Product Group Tests

Patch management (2005)

by Peter Stephenson April 11, 2005

GROUP SUMMARY:

We have found ourselves with a tie for Best Buy. Red Hat Network picks up one of the honors for the way it makes patching Red Hat Linux environments simple and hassle-free, while Symantec's ON iPatch does an equally impressive job of managing Microsoft environments.

Patching is a particular bane in admin and support lives, but there's no need for this to be the case any more. Modern patch management can take the weight off IT's shoulders, explains Robert Jaques.

No piece of software is completely bug-free. And as software gets more complex and the code-base larger, it just means that there are more bugs. Not surprisingly, this means that there are more updates designed to fix problems.

While tools such as Microsoft's Windows Update make it easy for consumers to keep their PC right up to date with the latest patches, running a network is a much more complicated business.

First, there is the question of testing the patches before installation. While an update might fix one problem, there is always the chance that the fix will break another piece of your software. There is also the chance you are not using the particular bit of the application that needs to be updated, so do not really need the update, either.

Then there is the case of security. Updates do not just fix breaks in the software; they also often close security holes, helping to protect your network. It is clear that a download-and-hope-for-the-best approach is not going to work when it comes to updates.

Once you have validated a patch, there is the problem of deciding how to roll it out. Traditional software deployment methods do not offer enough flexibility, so, for this test, we have tested nine patch management applications that will help you control updates as and when you need them. While free tools, such as Microsoft's HFNetChk, already do part of the job, we are looking for applications that go above and beyond its capabilities.

We used our test network and got each piece of software to scan our computers. While most software can happily tell which patches a computer does and does not have, we want more than that.

Patch management is, as the name says, about managing the process. A simple list is what the free tools give. We are looking for more, including the ability to get more information when needed.

For example, if an update for XP is released, it is important to find out what it fixes and which computers it affects. Patch management software should give simple access to this information, so that you can begin your patch testing procedure and ensure compatibility with your systems.

The scanning is one of the most important aspects of this type of software. As well as detailing what needs to be installed, the scanner has to offer a certain degree of flexibility in how it works.

While RPC-based scanning might do well on small networks with a few computers, larger networks will be more interested in distributed agents.

Agents take the load off the network and force the local PC to examine itself, which is usually quicker and more scalable. Agents also have the advantage that they can be installed in remote sites and, provided you update your firewall rules, managed remotely.

People with lots of branch offices will be much happier with agent-based scanning. We have examined each product to see the scanning options it has available.

The larger the network, the better the organization needs to be. You will probably want to logically divide the network into groups, such as, at the top level, workstations and servers. Both groups obviously have to be treated in a different way, so we wanted to see how the software can deal with these different needs.

One of the most important aspects of this kind of software is how it deals with the deployment of patches. We were particularly interested in how the software dealt with building lists of required patches – when you have a new PC on the network, you need to make sure it is running a required list of updates.

Once this list exists, we looked at how powerful the distribution tools are. It is easy enough to force a remote installation of an update using admin rights, but we need smarter tools than that.

If you are updating a server, the software needs to take into account any running services that might have to be stopped. We were also interested in how it dealt with reboots. In particular, some distribution software is smart enough to order the patch installations to minimize the number of reboots.
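To make the last three points concrete (building the required-patch list for a host, stopping and restarting affected services, and ordering installations so that reboots are coalesced), here is a small planner written for this review. It is an added illustration, not code from any of the products tested, and the patch catalogue, patch identifiers and service names in it are constructed examples rather than real Microsoft updates.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Patch:
    patch_id: str
    reboot: bool                        # True if the host must restart before the patch is in effect
    depends_on: Tuple[str, ...] = ()    # patches that must be fully applied (rebooted if needed) first
    services: Tuple[str, ...] = ()      # services to stop before install and restart afterwards


# Constructed sample catalogue: identifiers and service names are made up for this example.
CATALOG: Dict[str, Patch] = {
    "OS-001": Patch("OS-001", reboot=True),
    "OS-002": Patch("OS-002", reboot=True, depends_on=("OS-001",)),
    "OS-003": Patch("OS-003", reboot=False),
    "IIS-010": Patch("IIS-010", reboot=False, services=("W3SVC",)),
    "SQL-020": Patch("SQL-020", reboot=True, depends_on=("OS-001",), services=("MSSQLSERVER",)),
}


def missing_patches(required: Iterable[str], installed: Set[str],
                    catalog: Dict[str, Patch]) -> List[str]:
    """Return the baseline patches a host lacks, with dependencies pulled in,
    in an order where every patch appears after the patches it depends on."""
    needed: List[str] = []
    seen: Set[str] = set()

    def visit(pid: str) -> None:
        if pid in seen or pid in installed:
            return
        seen.add(pid)
        for dep in catalog[pid].depends_on:   # post-order walk gives a dependency-respecting order
            visit(dep)
        needed.append(pid)

    for pid in required:
        visit(pid)
    return needed


def build_plan(missing: List[str], installed: Set[str],
               catalog: Dict[str, Patch]) -> Tuple[List[str], int]:
    """Produce an ordered list of steps (stop/install/start/reboot) and the reboot count.

    Patches whose dependencies are still waiting on a reboot are deferred to a later
    pass, so one reboot serves every patch installed in the same pass instead of one
    reboot per patch."""
    steps: List[str] = []
    reboots = 0
    applied: Set[str] = set(installed)   # fully in effect on the host
    pending_reboot: Set[str] = set()     # installed, but not in effect until the next reboot
    queue = list(missing)

    while queue:
        deferred: List[str] = []
        for pid in queue:
            patch = catalog[pid]
            if any(dep not in applied for dep in patch.depends_on):
                deferred.append(pid)     # a prerequisite is not yet in effect; retry after a reboot
                continue
            for svc in patch.services:
                steps.append(f"stop {svc}")
            steps.append(f"install {pid}")
            for svc in reversed(patch.services):
                steps.append(f"start {svc}")
            if patch.reboot:
                pending_reboot.add(pid)
            else:
                applied.add(pid)
        if deferred:
            steps.append("reboot")       # one reboot makes every pending patch effective
            reboots += 1
            applied |= pending_reboot
            pending_reboot.clear()
        queue = deferred

    if pending_reboot:                   # final reboot for whatever was installed in the last pass
        steps.append("reboot")
        reboots += 1
    return steps, reboots


def naive_reboot_count(missing: List[str], catalog: Dict[str, Patch]) -> int:
    """Reboots a one-patch-at-a-time rollout would trigger, for comparison."""
    return sum(1 for pid in missing if catalog[pid].reboot)


if __name__ == "__main__":
    baseline = ["OS-002", "OS-003", "IIS-010", "SQL-020"]   # required list for the host group
    host_has = {"OS-003"}                                    # what the scan reported as installed
    todo = missing_patches(baseline, host_has, CATALOG)
    plan, count = build_plan(todo, host_has, CATALOG)
    print("missing:", todo)
    for step in plan:
        print("  ", step)
    print(f"reboots: {count} (naive rollout: {naive_reboot_count(todo, CATALOG)})")
```

With the constructed catalogue, three of the four missing patches need a reboot, but the planner installs OS-001 and IIS-010 together, reboots once, then installs OS-002 and SQL-020 and reboots once more, so the host restarts twice rather than three times. The same structure (baseline minus reported inventory, dependency closure, deferral until prerequisites are in effect) is what you should look for in a product's deployment tooling, whatever its user interface calls it.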

Finally, we looked at the support. While supporting Microsoft OSs is likely to be most important, that is not the end of the story.

Applications such as IIS and SQL Server also have patches available, so we looked at the support offered. But it is not just a Microsoft world, so we looked at other OSs and application support. This is usually limited to supporting a version of Solaris/Linux, but any additional support is welcome, particularly in large environments.

With this group test, we will take you through the available options, helping you keep on top of your patch deployments.
