Cal Poly
Title V Project
Patch Management
Patch management is a vital part of any IT infrastructure to ensure that all critical patches are installed to protect your network against the latest exploits. Managing configuration changes and uploading the most current hot-fixes in a distributed environment can be extremely difficult and time consuming. With the use of patch management tools, applying critical patches can be a simplified automated process.
There are essentially two types of patch management tools: agent-based and non-agent-based. Non-agent-based tools work by scanning hosts over the network to determine their service pack and hot-fix configurations. This requires domain or local administrator access to each target, along with the Remote Registry Service enabled and SMB network access available. These target-level requirements may limit non-agent-based tools to networks over which the administrator has a high degree of control. The benefit is that the tool is installed on only one machine.
The agent-based tools work by installing an agent on the target host that runs in the background. The agent periodically queries the patch server for updates to install on the host. The benefit to this is that network scanning problems are avoided and updates can be installed whenever the host is active, not just when the tool does the network scan. It is ideal for dynamic environments where users have autonomous control over their systems. The downside to agent-based tools is that the patch management tool must be installed and maintained on every host.
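The following is an added illustration of the agent-based check-in just described; it is not code from any product on this page. A server holds one required-patch profile per OS/service pack platform, each agent reports its host's installed hot-fixes, and the server answers with what is still missing. The hosts, profiles and hot-fix identifiers are constructed sample data, and the supersedence rule (a newer hot-fix satisfying an older requirement) is an assumption that goes beyond the text.

```python
"""Model of an agent-based patch check-in (added example, constructed data)."""
from dataclasses import dataclass, field


@dataclass
class PatchProfile:
    platform: tuple              # (os, service_pack), e.g. ("Windows 2000", "SP3")
    required: set                # hot-fix ids that must be present on that platform
    superseded: dict = field(default_factory=dict)  # old id -> newer id replacing it


@dataclass
class HostReport:
    name: str
    platform: tuple
    installed: set               # hot-fix ids the agent found on its host


class PatchServer:
    def __init__(self, profiles):
        self.profiles = {p.platform: p for p in profiles}

    def missing_patches(self, report):
        """Return sorted missing hot-fix ids, or None if no profile covers the platform."""
        profile = self.profiles.get(report.platform)
        if profile is None:
            return None          # unknown platform: report it rather than guess
        missing = set()
        for hf in profile.required:
            if hf in report.installed:
                continue
            # assumption: a newer hot-fix that supersedes the required one also satisfies it
            if profile.superseded.get(hf) in report.installed:
                continue
            missing.add(hf)
        return sorted(missing)


def check_in_all(server, hosts):
    """One polling round: every agent reports, the server answers per host."""
    return {h.name: server.missing_patches(h) for h in hosts}


# Constructed sample profiles and agent reports (ids are placeholders, not real KBs).
PROFILES = [
    PatchProfile(("Windows 2000", "SP3"), {"HF-101", "HF-102", "HF-103"}, {"HF-102": "HF-104"}),
    PatchProfile(("Windows XP", "SP1"), {"HF-201", "HF-202"}),
]
HOSTS = [
    HostReport("ws01", ("Windows 2000", "SP3"), {"HF-101", "HF-104"}),   # HF-104 supersedes HF-102
    HostReport("ws02", ("Windows XP", "SP1"), {"HF-201", "HF-202"}),     # fully patched
    HostReport("srv03", ("Windows NT", "SP6a"), set()),                  # no profile defined
]

if __name__ == "__main__":
    for host, missing in check_in_all(PatchServer(PROFILES), HOSTS).items():
        print(host, "-> no profile" if missing is None else f"-> missing {missing}")
```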
UpdateEXPERT
St. Bernard Software
UpdateEXPERT is a software patch vulnerability assessment tool that scans your networked systems for missing patches and fixes. It offers a unique and easy-to-use interface for managing bulk installations. It allows you to filter and categorize patches by type, and to create profiles that define the OS-level patch configuration for each OS/service pack platform. UpdateEXPERT can also be scheduled to scan and update the network at any time.
Supported Patches
Windows NT/2000/XP
IIS
Terminal Server
SQL Server
Exchange Server
Windows Media Services
Net Meeting
Internet Explorer, Media Player, Office, Outlook
*Product information was obtained from St. Bernard’s website
HFNetChkPro
Shavlik Technologies
HFNetChkPro is an enhanced GUI version of Microsoft’s HFNetChk utility. HFNetChkPro is an automated, real-time patch inspection and push solution with real-time access to Microsoft's security update database and extensive file validation to assure proper patch installation. Its friendly user interface filters out patches that do not apply to a particular machine, and allows you to select and download all necessary patches at the same time.
However, HFNetChkPro lacks the flexibility to provide authentication information on a per-machine basis, making it difficult to scan hosts in different domains.
Supported Patches
Exchange 5.5, Exchange 2000
SQL Server 7.0, SQL Server 2000
Windows Media Player
Windows NT/2000/XP
Windows Terminal Server
Internet Information Server
Internet Explorer
*Product information was obtained from Shavlik’s website
PatchLink Update
PatchLink Corporation
PatchLink Update is the most comprehensive agent-based patch management tool currently available.
The agent is installed on all managed hosts, both servers and workstations. By periodically connecting to the PatchLink server, the agent checks for new patches that have been pushed out by the administrator and installs them as instructed. PatchLink also checks vendor Web sites every day for new releases, then notifies agents on your site if new software is available. You receive an e-mail notification showing what is available for which platforms. The administrator can then roll out the fixes via a Web-based distribution system. Unlike other patch management tools, PatchLink supports non-Microsoft platforms such as Solaris and Novell NetWare, and other software vendors such as Symantec and Citrix.
Supported Patches
Windows 95/98/2000/NT/XP
UNIX (Solaris, Linux, AIX)
Novell NetWare
Terminal Server
Internet Information Server
SQL Server
Exchange Server
ISA
Internet Explorer, Media Player, Office, Outlook
Other software vendors: Adobe, Citrix, Corel, Symantec, McAfee, WinZip, Sophos
*Product information was obtained from PatchLink’s website
BigFix Enterprise Suite
BigFix, Inc
BigFix is similar to PatchLink in that it uses agent-side intelligence for patch-configuration scanning of the end-user host and for pulling down the patches pushed out by the BigFix administrator. The BigFix server subscribes to, stores, and delivers up-to-date Fixlet messages from Internet-based Fixlet message sites to all computers on the network. A Fixlet message contains a description of the vulnerability, who it affects, and how it can be fixed. The BigFix client silently monitors the computer, determines which Fixlet messages are relevant, and takes the appropriate action. The user interface is similar to an e-mail inbox, in which the administrator can monitor messages and filter out unnecessary patches.
Unfortunately, BigFix costs much more than any of its competitors.
Supported Patches
Windows 95/98/2000/NT/XP
Terminal Server
Internet Information Server
SQL Server
Exchange Server
ISA
Internet Explorer, Media Player, Office, Outlook
*Product information was obtained from BigFix’s website
The following is a comparison of various patch management tools taken from Network Computing’s review of patch management tools (http://www.networkcomputing.com/1318/1318f33.html). It includes all of the tools evaluated here along with other alternatives.
