Windows Patch Management, St. Bernard’s UpdateEXPERT

Unlike the vendors whose products we looked at earlier in this series, St. Bernard Software did not start off in the patch management market. Its initial customer base was built for its Open File Manager program, middleware software that resolves the problem of backing up files open for use. Its success was followed by the introduction of UpdateEXPERT patch management solution, which is currently in version 6.3 and will be the subject of this article. Other St. Bernard products are the iPrism and ePrism product lines, which monitor and filter Internet Web browsing and e-mail traffic, respectively.

We conclude our overview of Windows patch management solutions with a look at UpdateEXPERT, a unique offering that allows agent-based and agentless implementations, as well as implementations with a mix of both.

Like the products from PatchLink and Bigfix that we recently covered, UpdateEXPERT supports multiple operating systems: Windows (NT, 2000, XP, and 2003), Red Hat Linux (versions 7.3, 8, and 9), and Solaris (versions 8 and 9), as well as a wide range of Microsoft applications and services, including Exchange and SQL Server, Terminal Services, Windows Media Services, and Microsoft Office.

As we discussed throughout our series, patch management products generally belong to one of two categories, depending on whether they rely exclusively on centrally operated systems for software deployment and inventory or whether this functionality is supplemented with client-resident agent software. Although a majority of vendors favor an agent-based philosophy in their solutions, since its benefits considerably outweigh its drawbacks (for a more detailed discussion on this subject refer to one of our earlier articles), St. Bernard took a unique approach to this issue: It allows both agent-based and agentless implementations, as well as implementations with a mix of both.

This flexibility has implications on the way UpdateEXPERT operates that must be recognized and considered at the design stage. As with other previously presented products, UpdateEXPRESS’ architecture is multilayered, which helps make it scalable (although its scalability is more limited than that of BigFix’s or PatchLink’s products because of the lack of an intermediate distribution layer). At the top of the hierarchy, the vendor manages a central database, which continuously checks for updates of all patched products, downloads newly released ones, and tests them independently using its own processes. Following the comprehensive testing, which includes cross-referencing new and existing patches, each new one, along with associated metadata (such as checksums, which are used to preserve integrity and identity, designation of its intended targets, or its dependencies and conflicts with other patches) is distributed to management servers (constituting the second layer of hierarchy), residing on customers’ premises.

Management servers running “Master Agent” software constitute an entry point for regular updates from St. Bernard and are the central point for customers’ internal patch management (including deployment and inventory collection). Its features are accessed via one or more management consoles (consoles can be installed on any Windows NT or later system with reliable network connectivity to the system running Master Agent). It serves as an interface for tasks like initiating scans (for both agent and agentless target systems), defining policies (UpdateEXPERT relies on policy-based management, which categorizes target systems according to their characteristics and specifies set of actions that will be applied to them), and generating patch inventory reports.

Targets can be discovered through a network-based scan (using specific IP ranges or subnets), by collecting computer information stored in Active Directory, or manually (either one-by-one or en masse by importing specially formatted text files). It is also possible to leverage existing Active Directory groups when setting a scope for deployment or policy definition (administrator-defined groups can also be created directly with the management console). Policies automate patch deployment by triggering installation whenever criteria defined within them result in a match for target computers. You can, for example, define a patch baseline applicable to all clients that satisfies a specific set of conditions (such as an operating system version or software installed on them) and deploy missing patches to all of them in one step (UpdateEXPERT will inform of missing prerequisites or potential issues, if applicable). Reporting reflects patch installation results, which are determined by an exhaustive examination of relevant file characteristics (such as checksum, size, or version information) in the form of Conformance Reports, summarizing discrepancies between the patch level of each computer and its corresponding baseline.

Operations performed by the Master Agent can be supplemented by optional “Leaf Agents” running on target systems (forming base levels of the hierarchy). Leaf Agents are installed using either Agent Install Wizard from a management console or locally by executing the Agent Installer program included with the product’s main installation program. Decisions regarding target selection for where Leaf Agents should be installed is arbitrary and changes from one environment to another, depending on the requirements. In particular, client agents are intended for situations where machines are locked down (via restricted administrative access or through the use of encryption), reside behind firewalls (in environments like a DMZ), operate disconnected from a corporate network for an extended amount of time (a common situation when one considers laptops or other computers used for remote access), or are located on remote network segments (where agents offer more efficient bandwidth utilization and can offload Master Agents in some of the patch-related tasks). They are also more secure, since they communicate with the Master Agent via a PKI-encrypted TCP/IP connection.

>> Deploying UpdateEXPRESS