Strategies for automatic patch management
If the onslaught of Trojan horses, worms and viruses has taught us anything, it's that software patches are as vital to network security as virus updates.
By Eric Voskuil, Computerworld | Computerworld UK | Published: 01:00, 20 August 2004
The infamous Blaster worm and the more recent Scob Trojan are just two examples of attacks that exploited vulnerabilities for which Microsoft had already shipped patches; timely and accurate application of those updates would have blocked them.
Patch management is one of many critical IT management tasks, which is why busy IT departments look to automation for relief. But what's the best approach to automated patch management? The answer depends on your network's infrastructure and design, both current and future.
The many third-party solutions available today generally break down into two major categories: stand-alone patch management utilities and patch management capabilities integrated into larger enterprise management systems. Each has its advantages and disadvantages. By understanding the pluses and minuses of each class of solution, IT administrators can choose the patch management alternative that fits their environment, their budget and their overall administrative approach.
Patch management utilities
Patch management utilities are available from a number of independent software vendors, including BigFix, Shavlik Technologies, PatchLink and Microsoft. Most have incorporated a wealth of functionality as the market for patch management solutions has grown. However, because utility products evolve outside of a more comprehensive management framework, they remain point solutions, lacking true integration with a comprehensive management system.
An example of this type of solution is Microsoft's Software Update Services (SUS), which leverages the Automatic Updates client built into Windows 2000 Service Pack 2 and later. SUS is a free download that runs on top of Internet Information Services (IIS), but it doesn't provide integration with other management technologies.
The monolithic architecture of SUS is largely an artefact of its origins as a Microsoft Web service packaged for enterprise use. SUS is getting some much-needed improvements in the next major upgrade, called Windows Update Services; however, the bulk of these improvements are in the area of broader patch coverage and improved patches, not in the fundamental architecture.
Utilities, especially when multiple point solutions are implemented for various management tasks, have the drawback of causing redundant management activity. For example, point solutions implement unique management consoles and reporting systems, many distribute services to workstations, and each has its own requirements for network communication. Point solutions can offer the benefits of a quicker implementation than full-blown enterprise management systems, at a reduced purchase price. However, this short-term gain may result in unforeseen longer-term costs.
Enterprise management systems
Patch management is now recognised as a persistent issue that can no longer be ignored by systems management vendors. While few, if any, enterprise management products initially included patch management features, most do now. The addition of patch management would seem to be a natural extension, since enterprise management products all include software deployment and reporting capabilities. Yet these products have been slow to adapt and are still in transition.
Microsoft, for example, recently provided a Systems Management Server (SMS) add-on called the SUS Feature Pack (which, despite the name, is not built on the SUS server product). The SUS Feature Pack integrates the free HFNetChk and Office Update Tool scanning utilities with the SMS reporting and software deployment capabilities. While this hybrid system is certainly not optimal at this point, it does provide an integrated capability for SMS customers.
In another case, Marimba (recently acquired by BMC) has licensed Shavlik's patch metadata (the information about which patches may be required and how to install them) for Windows platforms. This information has been integrated with Marimba's advanced software packaging and deployment capabilities.
Enterprise management systems such as these have the disadvantage of being much larger products that generally require substantial investments in planning, infrastructure and licensing. While patch management has become an important piece of the puzzle, the purchase of a systems-level solution will generally depend upon much broader considerations and will take much more time to implement than a point solution. What's more, these products often require dedicated expertise; this level of expertise is difficult to find and usually expensive.
The greatest advantage of an enterprise management system is integration. If such a system is already in place, using the integrated patch management capability may present an attractive solution to the patch management problem.
Built-in systems, such as Group Policy on Windows 2000 and later platforms, can provide the integration of an enterprise management system without its burdensome overhead. They can also provide robust functionality by heavily leveraging the management capabilities built into these newer operating systems. The drawback is their dependence upon that newer operating system support. However, if you are on fairly recent platforms, or moving there soon, this type of option may be the best of both worlds.
On an Active Directory network (roughly 50% of the market today), there are a number of built-in management technologies tied together by third-party Group Policy plug-ins to provide a powerful and integrated capability at a price comparable to point solutions.
As Group Policy is an essential part of Active Directory management, this type of solution also reduces training costs, eliminates the deployment of proprietary services and leverages a common planning and reporting infrastructure.
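As an added example, not code from the article or from any of the vendors it names, the following script shows the configuration that ties the SUS discussion above to the Group Policy approach: the built-in Automatic Updates client is pointed at an intranet update server through the same registry values that the Windows Update administrative template writes when the "Specify intranet Microsoft update service location" policy is applied by a GPO. The server name sus01.corp.example and the install schedule are assumptions for illustration; the script writes the values locally (equivalent to local policy), reads them back to verify, and then triggers a detection cycle.

```powershell
# Added example (not from the original article). Points the Automatic Updates
# client at an intranet SUS/WSUS server by policy and verifies the result.
# Assumed values: the server URL and the install schedule below.

$serverUrl = 'http://sus01.corp.example'   # assumed intranet update server
$policy    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy  = "$policy\AU"

# Create the policy keys if they do not exist yet.
foreach ($key in @($policy, $auPolicy)) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Where the client downloads updates and where it reports status.
Set-ItemProperty -Path $policy -Name 'WUServer'       -Value $serverUrl -Type String
Set-ItemProperty -Path $policy -Name 'WUStatusServer' -Value $serverUrl -Type String

# Use the intranet server instead of the public Windows Update site and
# schedule unattended installs. AUOptions: 2 = notify before download,
# 3 = auto download and notify before install, 4 = auto download and
# install on the schedule below.
Set-ItemProperty -Path $auPolicy -Name 'UseWUServer'          -Value 1 -Type DWord
Set-ItemProperty -Path $auPolicy -Name 'NoAutoUpdate'         -Value 0 -Type DWord
Set-ItemProperty -Path $auPolicy -Name 'AUOptions'            -Value 4 -Type DWord
Set-ItemProperty -Path $auPolicy -Name 'ScheduledInstallDay'  -Value 0 -Type DWord   # 0 = every day
Set-ItemProperty -Path $auPolicy -Name 'ScheduledInstallTime' -Value 3 -Type DWord   # 03:00 local time

# Verify: the client must be pointed at the intended server and told to use it.
# A different WUServer value here means the client would take updates from
# somewhere else, which is exactly what a policy change by an attacker looks like.
$cfg = Get-ItemProperty -Path $policy
$au  = Get-ItemProperty -Path $auPolicy
if ($au.UseWUServer -ne 1 -or $cfg.WUServer -ne $serverUrl) {
    throw "Automatic Updates is not using $serverUrl (WUServer='$($cfg.WUServer)', UseWUServer=$($au.UseWUServer))"
}
Write-Output "Automatic Updates will use $serverUrl, AUOptions=$($au.AUOptions), installing daily at $($au.ScheduledInstallTime):00"

# Re-read policy and start a detection cycle now rather than waiting for the
# client's next scheduled check.
gpupdate /target:computer /force | Out-Null
wuauclt /detectnow
```

In production these values should come from a domain GPO rather than a local script, so that the verification step above doubles as a check that the policy actually reached the machine. Two caveats a practitioner will want to keep in mind: the WUServer value decides where every client in the OU fetches its updates from, so whoever can edit that GPO (or write to the HKLM\SOFTWARE\Policies key) controls the update source for the fleet, and the Automatic Updates client only downloads from that server over the plain HTTP URL given here, relying on the Authenticode signature on each package rather than on the transport for integrity.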
Another essential consideration is support for the operating systems, patches and patch languages in your environment. While some patch systems support multiple platforms, such as Linux, HP-UX, AIX, Solaris and Windows, others may support only a subset of these platforms.
Language support also runs the gamut from single-language systems to all available localised patches. Even Microsoft's support for deployment of its own patches varies from limited to complete depending on the technology.
Finally, some systems don't support deployment of non-Microsoft patches or patches that are not included in the patch management vendor's metadata distribution. At a minimum, ensure that you have a solution that will meet your needs in these areas.
Deciding on the optimal automated patch management solution for your network depends on the number and variety of systems involved, the size and experience of your IT staff and your network management infrastructure. Research into the various options is essential, as is dialogue with others who are responsible for networks similar to yours. In the end, the right automatic patch management technology, properly installed and supported, will help make the days of desk-by-desk software updates a thing of the past, and lead you to a controlled, thorough, dependable and accountable solution.
Eric Voskuil is chief technical officer at AutoProf, a provider of desktop management software.