Windows Patch Management, PatchLink Update
The most recent articles in our Windows Patch Management series covered patch management products from Shavlik Technologies and BigFix, vendors exemplifying two distinct trends in vulnerability detection, patch deployment, and reporting. The Shavlik programs offer centralized administration without requiring a client-side component, while BigFix Enterprise Suite delivers similar functionality by employing agent software. Despite some benefits of the first approach (most notably, no need for initial agent deployment), the latter type dominates the software market.
From an architecture perspective, the solution implemented in PatchLink Update resembles the approach used in BigFix Enterprise Suite.
Its popularity resulted from a number of advantages, such as better utilization of distributed resources and network bandwidth as well as the capability to deploy software in a compressed format over the network, to resume interrupted downloads without restarting them from the beginning, and to verify patch identity. Next to BigFix, the leading player in this category is PatchLink. PatchLink's flagship product, PatchLink Update, was first introduced in 1996 and is currently in version 6.
PatchLink entered the software market in the early 1990s, which makes it one of the longest-standing providers of patch management products. In addition to maturity, one characteristic distinguishing it from the crowd of vendors is the range of platforms PatchLink Update agents support. These include Windows, Unix (Solaris, IBM AIX, and HP UX), Linux, Macintosh, and NetWare. Bear in mind, however, like with BigFix Enterprise Suite, the cost of supporting non-Windows clients is considerably higher. Server software currently runs on Windows, although the company plans to extend it to Unix and Linux operating systems. While PatchLink Update's primary focus is patch management, it also offers a number of other very useful features, such as general software deployment or policy-based configuration control and auditing.
From an architecture perspective, the solution implemented in PatchLink Update resembles the approach used in BigFix Enterprise Suite. Its focal point is the patch knowledge database PatchLink Update Master Archive. Like PatchLink Update, this product has been around since 1996. It references a wide variety of operating systems, antivirus programs, and general-use applications. PatchLink collects relevant patch information and source files and tests them internally to ensure their quality, discover possible interdependencies, and prevent incompatibility issues. Once the functionality and reliability are verified, fixes are released for distribution to the PatchLink Update Servers (PLUS) residing at customers sites. Servers at these sites must run Windows 2000 SP2 or later with MS IIS and without Microsoft SQL Server or MS Access installed.
The patch distribution process is secured through a number of mechanisms, such as the 128-bit Secure Sockets Layer channel required when communicating with Update Master Archive Web site, and identity and integrity verification against Cyclic Redundancy Checks and digital signatures included in patches. Each patch is assigned a unique, PatchLink-specific identifier in the process referred to as fingerprinting, which is used to determine its presence or applicability to a particular system (this method enables PatchLink to track interdependencies among operating system versions, installed applications, and patches).
Customers choose whether their PLUS will receive updates automatically or whether they will initiate downloads manually (in this case, PatchLink offers notification service whenever updates become available). This can be further customized based on desired download behavior for each patch category. For example, those marked critical are prioritized. In enterprise environments, PatchLink Update servers can be set up in load balanced and highly available configurations, with automatic failover between them. Such servers also use PatchLink's proprietary Secure Background Transfer Service (SBTS) protocol with bandwidth throttling capabilities, which can be used to control network utilization when distributing software in larger environments.
In addition to caching patches tested and approved by PatchLink and distributed in a push or pull fashion, PLUS functions as a central management point. Management functionality is provided through the Agent Management Center console, which has an intuitive interface from which you can discover new client computers (using LDAP-based directory services, including Active Directory and IP subnets), deploy agents to them, and group them based on arbitrary criteria, such as their vulnerability characteristics.
For each group, applicable patches are either deployed manually (each group of deployment targets can be configured with different installation settings) or remediation activities are defined and applied automatically. This results in the immediate deployment of patches to their new members or notification sent to a designated group of administrators in case compliance criteria cannot, for some reason, be met.
You can also collect information about the overall status of the computing environment (e.g., operational characteristics of systems missing a particular patch, such as uptime or agent properties) or installed hardware and software. Administrators can track installed applications and hardware components, patches, and active services via an auditing mechanism that features e-mail notifications about any changes to configuration.
Although the majority of the deployed fixes originate from Patchlink Update Master Archive, PLUS' management console provides the functionality necessary to deploy custom-created patches. In fact, the patch deployment infrastructure built into PatchLink Update can remotely install any type of software (such as standard applications or antivirus updates).
>> Using PLUS