with its Catalyst 6500 switch, which makes it easier to patch elements of the system without disrupting the forwarding of packets.

With so many different options to consider, deciding on a patch management product can seem daunting. The first step on your journey is to consider patch management as part of a wider security strategy and evaluate the systems you already have in place to manage things like software distribution, asset inventory and mobile user management.

Once you understand the elements of this wider system, you can begin inching your way towards a shortlist.
