PatchLink Update 6.3
PatchLink Update 6.3 is an agent-based, multiplatform patch management product
that provides agents for Novell NetWare, Mac OS X, Windows, and several Linux
platforms. You use policies to configure the agents to periodically scan for
applicable vulnerabilities. You can then schedule deployments of Packages, which
are patches for one or more vulnerabilities. PatchLink Update runs on Windows
2003 and, like the other products reviewed, can store patch deployment data
in a SQL Server database. PatchLink Update uses SQL Server Express if SQL Server
isn't available.
The evaluation copy of PatchLink Update 6.3 came preinstalled on a VMware virtual
machine (VM). This was a nice touch that made evaluating the product easier.
PatchLink Update uses a patching cycle that begins by downloading an XML file
from PatchLink. This file lists available software patches for the supported
software. You then use the Web-based administrator console to schedule or manually
initiate scans for vulnerabilities. Based on the results of the vulnerability
scan, PatchLink Update distributes patch deployments to agents. The patches
can be prestaged on the server or downloaded from software vendor Web sites
immediately prior to their deployment. PatchLink Update also can roll back patches
after they're installed.
PatchLink Update can accommodate a variety of network topologies by using distribution
points. This lets you locate patch content closer to clients or load-balance
clients across multiple distribution points. PatchLink Update recognizes and
patches vulnerabilities in the supported OSs, Microsoft server and desktop applications,
and other popular applications such as Adobe Acrobat and Flash, Mozilla Firefox,
Apple QuickTime, and WinZip.
In addition to collecting vulnerability information, PatchLink Update performs
an inventory of hardware, services, and installed software. The Web-based interface
displays the inventory organized in several ways and with several summary levels
(as Figure 2 shows), and this data can be exported in CSV, XLS, and XML
formats. Neither of the other products
in this review collected such inventory information.
PatchLink Update is also the only product reviewed that includes an interface
for creating system users and assigning role-based permissions. For example,
you can give an administrator read-only access to PatchLink Update's inventory
data (the Guest role) or full access to a subset of the managed computers.
Even if you've scheduled regular vulnerability scans, PatchLink Update lets
you force a vulnerability scan. That way, when a major software vulnerability
is discovered, you can use an on-demand scan to more quickly identify and deploy
the needed patch.
The PatchLink Update report module is configured with several useful reports.
Included are reports (mentioned above) on hardware, software, and service inventory
along with the usual reports on missing and deployed patches. One particularly
useful report is the Vulnerability Analysis Report, which summarizes several
critical metrics relating to specific unpatched vulnerabilities. All report
data can be exported in CSV, XLS, and XML formats.
The PatchLink Update agent proved tricky to install on the Linux Fedora Core
4 client that I included in my testing. The agent requires the Sun Microsystems
Java Runtime Environment rather than the GNU Java Runtime Environment packaged
with Fedora. This could complicate agent deployment in some environments.
To prevent unauthorized connections to the server, the PatchLink Update agent
requires you to enter the server license key during installation. Windows installs
can use a customized .msi file to automate this step, but it seems unnecessary
to require a license key for a software patching agent.
Overall, I found PatchLink Update to be a capable solution worthy of consideration
for multiplatform enterprises. In fact, it's my pick as the Editor's Choice
product. Its flexible agent software and full set of features will keep a wide
variety of enterprise networks patched and secure.
Summary
PatchLink Update 6.3
PROS: Flexible permissions assignment model, support for distribution points, good reporting, cross-platform support
CONS: Complicated agent install, especially for Linux clients; expensive for UNIX and NetWare clients
RATING: 4 1/2 out of 5
PRICE: $1,495 for a server license, plus $18 per node per year for Windows clients, $75 per node per year for UNIX and NetWare clients, and $33 per node per year for Mac OS X clients
RECOMMENDATION: Recommended for organizations that need multiplatform patch management, flexible administration interface permissions, and complete reporting. Its flexibility makes it my pick for Editor's Choice.
CONTACT: PatchLink • http://www.patchlink.com • 480-970-1025