Rolling Review: LANDesk Patch Manager

LANDesk software's Patch Manager is offered on its own and as a component of LANDesk's Security Suite or Management Suite; we tested only Patch Manager. Like the other three tools we've covered thus far in this Rolling Review, LANDesk Patch Manager uses proprietary agents installed on target devices. In testing, Patch Manager provided thorough vulnerability discovery and remediation, as well as a robust array of tools to customize those tasks. LANDesk permits management of end devices via existing directory structures, like Active Directory, or through groups created in the application. DIG DEEPER THE FIRST STEP Patching systems is vital to protecting your business, but there's a lot more to do. Download our InformationWeek Report on data loss prevention Download this InformationWeek Report >> See all our Reports << Patch Manager's repository of patches can be customized, and the system supports a number of operating systems, including Mac OS X, Red Hat and SUSE Linux, Solaris, and Windows, as well as most common applications, from Apple's iTunes to Sun's JRE, plus popular antivirus systems, including those from McAfee, Sophos, and Symantec. At setup we simply selected the applications we wanted to scan and downloaded appropriate patches. Scans can be enabled with an "autofix" functionality--unique among products we've reviewed so far--that will automatically deploy patches when Patch Manager finds a vulnerability. This may seem like an attractive capability, but it's important to thoroughly test patches before pushing them out to production, so proceed with caution. Instead, we'd recommend the notification option, in which Patch Manager alerts IT by e-mail or pager when a vulnerability of a specified severity is discovered.

LANDesk also supports a policy-based implementation, where you can define the types of patches you want to install and when. While distributing packages, we could use features like targeted multicast, which minimizes bandwidth consumed, or peer download, which capitalizes on local bandwidth by sharing packages already downloaded by one agent on a given subnet. Pretty cool.

Moreover, these features enable pre-staging of patches, allowing for even more flexibility than the usual scheduling options we've seen. LANDesk also impressed us with Patch Manager's inventory scan. In our environment, it provided a surprisingly thorough physical inventory of servers.

Rolling Reviews resent a comprehensive look at a hot technology category, beginning with market analysis and wrapping up with a synopsis of our findings. See our kickoff and other reviews in this patch management series at
networkcomputing.com/rollingreviews/patch

¿SE HABLA ESPAÑOL?

We were pleased that LANDesk enabled us to specify language-specific patches, a handy capability for global enterprises that want to standardize on a patch package. The patch repository is updated daily by LANDesk, and the frequency with which the management station checks for updates is configurable by IT from hours to months and anywhere in between.

While the use of agents may be problematic for some organizations, in our testing it's become clear that for robust patch management, you're going to have to bite the bullet. To ease the pain of getting agents to target devices, Patch Manager supports push-based agent deployment as well as login script installation.

We also liked the ease of bandwidth monitoring. With agent installation, both peer downloading and bandwidth throttling, including settings for both minimum and maximum usage, are available.

Bandwidth usage is calculated by the device agent dynamically during patch deployment. Peer downloading is also an interesting feature, especially for distributed enterprises with remote locations or employees who have less-than-optimal connectivity.We found reporting to be on par with the other three platforms we've reviewed. Patch Manager has a wide array of standard reports and provides the ability to create custom reports as needed. Reports can be run on any group of devices or all devices and can analyze agent status, vulnerability states, and remediation progress.

While a wide range of operating systems are supported, features are relatively limited for non-Windows devices. For example, while we could do scanning and remediation on Red Hat Enterprise Linux and SUSE Enterprise Linux systems, no other Unix platforms or Linux distributions are supported for both scanning and remediation. HP-UX, AIX, and Solaris 8 and 9 are supported for scanning only, and Solaris agent installation was lacking in both ease and documentation.

While the user interface is adequate, the overall design is less intuitive compared with what we've seen in other platforms. Agent deployment, scanning, and remediation tasks can all be done through the GUI, but in some cases, we found that creating the desired task required multiple steps and nonintuitive navigation. For example, deploying agents to unmanaged devices required dragging the devices from one tab to another tab, then onto their correct places.

Navigation may be better if you're using LANDesk's Management Suite. The option to uninstall a patch wasn't as easily exercised as it was in the other products we reviewed, but it did the job. Pricing is about $29 per node managed.