Patchwork made easy
Patch management tools work well, but differ based on user preferences
- By Carlos A. Soto
- May 11, 2005
The importance of patch management to any network is often understated. A common misconception of patch management software is that it simply initializes the auto-update features found in existing operating systems and software applications. In fact, good patch management solutions not only analyze the actual patches, looking for possible bugs in the software, but also ensure the integrity of applications after patches have been applied.
That's important because patching a computer has a domino effect. One swapped Dynamic Link Library file will alter another file, which in turn changes a registry setting, and pretty soon you have 30 or 40 files that are different because one file had to be replaced. And this scenario includes only one computer, not a network. It also doesn't take into account the fact that patches often contain corrupt or incorrect files, created either by accident or by an attacker. Multiply the single-system domino effect by 1,000 or 500,000 nodes, then add spyware, virus and spam worries, and you have an appreciation for the IT nightmare common among agency network administrators.
The GCN Lab recently invited four solution providers to participate in a review of patch management software: BMC Software Inc., LANDesk Software Inc., PatchLink Corp. and Symantec Corp. After much discussion, Symantec chose not to participate; its LiveState Patch Manager product is due out soon.
We're aware there are many solutions we were unable to review [for details on a variety of solutions, see the GCN Buyers Guide coming June 6]. We chose these three for our first foray into enterprise patch management testing because they are well known, demonstrate the full spectrum of patch management capabilities and could meet our rigid schedule, which included day-long appointments with each vendor in our Washington lab.
What we did
We installed each patch management suite on the GCN Lab network and judged several aspects of usability, performance and features.
Setup and administration. Enterprise-level patch management software is often complicated to install and maintain. This operation, however, varies greatly from product to product. Some programs are ready to go out of the box and some aren't.
Detection and remediation. Patch management software needs to be able to map and identify every component of a network in a manner more sophisticated than the basic whois and ping protocols. The patch management solutions that yield a deeper network analysis fared better in our review.
Heterogeneous environment support. Mixed platforms are common in every agency. One of the toughest tasks for a patch management program is to cover multiple types of operating systems, device drivers and applications. The lab established 10 nodes that covered most operating systems, as well as drivers and applications from more than a dozen different vendors.
Control. Management and delegation go hand in hand. The lab explored the sophistication and depth of permissions control in each suite. Having the capability to restrict certain administrative staff and users to certain parts of the network is paramount in maintaining an up-to-date enterprise network.
Automation. The more the software does by itself, the better. A challenge facing patch management, particularly in large enterprises, is the ability to push and to pull software from one node to another in an efficient, automated way. Some patch management software merely pushes or pulls patches; the most effective does both.
What we found
There are two main types of patch management software. One is intended for small- to medium-sized enterprises, roughly 50 to 20,000 nodes, and the other for medium to large enterprises, 20,000 to 500,000 nodes. LANDesk's and PatchLink's solutions fit better into the former category; BMC's Marimba software into the latter.
Each solution we reviewed handled every device driver, application and Microsoft Windows patch efficiently. They all come with crude Linux support, but not all handle the Mac OS platform. The lack of robust operating system support is a problem we found in all the products in this review. For example, the Mandrake flavor of Linux isn't supported at all.
Finding and fixing problems was not an issue, though. Whether dealing with a corrupt .DLL or an issue with the Windows Registry, every one of these products was able to diagnose and fix the errors, which bodes well for patch management technology in general.
All told, LANDesk identified 43 missing patches on a single test machine; PatchLink found 53; Marimba 59. The disparity is more a function of changes over time to our test network and different vendors' categorizations of patches. Some vendors combine two patches into one, and vice versa. Whether a product that identifies more patches is actually better would require analysis of the software's reports. More patches doesn't always mean more security (and can often lead to more headaches).
Security is the next frontier for patch management. Two of the three products we looked at include full-blown anti-spyware capabilities, and they all have some sort of crude virus recognition engine. All the vendors said they were developing high-grade antivirus engines for future versions.
Of the three solutions we tested, BMC's Marimba would be best suited for large enterprises. But we'd have to get our hands on other large-scale patch management solutions, such as Altiris Patch Management, to see how they compare before endorsing Marimba. BMC's support for Linux and Mac OS left us wanting, and the company itself doesn't test patches.
In the end, we liked PatchLink Update best of the three, regardless of network size. The company rigorously tests all patches before pushing them to network administrators and uses a unique 'fingerprint' system to ensure patches haven't been tampered with. Although the PatchLink interface could use an update, the software is relatively easy to learn, and learning how to do patch management effectively is half the battle against network vulnerabilities.
LANDesk Management Suite 8
Pros: Easy to use, nice peer-to-peer capabilities
Cons: Difficult to install, smaller patch repository
LANDesk Management Suite is an all-encompassing network administration package that includes asset discovery and a patch management module. We found its installation a bit complicated (it took us twice as long to set up as the other two suites), but after we were up and running, we were largely impressed.
The suite's interface is well designed and easy to use. It only took us a couple of hours to become proficient at downloading and installing patches, as well as taking inventory of the machines on our network.
We especially liked LANDesk's attention to bandwidth conservation and intelligent patch distribution. The software supports peer-to-peer distribution, meaning once the LANDesk server detects that a patch is needed, network administrators can choose how to deploy it based on network utilization. They can download the patch to the LANDesk server, called the core, and the core will push the patch to every node on the network, or they can select a node on the network to download the patch and seamlessly distribute it to all its peers. If the worker on the distribution node shuts off his computer, deployment automatically shifts to an active node, which completes the patch rollout.
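The distribution-node failover described above, modelled as an added example. This is not LANDesk's code: the node names, the election rule (promote the first online peer that already holds the patch) and the one-peer-per-step pacing are assumptions of the example, and the case where no online peer holds the patch is surfaced as an error so the core knows it must push directly.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Node is one managed PC in the rollout. Online and HasPatch are the two
// facts the core must track to keep a peer-to-peer rollout moving.
type Node struct {
	Name     string
	Online   bool
	HasPatch bool
}

// Rollout models a single distribution node serving its peers, with the
// core re-electing a distributor if that node goes offline mid-rollout.
type Rollout struct {
	Nodes       map[string]*Node
	Distributor string // node currently serving its peers
	Events      []string
}

// NewRollout seeds the patch on the chosen distribution node. The
// distributor must be one of names; the example does not guard against a typo.
func NewRollout(names []string, distributor string) *Rollout {
	r := &Rollout{Nodes: map[string]*Node{}}
	for _, n := range names {
		r.Nodes[n] = &Node{Name: n, Online: true}
	}
	r.Nodes[distributor].HasPatch = true
	r.Distributor = distributor
	return r
}

// sortedNames gives deterministic iteration order over the node map.
func (r *Rollout) sortedNames() []string {
	names := make([]string, 0, len(r.Nodes))
	for n := range r.Nodes {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// electDistributor promotes the first online node that already holds the
// patch. When none exists the core itself has to step back in and push.
func (r *Rollout) electDistributor() error {
	for _, n := range r.sortedNames() {
		if node := r.Nodes[n]; node.Online && node.HasPatch {
			r.Events = append(r.Events, fmt.Sprintf("distributor %s offline, promoting %s", r.Distributor, n))
			r.Distributor = n
			return nil
		}
	}
	return errors.New("no online peer holds the patch; core must push directly")
}

// Step delivers the patch to one pending online peer. done is true once
// every online node has the patch; offline nodes are skipped until they return.
func (r *Rollout) Step() (done bool, err error) {
	d := r.Nodes[r.Distributor]
	if !d.Online || !d.HasPatch {
		if e := r.electDistributor(); e != nil {
			return false, e
		}
	}
	for _, n := range r.sortedNames() {
		node := r.Nodes[n]
		if node.Online && !node.HasPatch {
			node.HasPatch = true
			r.Events = append(r.Events, fmt.Sprintf("%s -> %s", r.Distributor, n))
			return false, nil
		}
	}
	return true, nil
}

// Pending counts online nodes still waiting for the patch.
func (r *Rollout) Pending() int {
	count := 0
	for _, node := range r.Nodes {
		if node.Online && !node.HasPatch {
			count++
		}
	}
	return count
}

func main() {
	r := NewRollout([]string{"ws1", "ws2", "ws3", "ws4", "ws5"}, "ws3")
	r.Step()                      // ws3 serves ws1
	r.Nodes["ws3"].Online = false // the worker shuts off the distribution node
	for {
		done, err := r.Step()
		if err != nil {
			fmt.Println("rollout stalled:", err)
			return
		}
		if done {
			break
		}
	}
	for _, e := range r.Events {
		fmt.Println(e)
	}
}
```

The point of the error path is that the failover only works while some online peer already holds the patch; if the distribution node drops before it has served anyone, the core must push the patch itself, and a rollout tracker should report that rather than silently stall.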
Overall, though, LANDesk didn't quite stack up against the other packages we tested. For example, the main problem with the LANDesk installation was its difficulty locating computers on our network and installing remote agents. Both Marimba and PatchLink auto-discovered the PCs and deployed the necessary software, while LANDesk, which is also supposed to auto-discover, ultimately required us to type the network paths of computers.
Not surprisingly perhaps, LANDesk's inventory of network assets wasn't as comprehensive as Marimba's, which caters to larger enterprises. For that matter, neither was PatchLink's. We also weren't particularly impressed with LANDesk's patch repository, which was more limited than PatchLink's.
LANDesk patch management is ideal for smaller agencies where bandwidth management and ease-of-use are mission-critical. But as networks grow larger, we found it can be difficult to follow who has a patch and where it's deployed.
LANDesk Software Inc., South Jordan, Utah, 800-982-2130, www.landesk.com
Marimba Patch Management from BMC Software
Pros: Web-based user interface, highly automated, good network detection
Cons: Weak Mac and Linux support, no comprehensive patch testing
Marimba (acquired by BMC a year ago) employs a secure, Web-based approach to patch management, which lets users administer patches from any machine with an Internet connection. Moreover, the Web-based console is easy to use and logically designed.
Marimba also offers the best network detection tool of the packages we reviewed. It uses, but does not require, Windows Management Instrumentation to gather information about computers on the network. WMI is a new protocol found in recent versions of Windows that gives detailed information about a computer such as processor, BIOS version and a full account of every operation and error the machine may have encountered.
The benefits of WMI, coupled with Marimba's robust inventory capabilities, are numerous. The software can plug a security hole by identifying unauthorized software, and it lets administrators remove programs that users don't need or use. This can save agencies money on licensing and increase operational performance.
We were also impressed with Marimba's patch repository, which gives administrators granular information about the patches down to the bit level, making it easier for an agency to test the patches. And that's important because BMC is the only vendor in this review that does not do comprehensive testing of patches before sending them to networks. The Marimba solution can run a mock test of patches to see how they might operate on your network; however, this operation is far from secure and accurate.
The reason BMC doesn't test the patches is that the company caters to larger enterprises that it feels are equipped with staff to run all tests before patch deployment. The Marimba software itself is strictly for automating and organizing patch deployment, which it does better than either of the other solutions in the review.
If there are drawbacks to the Marimba software itself, they have to do with its complexity and dependency on Microsoft networks. The patch manager is only one cog in a large enterprise system that relies on distribution servers, inventory servers, policy servers and common management servers. All these servers intertwine off-site to deliver the patch management solution.
For smaller agencies this may be overkill, but larger organizations may like the granular control, such as the power to compartmentalize your entire infrastructure so each group of users has what they need and nothing else.
Marimba supports Sun Microsystems' operating systems, but BMC has not developed seamless support for Red Hat Linux and Apple operating systems. In fact, the entire Marimba solution operates off a Microsoft Active Directory.
For large Microsoft shops, Marimba offers a lot. It gives users the option to push or pull software and has a robust automation system so that once parameters are in place, an administrator has to do very little to keep updates going.
BMC Software Inc., Mountain View, Calif., 888-800-5444, www.marimba.com
PatchLink Update
Pros: Very affordable, unique patch fingerprinting, good Mac and Linux support
Cons:
Despite a dated user interface that relies on tree-structures to manage patch deployment, PatchLink Update was our favorite solution. From start to finish, PatchLink makes it nearly effortless for administrators to secure their networks.
The company spends a lot of time working with the patches to determine every possible variable that will affect your network and delivers patches along with any additional software that may be required. In fact, PatchLink runs the patches it receives from application vendors through 250 different environments and publishes the results for you to see.
PatchLink is also the only product in this review to 'fingerprint' each patch with a public-key-infrastructure-style technology to guarantee that the patches in your network were not tampered with. It also submits patches through a 128-bit Secure Sockets Layer connection from a File Transfer Protocol server.
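The review describes PatchLink's fingerprinting only as "PKI-style", so the following is an added example of the general shape of such a check rather than PatchLink's code: the vendor signs a manifest of per-file SHA-256 digests, and the receiving patch server verifies the signature under a pinned vendor public key and then checks every file against the manifest before anything is deployed. Ed25519 as the signature scheme, the manifest layout, the key handling and the sample bundle contents are all assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps each file path in a patch bundle to its SHA-256 digest.
// The vendor signs the manifest; the receiving server checks every file against it.
type Manifest map[string][32]byte

// BuildManifest digests the files of a bundle (the vendor-side step).
func BuildManifest(files map[string][]byte) Manifest {
	m := Manifest{}
	for path, data := range files {
		m[path] = sha256.Sum256(data)
	}
	return m
}

// canonical renders a manifest as sorted "path hexdigest" lines so that
// signer and verifier hash exactly the same bytes regardless of map order.
func canonical(m Manifest) []byte {
	paths := make([]string, 0, len(m))
	for p := range m {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		d := m[p]
		fmt.Fprintf(&b, "%s %s\n", p, hex.EncodeToString(d[:]))
	}
	return []byte(b.String())
}

// NewVendorKey generates the vendor's signing key pair. Constructed for the
// example; in practice the public key is pinned in the patch server's configuration.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignManifest signs the canonical manifest bytes (vendor side).
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, canonical(m))
}

// VerifyBundle is the receiving side. It rejects the bundle if the manifest
// signature is bad, if any listed file is missing or altered, or if the bundle
// carries a file the signed manifest does not mention.
func VerifyBundle(pub ed25519.PublicKey, m Manifest, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(pub, canonical(m), sig) {
		return errors.New("manifest signature does not verify under the pinned vendor key")
	}
	for path, want := range m {
		data, ok := files[path]
		if !ok {
			return fmt.Errorf("%s: listed in manifest but missing from bundle", path)
		}
		if sha256.Sum256(data) != want {
			return fmt.Errorf("%s: digest mismatch, file altered after signing", path)
		}
	}
	for path := range files {
		if _, ok := m[path]; !ok {
			return fmt.Errorf("%s: present in bundle but not in signed manifest", path)
		}
	}
	return nil
}

func main() {
	pub, priv, err := NewVendorKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample bundle standing in for a downloaded patch.
	bundle := map[string][]byte{
		"PATCH-EXAMPLE/setup.exe":   []byte("installer bytes"),
		"PATCH-EXAMPLE/example.dll": []byte("library bytes"),
	}
	m := BuildManifest(bundle)
	sig := SignManifest(priv, m)
	fmt.Println("clean bundle:", VerifyBundle(pub, m, sig, bundle))

	// Flip one byte of the DLL in transit: the digest check catches it.
	bundle["PATCH-EXAMPLE/example.dll"][0] ^= 0x01
	fmt.Println("tampered DLL:", VerifyBundle(pub, m, sig, bundle))
}
```

Two design points carry over to any real scheme: the manifest must be serialized canonically or an honest vendor's signature will fail on the receiving side, and the verifier must reject unlisted files as well as altered ones, since an extra DLL dropped into a bundle is exactly the "additional file" an attacker would want to ride in on a legitimate patch.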
PatchLink Update fully supports Mac and Linux environments, and we liked the way it conserves bandwidth during patch deployment. Patch packets are not sent all at once but are gradually deployed to your PatchLink Update server, which then pushes the patches to each PC and even patches itself.
One caveat about the PatchLink solution that may make some agencies nervous: When the PatchLink server on your network retrieves new patches from the PatchLink FTP server, information about the number of client PCs using the PatchLink Update solution is transmitted for billing purposes.
PatchLink assured us this information is minimal, secure and necessary to facilitate billing on a per-computer basis, which typically comes out to about $27 per year.
PatchLink's solution is less comprehensive than something like Marimba. For example, it doesn't let administrators group or organize patches on an enterprise level the way Marimba does. Although it's possible to run a large agency using PatchLink, your administrators may have to do additional organizational work. Still, the advanced capabilities and secure infrastructure of PatchLink make it top-notch for small to medium-sized operations.
PatchLink Corp., Scottsdale, Ariz., 480-970-1025; www.patchlink.com