Product Reviews

Patch Possibilities

The latest version of Patch Manager is a solid performer with exquisite reporting capabilities.

• By David W. Tschanz
• 11/01/2005

If you don't have a patch management system set up in your enterprise today, your boss should fire you for criminal negligence. No matter how diligent you are, you're eventually going to miss an important patch, and the results can be catastrophic. Systems will be infected, shut down and die torturous deaths as their 0s and 1s evaporate into thin air. It's the stuff to end promising IT careers.

Over the past 18 months, we've written extensively about the value of effective patch management and how to best automate the process (see "Grunt Work," Redmond Roundup, November 2004 and "The 10 Essential Rules of Patch Management," February 2005). The coverage has exposed a key issue in automated patch management—the relative merits of agent-based versus agentless architecture.

The Great Agent Debate
Some patch management products are "agentless" and work directly with each client system (Shavlik is one example). Others use software agent modules installed on each client (such as PatchLink and BigFix). Some agents are always active, while others are active only when needed. Each approach has its pros and cons, and proponents of both agent-based and agentless architectures view their respective positions with the fervor of religious zealots.

Using agents can be very effective, especially when your patch management system has to communicate through a firewall. Agents can also detect bandwidth, so you don't try to push a 10MB patch down a dial-up connection. However, some feel that using agents is cumbersome. You have to install them on clients and there is always the possibility of conflicts with other software.

The principle advantage of using an agentless architecture is ease of deployment. The patch server typically scans the network for patches that are ready to be deployed, and sends them out where appropriate. There are drawbacks, however. The scanning process can miss machines that are powered down or disconnected from the network. If your network is equipped with access-control devices like firewalls, these can prevent or interrupt server and workstation dialog. Sophisticated users can also inhibit patch relevance scanning. As a result, agentless architectures are usually best suited for smaller networks, static networks or networks with few mobile users.

Ecora has opted to work with both architectures. Like previous versions, Patch Manager 4.0 will automatically identify and patch both server and workstation operating systems. The key change is that this new version adds an agent option. It had formerly been a strictly agentless application. The new deployment options expand the scope of patch management to include machines best served by agents, such as laptops that connect to the network infrequently, remote machines on slow connections, locked down workstations and servers located in DMZ environments.

Figure 1. After surveying your network, Patch Manager gives you exhaustive details on the patch status of all your client systems. (Click image to view larger version.)

Proper Patching
Patch Manager is agentless by default. To add the Agent Manager, you'll have to follow a few additional steps, either as part of the setup wizard or through the setting dialog box. Once that's installed, Patch Manager conducts its usual discovery and scanning process to review systems for content and patch status. This process is straightforward and remarkably smooth.

Figure 2. Patch Manager gives you a graphical representation showing the percentage of your network's systems that are compliant with your patch policies. (Click image to view larger version.)

The new version has a lot of features—some are essential and others are more in the bells and whistles category. Ecora's Sure-Scan technology helps ensure accurate analysis of missing patches by dynamically updating its database to include the most current patch status information for your network. Patch Manager uses both registry and file integrity checks to analyze your systems.

REDMOND RATING Documentation 10% 8 Installation 10% 8.5 Feature Set 20% 8 Performance 20% 8 Management 20% 8 Patch Management 20% 8 Overall Rating: 8 —————————————— Key: 1: Virtually inoperable or nonexistent 5: Average, performs adequately 10: Exceptional

Another Ecora technology, 3-D Patch Views, gives you a quick, bird's eye view of your patch status. Sortable displays let you see which critical patches are missing and/or installed in the network environment by host, application or patch. Both Sure-Scan and 3-D Patch Views worked well in our testing.

I was pleased to see that Ecora included two essential elements for testing and removing patches. The first new feature is Test Center, which lets you test patches before deployment. The Test Center also lets you designate a model or "reference" system against which you can compare updated systems. This way you always have a reference system to check the original system state prior to deploying patches. The Patch Rollback feature automates the removal of patches, which is vital for recovering from patch-induced conflicts.

Alerting is another necessary feature for any patch solution. Patch Manager 4.0 will alert you about any of a number of events, including whether there are any patches missing or if a patch installation failed.

The Repository Manager lets you schedule patch downloads to specified repositories. This lets you maintain an environment where patches are always available for immediate deployment.

The Policy Manager lets you create rules about how you want your systems configured. You can also set policies that apply different levels of strictness for applications you consider most critical to the organization or at highest risk of vulnerability. It also gives you a snapshot of whether or not your systems comply with your standards. You can configure Patch Manager 4.0 to automatically patch any systems that are not in compliance.

The Ten Commandments of Patching 1. Security patches are a fact of life. 2. It does no good to patch a system that was never secure to begin with. 3. There is no patch for bad judgment. 4. You can't patch what you don't know you have. 5. The most effective patch is the one you don't have to apply. 6. A service pack covers a multitude of patches. 7. All patches are not created equal. 8. Never base your patching decision on whether or not you have seen an exploit code, unless you have actually seen an exploit code. 9. Everyone has a patch management strategy, whether they know it or not. 10. Patch management is really Risk Management. Source: Microsoft

I've saved the best for last. Ecora Patch Manager 4.0 truly stands apart from the competition with its exceptional reporting capability. The Reporting Center is a Web interface that gives you an intuitive way to query the Patch Manager database. You can make the URL accessible to anyone who can access the system hosting the reporting center.

There are 25 base report formats. You can also manipulate each report—meaning you really have thousands of report templates from which to choose. An elegant user interface makes building compelling reports a simple task. If you need accurate reports that are easy to read for administrators or top level management, no one is in the same league.

Ecora's Patch Manager 4.0 has some solid features and an exceptional reporting system that make it well worth a look.