Security patches are a big worry: they come out at odd times, they suck up your bandwidth, and just occasionally they break things. We look at patch management packages to ease the burden.
There are a few problems, however, the main one being that there are so many patches and not enough time to test and deploy them. Enterprises need a large window in which to test patches before rolling them out to their machines; as we know, you can't simply push a patch out to every machine, because it may conflict with a particular application and leave you in an even worse position than before.
Stepping back a little, patches do very little if your systems are not secure in the first place. Most of the time security problems don't stem from flaws in the software at all, but from employees using weak passwords, machines that are misconfigured or left unattended, and employees opening e-mail attachments and running untrustworthy applications.
A long-running problem with Microsoft's operating systems (among others) has been that services most people never used -- and which could expose the machine to attack -- were turned on in the out-of-the-box installation. Microsoft has now turned off over 20 services by default in Windows Server 2003. This is one of the steps it has taken to reduce the "attack surface", something Linux distributions have been doing for years.
Administrators have been expressing concerns about the frequency with which Microsoft releases patches. Other concerns include too many different patch installers, the large size of patches, the need to restart machines after patching, and an abundance of patch management products that overlap in features -- yet there is still no single complete end-to-end patch management package. Microsoft has been working to iron out these issues by attaching severity ratings to patches, improving the way patches are tested, providing consistent installers, reducing the size of patches, and minimising restarts.
In this review we look at Prism Deploy from New Boundary, HfNetChk Pro from Shavlik Technologies, Radia Patch Manager from Novadigm, and LANGuard Network Security Scanner from GFI. Out of the box, these products deploy patches only for Microsoft software: the Windows operating systems, Internet Explorer, Exchange Server, SQL Server, IIS, Media Player, DirectX, MDAC, Outlook, and Office.
We also invited Altiris and IBM to submit products: Altiris is awaiting the release of the next version of its product and couldn't get us a preview copy in time, and IBM was unable to submit a product. Patches for non-Microsoft products can also be deployed with some of these products, although you would need to supply the patch executable yourself. If you're running Macs or Linux-based systems you will have to wait: some of these vendors are working on it, so hopefully it won't be too far away.
We also looked at a product that is of interest in this area but doesn't actually deploy patches: Network VirusWall from Trend Micro. And we had a quick look at Microsoft's SMS, which does both software distribution and asset management.


