PatchLink offers solid flaw management

Category: Vulnerability scanning
Product: PatchLink Update 6.3
Vendor: PatchLink
Price: $1,495 per update server, plus annual subscription fee starting at $18 per client

Keeping systems patched can be a nightmare for enterprises. Mid- and large-sized enterprises will find this automated patching tool from PatchLink an excellent, cost-effective solution.

Configuration/Management: B
PatchLink's wizard-based process walks you through installation, including MSDE if it (or SQL Server) isn't already present. PatchLink Update provides a Web-based manual installation process for one-off installs. It's also possible to automate installation by using a script or Group Policy Object with the standalone installer. Agents can be automatically deployed through the console using Active Directory/LDAP lookup or IP/DNS scanning.

One major shortcoming is weak integration with AD. Although you can deploy the agent through AD, it's not possible to manage devices through Active Directory organizational units (OUs) or import OU membership information into PatchLink's group-based management structure.

Policy control: B+
PatchLink Update grants administrators a great deal of policy control, including the ability to schedule scans and deployments. PatchLink will enforce minimum baselines automatically according to standards you create for admin-defined or platform-based groups of devices. When a patch becomes available, you may create a rollout schedule based on your specific needs.

As noted above, tighter AD integration would allow enterprises to leverage the time they've already invested in creating an OU structure to apply policies to different parts of the organization.

We were impressed with PatchLink's ability to create custom patch packages and deploy them to the enterprise or specific groups on a scheduled basis. These packages can also be used to change configuration settings, install software and run automated scripts.

We also like the flexibility to grant end users varying degrees of control over the PatchLink agent. For example, administrators may choose to allow users to delay patch deployments and system reboots.

Effectiveness: A-
PatchLink Update is a robust and flexible automated patch tool that will go a long way toward taking some of the pain out of Patch Tuesday.

The Windows-centric product provides a baseline level of support for other OSes, including Mac OS X and several Unix/Linux variants. It also supports many Windows applications, but only a handful of Mac apps and none for *nix.

Determining which systems are unpatched and verifying successful deployments are major pain points for enterprises. PatchLink uses digital signatures for each patch and scans the host system to determine patch level. If the initial patch fails, it attempts to redeploy it up to three times.

Reporting: B
PatchLink has a wide range of reports on the status of agents, enterprise-wide package compliance, patch deployment status for systems/groups and the current mandatory baseline.

Customization and filtering are limited. For example, you can filter your report based on devices or device groups, but not on complex criteria such as creating a report listing devices missing patches for a certain period of time.

Verdict
PatchLink Update 6.3 is a solid solution to the enterprise patch management problem and demonstrates its true power in a Windows environment.

Testing methodology
PatchLink Update was tested in a Windows Server 2003 and Windows XP environment within VMware Workstation. We ran the PatchLink Web server on IIS 6.0.

This product review originally appeared in the January 2007 edition of Information Security magazine.