Tuesday's special

Find opportunities — and win them.

The second Tuesday of every month has become a red-letter day for computer security professionals.

The second Tuesday of every month has become a red-letter day for computer security professionals. Microsoft Corp. has turned it into "Patch Tuesday," the day that heralds the latest round of hot fixes and bug catchers for the Windows operating system and other Microsoft programs.The problem is the bad guys also get the patch data on the same day, if not sooner. And every hour that passes between a new patch's announcement and its installation on vulnerable systems raises a network's risk level. Last year's SQL Slammer worm and the infamous Code Red attack of 2001 both exploited known vulnerabilities after Microsoft had issued patches for them.Then there's the compatibility issue. Some patches may break an installed application. Many organizations put off deployment of Microsoft Windows XP's Service Pack 2 because it affected the operation of some browser-based programs.It's easy to see why patch management software ? tools designed specifically to test and deploy fixes for software defects and other potential security vulnerabilities ? has become one of the fastest-growing segments of the software market. Analysts from Yankee Group in Boston expect the global patch management market to grow from $70 million in 2003 to $300 million in 2008.Patch management tools don't just automate rolling out patches, they help prevent many of the problems a patch rollout can cause. Depending on the number of systems in an organization and how critical their operation is, the workflow elements of a patch management tool can be as important patch rollout.The first part of the process is determining which systems are vulnerable. Scans are done either by remotely examining a system through a series of service requests and remote procedure calls, or by running a script or agent software program on the machine being examined. By using integrated scanning software such as that in Shavlik's HFNetCheck, or by pulling in data collected by vulnerability scanners such as eEye Digital Security's Retina Network Security Scanner, the patch management software helps administrators identify and group systems.The next step is to make sure patches will work and won't break other software. Some patch management tools, such as Citadel's Hercules, include a subscription service from their vendors that includes certification of patches, including a full dependency check.Finally, administrators must get the patches out to the machines. An important workflow feature to look for, particularly if you're managing a large network or multiple sites, is patch staging. Distributing patches over the network from one server to a few thousand clients, even during off-peak hours, can create a glut of network traffic and slow rollout. Staging servers distribute patches from various places throughout a network, closer to the target machines.Be sure to pick a patch management system that suits your network. Some patch management tools, such as those from Shavlik, focus on Windows patches. BMC Software, NetIQ and Symantec have licensed Shavlik's HFNetChkPro technology as part of their patch management solutions. (As of this writing, Symantec's LiveState Patch Manager product had not yet been released.) HFNetChkPro pulls in Microsoft patches that have been validated by Shavlik's own testing team.Opsware, on the other hand, focuses on heterogeneous servers and network devices such as routers and firewalls.The Transportation Department of San Jose, Calif., started using St. Bernard's UpdateEXPERT software two years ago, according to Clark Owen, a network engineer with the department. "Before that, we had to do [patch deployment] machine by machine for our 100 desktops," he said.The resulting savings in man-hours have been dramatic. Now Owen tells users to leave their systems on at the end of the day and schedules a deployment of patches overnight."It's been very good, I'm pretty comfortable with it," he said. "But I still do the servers manually." Based on the department's experience, San Jose's Police Department recently purchased 2,000 St. Bernard client licenses.But patch management is not a cure-all. As the recent MySQL worm demonstrated, if not properly configured, even fully patched systems can be compromised. The worm took advantage of systems with root accounts that had weak or default passwords, effectively a back door for hackers."Patch tools go after software defects, but those are only 25 percent to 30 percent of your overall vulnerabilities," said Dave Donovan, vice president of public sector for Citadel. Citadel's Hercules software is one of a new breed of tools for automated vulnerability remediation.Several products in this guide let administrators establish a required state for client systems, a combination of patches, configuration settings and active services.AVR software has been adopted by many federal agencies, including the Defense Department. The Defense Information Systems Agency bought enterprise licenses for Citadel and eEye's solutions.But the first line of defense for the average networked agency remains what it has been: well-enforced user policies and standardized systems.

The lowdown

What is it? Patch management software helps systems administrators distribute fixes to operating system software, applications and, in some cases, to system settings without having to manually install them on each system.

How do I decide which computers to patch and which patches to install? Be sure your patch man- agement tool lets you audit networked systems to determine their patch levels and group systems based on how they're used. Some tools provide policy-based management, letting you use a database or directory service to tie security or configuration profiles to systems. If you use directory services to manage other aspects of security and authentication, a directory-based patch system may be a better fit than one that stores information in its own database.

Can't patches break my applications? It's important to study the effects of patches before you roll them out. Some tools include either a local database or a remote knowledge base to help determine which patches are important enough to deploy. Good services also will indicate any known conflicts between a patch and other software, plus any patch dependencies, i.e., what previous patches and other software need to be installed before the patch will work.

Do I need "agent-based" or "agentless" patch management? To scan systems for vulnerabilities, agentless patch management uses a combination of remote software calls and processes that run when a user logs in. They're fine for Windows networks without remote or occasionally connected users. But if you have remote or laptop users who need patches, want to quarantine unpatched systems or want to push patches at will, you'll want an agent-based system, which installs a small program on the client to communicate with the patch management server.

Patch management tools serve for the weekly specials, but they're not the whole enchilada





































S. Michael Gallagher is an independent technology consultant in Baltimore.