Patch Management

With simple Windows networks, Microsoft's Windows Update Services, now in open-evaluation stages with final release expected in Q4 this year, can be used to keep your home computers up-to-date and may be enough to provide critical systems with the latest patches. Microsoft says the final release of Windows Update Services will add features that will make it your best patch source. It promises more features, including the capability to automate uploads of suggested and preferred patches, not just critical ones. Despite its limitations, SUS remains valuable, especially when paired with a tool like MBSA (Microsoft Baseline Security Analyzer), which scans your Microsoft systems for patch and vulnerability status and links to SUS to provide critical updates.

Windows SUS uses HfNetChk, a component that's available as a standalone offering. Developed by Shavlik Technologies and distributed for free, HfNetChkLt surveys computer systems on the network, building a list of the installed and available patch status for each server and workstation. HfNetChkPro is the commercial product.

Although the free version won't automate patch distribution, simply knowing which current patches need to be applied is a vital starting point. If you want to tie patch management into a broader security scheme, look at third-party patch-management products like Freeware QChain.Patching Linux

One of the compelling arguments for Linux is its low acquisition cost, though this may be offset by high support costs. Patch management for Linux, whether it comes as part of a commercial distribution or from a third party, changes the equation, increasing purchase costs in exchange for making patch management more effective.

With Linux servers, there are several distribution-specific mechanisms for managing patches. Red Hat has included patch management and update automation as part of its Enterprise Linux. If you need direct-from-the-vendor patch management, options include Novell's SuSE Linux for enterprise installations.

Commercial and Cross-PlatformVendors such as Hewlett-Packard, IBM and Sun Microsystems include patch management in their maintenance contracts for enterprise OSs and applications. However, several commercial patch-management applications will provide a single console across different platforms. Although not free, they may be more cost-effective than building a patch-management system from scratch or managing updates manually.

Ecora provides patch management for Linux, Unix and Windows OSs, as well as for a number of Windows server and desktop applications. PatchLink is another cross-platform player, though it adds a more visible services component to its total offering, rolling everything into a general security framework. Configuresoft takes this approach in the Windows-only realm. The vendor ties closely to Microsoft's Security Database through XML database creation. Microsoft would like Windows software-vulnerability packages to deal with patch management by including its XML Security Database.

Outsourcing Versus ...

Most of the vendors offering either software or services for patch management also provide professional services to help you determine where your system vulnerabilities lie. Companies without a dedicated IT security staff may find it far more affordable to outsource patch management.

... Managing In-House

Vendors providing commercial patch-management products offer an array of pricing plans--per seat ($5 to $50), per server (from $900) or some combination of the two. Some vendors, such as Shavlik, have set prices up to a certain number of seats, for example. The length of licenses also varies, from annual to perpetual.

The cost of providing internal expertise and time to develop and administer a patch-management system must be weighed against the purchase price of commercial systems. Regardless of the path you take, you must integrate patch management into a total-vulnerability assessment and mitigation function.

Outsourcing is a very real option for patch management. Several leading vendors either present themselves as managed-service providers or include elements of an outsourced service in their total offering. As an outsourced service, patches are gathered from respective vendors, gathered into centrally managed bundles and pushed out to your network hosts as necessary. The advantages of outsourcing on its various levels are many, ranging from freeing staff time spent on gathering patches to contractual assurances that available patches will be pushed to network hosts within a specified number of hours.Questions To Ask Providers:

* Times: How often are patches distributed? Is there a guarantee of a maximum number of hours between patch availability and install? Do they automatically download and install all patches, or are you notified of patch availability and offered the option of installation?

* Costs: Monthly recurring? Start-up? Shutdown or early termination penalties? Additional number of hosts or servers? Are fees based on network segments? Are there discounts for multiyear signup?

* References: Who locally? Who nationally? Number of paying customers? How many businesses like mine?

* Management: What distributed control is offered? Where are the bundled patches stored? What reports are provided on installed patches? Do we get a complete inventory of which machines are supplied with which patches? Are there any tie-ins with vulnerability-assessment tools?0