Windows Patch Management, PatchLink Update

October 20, 2004

The most recent articles in our Windows Patch Management series covered patch management products from Shavlik Technologies and BigFix, vendors exemplifying two distinct trends in vulnerability detection, patch deployment, and reporting. The Shavlik programs offer centralized administration without requiring a client-side component, while BigFix Enterprise Suite delivers similar functionality through agent software. Despite some benefits of the agentless approach (most notably, no initial agent deployment), agent-based products dominate the market.

The agent-based approach owes its popularity to a number of advantages, such as better utilization of distributed resources and network bandwidth, the capability to deploy software in compressed form over the network, the ability to resume interrupted downloads rather than restarting them from the beginning, and the ability to verify patch identity. Next to BigFix, the leading player in this category is PatchLink. PatchLink's flagship product, PatchLink Update, was first introduced in 1996 and is currently in version 6.

PatchLink entered the software market in the early 1990s, which makes it one of the longest-standing providers of patch management products. In addition to maturity, one characteristic distinguishing it from the crowd of vendors is the range of platforms its agents support: Windows, Unix (Solaris, IBM AIX, and HP-UX), Linux, Macintosh, and NetWare. Bear in mind, however, that as with BigFix Enterprise Suite, the cost of supporting non-Windows clients is considerably higher. The server software currently runs only on Windows, although the company plans to extend it to Unix and Linux. While PatchLink Update's primary focus is patch management, it also offers a number of other very useful features, such as general software deployment and policy-based configuration control and auditing.

From an architecture perspective, the solution implemented in PatchLink Update resembles the approach used in BigFix Enterprise Suite. Its focal point is the patch knowledge database, the PatchLink Update Master Archive, which, like PatchLink Update itself, has been around since 1996. It covers a wide variety of operating systems, antivirus programs, and general-use applications. PatchLink collects the relevant patch information and source files and tests them internally to ensure their quality, discover interdependencies, and prevent incompatibility issues. Once functionality and reliability are verified, fixes are released for distribution to the PatchLink Update Servers (PLUS) residing at customer sites. A PLUS must run Windows 2000 SP2 or later with Microsoft IIS, on a machine that does not already have Microsoft SQL Server or Access installed.

The patch distribution process is secured through a number of mechanisms: a 128-bit Secure Sockets Layer channel is required when communicating with the Update Master Archive Web site, and patch identity and integrity are verified against the Cyclic Redundancy Checks and digital signatures included with the patches. Note that a CRC only detects accidental corruption; an attacker who alters a file can simply recompute its CRC, so it is the digital signature, not the checksum, that protects against tampering. Each patch is also assigned a unique, PatchLink-specific identifier in a process referred to as fingerprinting. The fingerprint is used to determine whether a patch is present on, or applicable to, a particular system, and it lets PatchLink track interdependencies among operating system versions, installed applications, and patches.
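The verification chain described above, as an added example rather than PatchLink's own code (PatchLink's actual manifest format, identifier scheme and key handling are not documented here; the field names, the sample payloads and the use of Ed25519 in place of the vendor's signature scheme are assumptions): an archive publishes a signed manifest carrying the patch identifier, a CRC and a SHA-256 digest; the client validates the signature before trusting any manifest field; and a CRC-forging routine shows why the CRC alone must never be relied on for integrity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"hash/crc32"
)

// Manifest is the metadata published alongside one patch. The field set is an
// assumption made for this example, not PatchLink's real format.
type Manifest struct {
	PatchID string `json:"patch_id"` // vendor-assigned identifier (the "fingerprint")
	Product string `json:"product"`  // what the patch applies to
	CRC32   uint32 `json:"crc32"`    // detects accidental corruption only
	SHA256  string `json:"sha256"`   // cryptographic digest that decides integrity
}

// SignedManifest is the serialized manifest plus the archive's signature over
// exactly those bytes; clients hold only the archive's public key.
type SignedManifest struct {
	Manifest, Signature []byte
}

// BuildManifest computes both integrity fields for a payload.
func BuildManifest(patchID, product string, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	return Manifest{PatchID: patchID, Product: product,
		CRC32: crc32.ChecksumIEEE(payload), SHA256: hex.EncodeToString(sum[:])}
}

// SignManifest is the archive side: serialize, then sign the bytes.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// VerifyPatch is the client side. The signature is checked before any manifest
// field is trusted; the CRC is only a cheap corruption check; the SHA-256 digest
// is what establishes that the payload is the file the archive signed.
func VerifyPatch(pub ed25519.PublicKey, sm SignedManifest, payload []byte) (Manifest, error) {
	if !ed25519.Verify(pub, sm.Manifest, sm.Signature) {
		return Manifest{}, errors.New("manifest signature invalid: not signed by the archive key")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return Manifest{}, fmt.Errorf("manifest unparsable: %w", err)
	}
	if crc32.ChecksumIEEE(payload) != m.CRC32 {
		return Manifest{}, errors.New("crc mismatch: corrupted in transit, re-download")
	}
	if sum := sha256.Sum256(payload); hex.EncodeToString(sum[:]) != m.SHA256 {
		return Manifest{}, errors.New("digest mismatch: payload is not the signed file")
	}
	return m, nil
}

var ieee = crc32.MakeTable(crc32.IEEE)

// ForgeCRC32 shows why a CRC is not an integrity control: it appends four bytes
// to data so that crc32.ChecksumIEEE(result) == target. After four bytes the CRC
// register depends only on the four table indices used, so they are found
// backwards from the target and the bytes producing them are chosen forwards.
func ForgeCRC32(data []byte, target uint32) []byte {
	var rev [256]byte // top byte of a table entry -> its index (a bijection)
	for i := 0; i < 256; i++ {
		rev[ieee[i]>>24] = byte(i)
	}
	want := target ^ 0xFFFFFFFF // undo the final XOR that ChecksumIEEE applies
	var idx [4]byte
	for i := 3; i >= 0; i-- {
		idx[i] = rev[want>>24]
		want = (want ^ ieee[idx[i]]) << 8
	}
	reg := crc32.ChecksumIEEE(data) ^ 0xFFFFFFFF // current CRC register
	out := append([]byte(nil), data...)
	for i := 0; i < 4; i++ {
		b := byte(reg) ^ idx[i] // makes byte(reg)^b == idx[i]
		out = append(out, b)
		reg = ieee[byte(reg)^b] ^ (reg >> 8)
	}
	return out
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	patch := []byte("constructed sample payload, not a real patch")
	sm, _ := SignManifest(priv, BuildManifest("PL-EXAMPLE-1", "Example Product 1.0", patch))
	_, err := VerifyPatch(pub, sm, patch)
	fmt.Println("genuine payload:", err)
	evil := ForgeCRC32([]byte("constructed substituted payload"), crc32.ChecksumIEEE(patch))
	_, err = VerifyPatch(pub, sm, evil) // passes the CRC check, fails on the digest
	fmt.Println("substituted payload with forged CRC:", err)
	raw, _ := json.Marshal(BuildManifest("PL-EXAMPLE-1", "Example Product 1.0", evil))
	_, err = VerifyPatch(pub, SignedManifest{Manifest: raw, Signature: sm.Signature}, evil)
	fmt.Println("rewritten manifest:", err)
}
```

Run it with go run: the substituted payload carries the CRC recorded in the manifest and is rejected only by the digest, and a manifest rewritten to match it is rejected by the signature because the attacker lacks the archive's private key. The order of checks matters in practice: nothing read from the manifest, including the expected checksum, is trusted until the signature over it has verified.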

Customers choose whether their PLUS receives updates automatically or whether they initiate downloads manually (in the latter case, PatchLink offers a notification service that announces when updates become available). Download behavior can be further customized per patch category; for example, patches marked critical are prioritized. In enterprise environments, PatchLink Update servers can be set up in load-balanced, highly available configurations with automatic failover between them. These servers also use PatchLink's proprietary Secure Background Transfer Service (SBTS) protocol, whose bandwidth throttling controls network utilization when distributing software in larger environments.

In addition to caching patches tested and approved by PatchLink and distributing them in push or pull fashion, PLUS functions as the central management point. Management is performed through the Agent Management Center console, an intuitive interface from which you can discover new client computers (through LDAP-based directory services such as Active Directory, or by IP subnet), deploy agents to them, and group them by arbitrary criteria, such as their vulnerability characteristics.

For each group, applicable patches are either deployed manually (each group of deployment targets can be configured with different installation settings) or remediation rules are defined and applied automatically. Automatic remediation results in immediate deployment of patches to new group members, or in a notification to a designated group of administrators if the compliance criteria cannot, for some reason, be met.

You can also collect information about the overall status of the computing environment (e.g., operational characteristics of systems missing a particular patch, such as uptime or agent properties) and about installed hardware and software. Administrators can track installed applications, hardware components, patches, and active services via an auditing mechanism that sends e-mail notifications about any configuration changes.

Although the majority of deployed fixes originate from the PatchLink Update Master Archive, the PLUS management console also provides the functionality needed to deploy custom-created patches. In fact, the patch deployment infrastructure built into PatchLink Update can remotely install any type of software, such as standard applications or antivirus updates.

>> Using PLUS

PatchLink Update's scalability is based on a hierarchical software distribution model known as PatchLink Distribution Point technology (a similar approach is offered by a number of other products, most notably Microsoft SMS and SUS and BigFix Enterprise Suite). The model includes one or more layers of Distribution Point servers, which serve as intermediaries between PLUS and its clients. Intelligence built into the client agents allows them to automatically locate the closest server and use it for patch deployment, resulting in lower bandwidth utilization, faster deployment, and increased redundancy. Downloads are performed in the background and can be resumed (rather than restarted from the beginning) should they be interrupted.

Agents deliver a number of other functions, such as inventorying locally installed hardware and software (in addition to keeping track of installed patches) and installation monitoring. The latter enables rapid determination of the installation outcome, which is reported back to PLUS, and facilitates rollback and uninstallation through a checkpoint mechanism.

One of the unique features implemented through agents is the capability to quarantine vulnerable systems until the appropriate patches are applied. This capability, called "End-Point Security Management," isolates and remediates systems that do not meet the policy-based criteria defined on PLUS. Agents also allow flexibility in deployment by providing configurable levels of user control over deployment behavior; for example, administrators can specify whether users may postpone installation or reboot. Agent status can be verified via a Control Panel applet.

Installation of agents can be automated according to an arbitrarily defined policy. By performing repeated network scans, PLUS can detect systems without client software and trigger their automatic setup (a less intrusive option, in which the administrative team is merely notified about such systems, is also available). Similarly, mobile computers, which might remain outside the corporate intranet for extended periods, are scanned and updated as soon as connectivity to PLUS is re-established.

Administering PLUS is a more granular process than with Shavlik or BigFix. It is based on predefined and custom-created roles (such as manager, operator, or guest) and secured by a password required to access the administrative console. Some of the rights and permissions associated with these roles are predefined (e.g., the administrative pages of the console are available to administrators only), while others are customizable (e.g., a role can be limited to a specific set of computers).

For more information and evaluation software, refer to PatchLink's Web site at www.patchlink.com.