Patch Work

Team leader Tori Harris, center, shows Susan Ruffcorn and Jerry Cronin the test bed computers that will provide authenticated software patches for Air Force systems.

Courtesy of the Air Force Communications Agency , Illustration by Phyllis Maringer

The ENOSC patch team also wants to offer notification to users, but 'we are not there yet,' project leader Susan Ruffcorn says.

Courtesy of the Air Force Communications Agency

Air Force has the job of tracking which machine has which patch all sewn up

Following a hot trend, the Air Force has set up its own software patch service for Microsoft Windows operating systems.

'We went from zero to 60 in two weeks' to get the Enterprise Network Operations Support Cell up and running last November, said Jerry Cronin, chief of the Air Force Communications Agency's computer systems and applications division. Since then, ENOSC has expanded its support from a handful of Windows OSes to some Microsoft applications and Unix.

'We're not mandatory, but we're trying to let people know it's there,' ENOSC project leader Susan Ruffcorn said.

ENOSC and its civilian counterpart, the Patch Authentication and Distribution Capability established by the Federal Computer Incident Response Center, are parts of what Cronin called the first phase of patching to keep programs always secure and up-to-date.

'At some point we might consolidate,' he said. At present the task is to standardize central management of a vital task that overwhelms administrators of enterprise networks.

A shell game

Software patches correct flaws or security vulnerabilities discovered in already released programs, but the job of keeping track of what has been installed on which machines is complex'not to mention evaluating and installing the patches. As a result, networks often remain vulnerable to attacks long after a fix is available for a particular security hole.

ENOSC provides two services: It evaluates the efficiency and safety of patches and provides a single, secure source for downloading them.

FedCIRC goes a step further by letting users upload system profiles so that the alerts can be specifically tailored to them.

'We have thought about offering notification,' Ruffcorn said. 'We are not there yet, but it's something we'd like to do.'

ENOSC, located at Scott Air Force Base, Ill., makes the authenticated patches available at www.afca.scott.af.mil/osc. The site is accessible only to IP addresses registered in the .gov or .mil domains.

'It's intended for the Air Force, but anybody who can access them can download the patches,' Cronin said.

The communications agency put ENOSC together with help from Microsoft Corp., which launched its trustworthy computing program in response to complaints about security problems in its products.

ENOSC initially supported Windows 9x and NT 4.0. It since has added Win 2000 and XP, as well as Exchange Server and Internet Explorer. In the Unix family, it now supports Sun Solaris and will add Linux and HP-UX.

Ratings reported

When a patch comes out for those OSes or applications, the Air Force Computer Emergency Response Team judges its effectiveness'that is, does it in fact fix the problem? A nine-member ENOSC team evaluates the patch's impact on the OS and on the applications likely to be running under it. The team assigns a numerical value to the risk of interference with other software and publishes a report on the Web site along with the patch, so that administrators can decide whether to install it.

The Air Force CERT also notifies the major command NOSCs about new patches, referencing ENOSC as the official source.

'But there's nothing stopping them from going to the Microsoft Web site' for patches, Ruffcorn said.

ENOSC wants to hear more about Air Force managers' experiences with the patches.

'There are hundreds of different systems across the Air Force,' Cronin said, and ENOSC cannot duplicate every configuration in its test beds. The real-world experience of program managers could provide valuable information to others.

Over the next year, the communications agency wants to automate the distribution of patches to the major command NOSCs. 'We want to make sure people can get them in a secure manner, upgrade their computers and let us know about it,' Cronin said.

ENOSC would not automatically install patches, but would push them to top-level NOSC servers for distribution to bases. Individual administrators still would decide whether or not to install each one.

'We've got to get them out there, they've got to be implemented and we've got to know,' Cronin said. 'That's the challenge of the next year.'

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above