This story was printed from ZDNet Australia.
Patch management: 4 packages tested
June 11, 2004
URL: http://www.zdnet.com.au/reviews/software/security/soa/Patch-management-4-packages-tested/0,139023452,139150207,00.htm
Security patches are a big worry: they come out at odd times, they suck up your bandwidth, and just occasionally they break things. We look at patch management packages to ease the burden.
There are a few problems, however, the main one being that there are so many patches and just not enough time to test and deploy them. Enterprises need to be given a large window of time to test patches before deploying them on their machines -- and as we know you can't just push patches out to machines -- as there may be issues with particular applications which can leave you in an even worse situation.

Stepping back a little, patches do very little if your systems are not secure in the first place. Most of the time security problems don't involve flaws in the software but have more to do with employees using weak passwords, machines that are not configured properly, machines that are left unattended, and employees opening e-mail attachments and running untrustworthy applications.

There is also the idea that the most effective patch is the one you don't have to apply. In other words, you should turn off the services you don't intend to use and only run the ones you need. Even if there are vulnerabilities, they won't make a difference if the service isn't running. This has been a long-running problem with Microsoft's operating systems (among others): services most people didn't use -- and which could lead to security problems -- were turned on in the out-of-the-box installation. Microsoft has now turned off over 20 services in Windows 2003 Server by default. This is one of the steps they have taken to reduce the "attack surface", something Linux distributions have been doing for years.

Administrators have been expressing concerns about the frequency of patches Microsoft has been releasing. Other concerns have been to do with too many different patch installers, the large size of patches, the need to restart machines after patching, and the abundance of patch management products that overlap in terms of features -- yet there isn't a single complete end-to-end patch management package.
Microsoft has been working hard to iron out these issues by placing severity ratings next to patches, improving the way patches are tested, providing consistent installers, modifying the size of patches, and minimising restarts. In this review we look at Prism Deploy from New Boundary, HfNetChk Pro from Shavlik Technologies, Radia Patch Manager from Novadigm, and LANGuard Network Security Scanner from GFI. These products only deploy patches for Microsoft operating systems, Internet Explorer, Exchange Server, SQL Server, IIS, Media Player, DirectX, MDAC, Outlook, and Office. We also invited Altiris and IBM to submit products: Altiris is currently awaiting the release of the next version and couldn't get us a preview copy in time, and IBM was unable to submit a product. Patches for non-Microsoft products can also be deployed using some of these products; however, you would need to have the executable. If you're running Macs or Linux-based systems you will have to wait. Some of these vendors are working on it, so hopefully it won't be too far away. We also looked at a product that would be of interest in this area but doesn't actually deploy patches: the Network VirusWall from TrendMicro. We also had a quick look at Microsoft's SMS, which does both software distribution and asset management.

GFI LanGuard
The GFI Languard Network Security Scanner is a network security solution that not only scans your operating systems and applications for missing patches but also for open ports, open shares, weak passwords, and more. This GFI product runs on Windows 2000/2003 family operating systems as well as Windows XP. You need to make sure the systems being scanned don't have personal firewall software running, as it may block the scanner.
The scanner has a "New Scan" button which enables you to scan a single computer or a whole domain for missing patches. It actually goes beyond this by giving you the option to scan TCP/UDP ports and CGI, and to force patch updates.
The New Boundary Prism Patch Manager is also a product that only deploys Microsoft patches. This product comes from the UK. Setup was a little tricky. There are a few components of the installer you have to understand how to install. A typical installation includes the console, the master agent, and the agent installer. You also don't have to manually install agents on client machines. The minimum software requirements to run Patch Manager are Windows NT 4.0, Windows 2000, or Windows XP Professional and Windows Server family operating systems. Client PCs can run on Windows 2000 and 2003 Server operating systems. Machines are discovered using Microsoft's Active Directory. There were a few things we had to do beforehand, like enter a domain to search as well as give administrator access to the master agent, which does all the interrogating. When a machine is discovered you have to allow it to be managed, which will then allow you to query the machine. Querying the machine means checking to see what patches need to be installed; this was pretty simple. The format in which this information is displayed was excellent. Across the top of the application, running horizontally, you can tab across the various Windows products and check to see which patches you're missing.
The front end is somewhat busier than the Shavlik interface. There was a lot more information displayed on the screen but it was laid out very well and didn't cause any major confusion.
Radia Patch Manager came in as a late submission. It arrived already pre-installed on a Windows 2000 notebook running SQL Server. The Patch Manager was made up of three components: the Patch Manager, Application Analyzer, and System Explorer. It's a relatively large package and possibly the most complex we looked at. We were informed that this product is suited to environments with over 1000 machines and can be installed on Windows NT/2000 Server and Windows Server 2003, with clients running Windows 95, 98, NT, 2000, and XP. As for UNIX and Linux support, Novadigm has advised us it is currently working on this one. At the moment it only supports Microsoft operating systems and applications. However, you can push out third-party software as executables that can run on client machines. We were surprised that the Patch Manager has to install an agent prior to running any vulnerability assessments, so that the main software can better manage the client machines. The installation of agents was quite messy and can be time consuming. The user interface was also a little primitive. The design would have been greatly improved if all the features could be accessed from one window. We constantly had to switch windows to run the other components. Navigating within the applications was simple enough, but the information could have been displayed better. We had to scroll down long pages, which can make you forget what options are available at the start of the page. We are advised Novadigm is currently working on this.
On a better note, the product does an excellent job of managing the full life cycle of patches: acquiring, testing, assessing, deploying, applying, reporting, and maintaining them. In particular, the way the product does patch testing is quite useful. You can use the Application Analyzer to test whether there will be any conflicts between two or more applications or machine resources. Also, this product can open up a patch executable from Microsoft and reveal to you the files that are of concern. Most other packages don't give you that level of detail.
HFNetChkPro 4 is a GUI-based patch management tool. It stems from the HFNetChk tool that Microsoft distributes for free. This tool can be set up in only a couple of minutes. It can run on Windows 2000 SP3 or later, XP Professional, and the Windows Server 2003 family. As for clients, it supports Windows NT, 2000, and 2003 Server operating systems. Other prerequisites are MDAC, XML, and Jet. The great thing about this software is that it doesn't use an agent. This speeds up set-up time dramatically. The HFNetChk engine uses CAB files that Microsoft maintains to check whether client machines are missing patches. It can scan up to 64 machines simultaneously, and if you need to scan more, you can schedule another scan once the first one has finished.
This tool was the easiest package to use. The front end is very clean, and within seconds the software would discover our machines and run a scan on them. It was just as easy to deploy the fixes. There were a few different ways in which you can scan and deploy fixes: by IP address, by domain, or by a group of machines. All in all a very intuitive product, but it only deploys Microsoft patches.
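The catalogue comparison that an agentless scanner of this kind performs (a maintained list of patches per product, checked against what each machine reports, with the oldest patches superseded by rollups) is simple to reproduce. The following is an added example written for this review, not Shavlik's or Microsoft's code; the catalogue, patch ids (Q000001 and so on), host names and installed sets are constructed sample data, and the 64-machine batch size is taken from the article's description of the engine.

```python
"""Constructed missing-patch assessment: catalogue vs. per-host inventory,
reporting only the newest (non-superseded) applicable patches, ordered by
severity, and splitting hosts into scan waves of at most 64 machines."""

SCAN_BATCH = 64  # the article says the engine scans up to 64 machines at once
SEVERITY_RANK = {"critical": 3, "important": 2, "moderate": 1, "low": 0}

# Constructed catalogue (not real Microsoft data):
# patch id -> (product, severity, id of the patch that supersedes it, or None)
CATALOGUE = {
    "Q000001": ("Windows 2000", "critical", "Q000004"),   # rolled up into Q000004
    "Q000002": ("Windows 2000", "important", None),
    "Q000003": ("SQL Server 2000", "critical", None),
    "Q000004": ("Windows 2000", "critical", None),
    "Q000005": ("IIS 5.0", "moderate", None),
}

# Constructed inventory: host -> (installed products, installed patch ids)
INVENTORY = {
    "pc-01": ({"Windows 2000"}, {"Q000001"}),                 # has the old fix only
    "pc-02": ({"Windows 2000", "SQL Server 2000"}, {"Q000004"}),
    "pc-03": ({"Windows 2000", "IIS 5.0"}, set()),
}


def required_patches(products):
    """Newest applicable patches only: an entry that another entry supersedes
    is never reported on its own, so pc-01's Q000001 does not count as Q000004."""
    return {pid for pid, (product, _, superseded_by) in CATALOGUE.items()
            if product in products and superseded_by is None}


def missing_patches(products, installed):
    """Required patches the host lacks, most severe first, then by id."""
    missing = required_patches(products) - set(installed)
    return sorted(missing, key=lambda pid: (-SEVERITY_RANK[CATALOGUE[pid][1]], pid))


def assess(inventory):
    """host -> ordered list of missing patch ids."""
    return {host: missing_patches(products, installed)
            for host, (products, installed) in inventory.items()}


def worst_severity(missing):
    """Highest severity among the missing patches, or None when up to date."""
    return max((CATALOGUE[pid][1] for pid in missing),
               key=SEVERITY_RANK.get, default=None)


def scan_waves(hosts, batch=SCAN_BATCH):
    """Split the host list into scans of at most `batch` machines, to be run
    one after another as the article describes for more than 64 hosts."""
    hosts = sorted(hosts)
    return [hosts[i:i + batch] for i in range(0, len(hosts), batch)]


if __name__ == "__main__":
    for wave_no, wave in enumerate(scan_waves(INVENTORY), 1):
        print(f"scan wave {wave_no}: {wave}")
    for host, missing in assess(INVENTORY).items():
        print(host, worst_severity(missing) or "up to date", missing)
```

The supersedence column is the part worth noticing: a host that carries an old hotfix but not the rollup that replaced it is still reported as missing the rollup, which is the behaviour you want from any catalogue-driven scanner.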
Interoperability

All the software packages were installed on an Acer Altos Server running Windows 2000 Server and SQL Server 2000 SP3a. This server was part of a private network which consisted of another three PCs. Each PC was running Windows 2000 Professional. No service packs or any kind of fixes were installed on the client PCs prior to testing. We scanned the client PCs for any missing patches and then deployed the patches to these machines to test the basic functionality of each product. We focused on ease of installation of both client and admin software, and the overall ease of use, including reporting on the patches that were installed on the target machines. We also looked out for any outstanding features that separated some of these packages from each other.
Trend Micro Network VirusWall

The Vulnerability Assessment component discovers vulnerabilities and summarises the potential danger of each vulnerability. It lists the associated software and the potential malware that could affect it. The Outbreak Prevention component focuses on preventing and containing viruses. For example, from here you can isolate unpatched machines so they cannot infect other machines. As well as preventing outbreaks it monitors your network. The VirusWall uses smarts that monitor your network flow for anything that may seem irregular, and then notifies you. It scans port numbers, hosts, and connections for any sudden increases in traffic. Based on this sort of information you can also create policies that will enable you to block or isolate these machines. The Cleanup component cleans and fixes unwanted registry entries and corrupted system files. As you can see, there is a definite spot for this type of device on your network. In concert with a patch management package, you will have most of your bases covered. Trend Micro offers phone support from 9am to 5pm and e-mail support 24x7. Trend Micro Control Manager Version 3.0 is necessary to control the appliance. If you include the Trend Micro Control Manager, Vulnerability Assessment Service, Damage Cleanup Service, Outbreak Prevention Service, and the Network VirusWall appliance itself, the price works out to AU$80 per user for 100 users.
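The "sudden increase in traffic" check described above is a per-host and per-port baseline comparison. The following is an added example, not Trend Micro's code and not a description of how the appliance actually works internally: it runs a simple baseline-and-threshold detector over constructed flow records (minute, source host, destination port) in which one host opens an unusual number of port 445 connections, and returns the hosts a containment policy would act on. The warm-up window, multiplier and floor are assumed tuning values.

```python
"""Constructed traffic-spike detector over flow records. Baseline is the
mean connections per minute during a warm-up window; later minutes are
flagged when they exceed max(FLOOR, MULTIPLIER * baseline)."""
from collections import Counter, defaultdict
from statistics import mean

BASELINE_MINUTES = 10   # assumed warm-up window used to learn normal volume
MULTIPLIER = 5          # assumed: flag when volume is 5x the baseline...
FLOOR = 10              # ...but never on fewer than 10 connections a minute


def build_sample_flows():
    """Constructed flow log: each line is '<minute> <source host> <dst port>'.
    Three hosts browse steadily; pc-01 also uses file sharing; in minute 11
    pc-03 opens 40 port-445 connections, the kind of burst a worm produces."""
    lines = []
    for minute in range(12):
        for host in ("pc-01", "pc-02", "pc-03"):
            lines.append(f"{minute:02d} {host} 80")
        lines.append(f"{minute:02d} pc-01 445")
    lines += ["11 pc-03 445"] * 40
    return lines


def parse(lines):
    """Return (minute, host, port) tuples from the text records."""
    records = []
    for line in lines:
        minute, host, port = line.split()
        records.append((int(minute), host, int(port)))
    return records


def per_minute_counts(records, key):
    """entity -> Counter(minute -> connections), where `key(host, port)`
    picks the entity to profile (the host, the port, or a pair)."""
    counts = defaultdict(Counter)
    for minute, host, port in records:
        counts[key(host, port)][minute] += 1
    return counts


def find_spikes(records, key, baseline_minutes=BASELINE_MINUTES):
    """Alerts as (minute, entity, connections, threshold) for every minute
    after the warm-up window whose volume exceeds the entity's threshold."""
    alerts = []
    for entity, by_minute in per_minute_counts(records, key).items():
        baseline = mean(by_minute.get(m, 0) for m in range(baseline_minutes))
        threshold = max(FLOOR, MULTIPLIER * baseline)
        for minute, n in sorted(by_minute.items()):
            if minute >= baseline_minutes and n > threshold:
                alerts.append((minute, entity, n, threshold))
    return alerts


def isolation_candidates(records):
    """Hosts an outbreak-prevention policy would isolate: those whose own
    connection rate spiked."""
    return sorted({entity for _, entity, _, _ in
                   find_spikes(records, key=lambda host, port: host)})


if __name__ == "__main__":
    recs = parse(build_sample_flows())
    print("host spikes:", find_spikes(recs, key=lambda host, port: host))
    print("port spikes:", find_spikes(recs, key=lambda host, port: port))
    print("isolate:", isolation_candidates(recs))
```

Profiling by port as well as by host is what lets a device like this notice a worm even when the burst is spread across many machines: no single host may cross its threshold, but the port's aggregate count will.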
Microsoft Systems Management Server

As you can imagine, it would get quite messy if you were to mix modules and components from different vendors.
Microsoft System Management Server Enterprise Edition 2003 sells for AU$1019, and client access licences are AU$72. System Management Server Enterprise Edition 2003 English sells for AU$2325 and includes a copy of SQL Server 2000 that runs the SMS database.

Sample Scenario

Company: Victorian Loyalty Program Marketing
Best Solution: The only end-to-end patch management software submitted was Novadigm's Radia Patch Manager, so it's the best option for this company. It did everything we expected of it; however, it wasn't the easiest to use.

Look out for...

Novadigm Radia Patch Manager: If you're looking for one package that will do everything, Novadigm's Radia Patch Manager has all the tools to manage patches through their entire lifecycle, from acquiring patches through testing to deployment and beyond. On the downside, you'll need to install an agent on all the systems you want to manage, but no other package we looked at gives you the same level of control.

This article was first published in Technology & Business magazine.
RMIT IT Test Labs is an independent testing institution based in Melbourne, Victoria, performing IT product testing for clients such as IBM, Coles-Myer, and a wide variety of government bodies. In the Labs' testing for T&B, they are in direct contact with the clients supplying products, and the magazine is responsible for the full cost of the testing. The findings are the Labs' own -- only the specifications of the products to be tested are provided by the magazine. For more information on RMIT, please contact the Lab Manager, Steven Turvey.
Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.