Our second entry in this Rolling Review, Lumension PatchLink, is ideal for cross-platform shops that don't mind agents

March 12, 2008

Lumension Security's PatchLink Update is an agent-based patch manager that plays well with heterogeneous operating systems. Unlike the first product we reviewed, Shavlik NetChk Protect, which supported only Microsoft environments, PatchLink Update works with Mac OS X, Unix, Linux, Solaris and VMware as well as Windows. In addition, it can patch a number of applications supported on these platforms, including Adobe Flash, antivirus products and alternative Web browsers such as Firefox.


CLAIM: Lumension manages critical security and application patches across most operating systems, all from a single, easy-to-use Web-based console that connects to agents.

CONTEXT: This Rolling Review will rate patch management tools on breadth of platforms supported, testing and staging capabilities, reporting, the ability to roll back and more. Lumension is the first cross-operating-system patch product reviewed. In total, we've invited 15 vendors to participate.

CREDIBILITY: While its overall features and capabilities were not as polished as our first reviewed product, Shavlik, PatchLink's cross-platform support will be a life saver for organizations that are not 100% Windows. Do be prepared for higher ongoing costs, however.

If, like us, you're hesitant about deploying agents, you'll appreciate PatchLink's Agent Management Center, a central interface that helps with agent administration and deployment. PatchLink also integrates with Active Directory for dynamic creation of groups with cascading assignments of baselines, agent policy and user permissions. The product's inventory management feature identifies and reports on software, hardware and services, and its user policy features let some administration be delegated without giving up security. The system's patch repository is updated daily; after patches are tested by Lumension, they're packaged and delivered securely to the application.

Finally, the reporting component offers flexible charts and graphs for analyzing vulnerabilities, deployment status, agents and baseline compliance. Notifications via e-mail are available for just about any type of event.

Let's Get Patching

We were pleasantly surprised to find PatchLink's agents a breeze to install—we simply connected to the update server via a Web browser to get rolling. For Windows agent installs, the Agent Management Center can automate deployment with remote registry and file and print sharing enabled. Command line silent installs speed up deployment on non-Windows systems.

Initial scan results were available almost immediately and showed available patches as "vulnerabilities." Installed agents are grouped by OS, and devices can be assigned to multiple groups. Organizations that need customization will find plenty of options. Aside from the ability to schedule deployments of multiple patches, we could suspend deployment in case of patch failure, easily change the deployment order or options of a particular patch, and customize user notifications or alerts for a required reboot. Each patch can have its own message, options and time limit.

Lumension's patch repository was quick to respond to requests for new package downloads, and communications between the update server and the patch repository are over a secure protocol, with each package verified by the server.

FEATURED PRODUCT: Lumension Security PatchLink Update 6.4

ABOUT THIS ROLLING REVIEW: We're testing patch management products at our Windward IT Solutions Real-World Labs. Assessment areas include breadth of platforms supported, how well a product uses subscription services to discover patches, how thoroughly it discovers our environment, what rollback capabilities are available, testing and staging capabilities prior to production, reporting, and network bandwidth control.

ALREADY TESTED: Shavlik

NEXT UP: BigFix

OTHER VENDORS INVITED: BladeLogic, BMC Software, CA, Configuresoft, Ecora Software Corp., IBM, Kaseya Corp., LANDesk Software, Novell, Opsware, Symantec Corp.

More Control

One aspect we saw with room for improvement is how the application dealt with network bandwidth. PatchLink let us control bandwidth in two ways: as a client-end KB/sec setting and by allowing consecutive or limited concurrent deployments. The option for consecutive or limited concurrent deployments can be specified per deployment, while the client setting affects all deployments until changed. An option for limiting bandwidth use to a percentage of available bandwidth would enable more timely patching and more efficient use of resources while minimizing the performance impact on other services.

In addition, the process to roll back patches was not as clear-cut as we would like. Previous deployments are listed for each device, and to uninstall a patch we needed to open the properties of that patch within the deployment dialog, check the uninstall box, and run the deployment again. This could be cumbersome if many patches must be uninstalled.


While we did not test scalability, the PatchLink architecture should allow large organizations to easily distribute the product. We also discovered that many large enterprise software vendors use Lumension as an OEM for their patching and configuration management systems.

Lumension's policy-based administration scheme will be a good fit for organizations using a best-practice framework for process control and regulatory compliance; PatchLink will allow them to ensure that all systems meet a mandatory baseline policy.

PatchLink does not use a perpetual license model, which we found a little disappointing. The server software is a one-time fee of $1,695, while 300 Windows physical servers cost $19 per node, renewable yearly. For 200 Linux servers you'll pay $40 per node, and 150 Sun Solaris physical servers run $40 per node; both are renewable each year. If you have virtualization enabled, 100 VMware ESX virtual servers running 300 instances of Windows OSes cost $19 per node, again renewable yearly. For our environment, we would spend about $27,000 for the first year, then have $25,000 in recurring costs. We understand the logic around this—Lumension does do an extensive amount of testing on new patches as a service to customers—but it's something to factor into the budget.

