In a perfect world, vendors would release only secure software and patching would be just a bad memory. Of course, that's about as likely as a cure for the common cold in our lifetimes. In 2006, the CERT Program at Carnegie Mellon's Software Engineering Institute reported upward of 8,000 application vulnerabilities that required software patches—that's 30% more than in 2005. Sure, not all vulnerabilities will be stopped by patching. We're seeing more zero-day attacks than ever, and for too many IT shops, patching still causes a great deal of angst because they lack the tools, processes and resources to implement effectively.
But that doesn't mean you're excused. No fewer than 14 patch management vendors are making waves and gaining followings. Each product has its strengths and weaknesses, and we're hoping to get most of them into our lab in the near future. We'll also highlight resources, like the PatchManagement.org listserv, dedicated to discussing security patch management topics across a broad range of operating systems, applications and network devices.
| ROLLING REVIEW DETAILS: |
|
THE INVITATION: For this Rolling Review, we're allowing both desktop and server patch management products and will test each in the appropriate environment, on as many OSes as are supported. We will note when products do not provide wide OS coverage.
THE TEST BED: We'll evaluate patch management products in our Windward Consulting Group Real-World Labs, judging each on breadth of platforms supported, how well it uses subscription services to discover patches, how thoroughly it discovers our environment, what rollback capabilities are available, testing and staging capabilities prior to production, reporting, and network bandwidth control. Our test environment will contain a mix of Windows XP desktops, Windows 2003 servers, Linux Red Hat servers and Solaris 10 servers. We will patch antivirus software, operating systems and/or Microsoft Exchange on the server. Our pricing scenario includes 500 Windows desktops, 50 Windows servers, 50 Linux servers, 150 Sun Solaris servers and 25 VMware ESX virtual servers.
THE VENDORS: |
Ideally, in larger shops patch management will be just one element of a comprehensive configuration management or software distribution system. Smaller companies can get by with standalone tools but many need several different point products for different types of apps and devices. But however you manage it, automation is critical, as are documenting changes, testing to ensure that patches won't break other apps, and deployment policies to avoid bogging down networks.
What Happens in Redmond...
While the need to patch applications is as old as computing, the volume of Windows updates coupled with Microsoft's market dominance have focused attention on the issue. Since the introduction of Windows 98, Microsoft has looked to automate patching of Windows servers and desktops. Its current incarnation, the Windows Server Update Services, or WSUS, provides a locally managed software update service alternative to the local Microsoft Update system. Using WSUS, IT can automatically distribute patches and updates to clients from a central server.
What skills do network managers really need to properly secure industrial networks? What new protocols, frameworks, and regulations are important? And what conferences and certifications can help? Here are five tips to get started.
A full-stack approach to retail edge offers retailers a way to optimize operations and adapt to changes in a post-pandemic world.
Network management tool sprawl is getting in the way of network management. It’s time for IT to do something about it.
