Eleven solutions to help handle a crucial IT responsibility
In these days of infectious computer viruses, rampant spyware, and endless spam, keeping systems patched is a crucial aspect of an IT pro's job. In the enterprise, the sheer size of the business and the multitude of desktops and servers that require updates make a patch-management product that minimizes the amount of time required to evaluate, test, and deploy patches indispensable.
This month's Buyer's Guide lists 11 enterprise patch management products. To make the guide specific to the typically heterogeneous environment of large businesses, we include only products that manage updates for both non-Windows and Windows OSs. Vintela Management Extensions appears with Microsoft Systems Management Server (SMS) as a single solution. For those who wonder why well-known patch-management vendor Shavlik Technologies doesn't appear in the print Buyer's Guide, it's because Shavlik doesn't offer one product that patches both Windows and non-Windows OSs. But Shavlik's HFNetChkPro and HFNetChkPro for Solaris are included in our online version of the Buyer's Guide.
Each listed solution also patches applications (e.g., Microsoft SQL Server, Exchange, Office). All the products let you schedule patch installation to minimize workflow disruption; assign client computers to groups and approve patches for each group individually; and roll back patches—if those patches support rollbacks.
The most bandwidth-efficient way to distribute updates to numerous clients is to first download the updates to local patch servers. In addition to letting you configure patch servers, all the solutions included here support selective patch downloads, letting you download to patch servers only patches you've approved for distribution.
Some products offer features that others don't. For example, some vendors offer a patch-verification service that tests updates before you apply them. If you need this feature, you'll want to find out whether the service tests patches from all or just some third-party vendors and whether it's included in the product's price.
Bandwidth throttling can give you a measure of control over bandwidth use. Some products let you set a limit on the bandwidth used to download patches to a patch server; others let you control the bandwidth clients use to download patches from the patch server. Support for tiered patch servers—separate update servers located at branch offices—let you deploy updates to remote users at LAN speeds while retaining the ability to centrally manage patch distribution across all servers by client or by user.
Most products in this guide will alert you should a patch fail to install, and many products give you some control over post-patch reboots. Available options include rebooting automatically after patch installation, rebooting the client after the user logs off, specifying a maximum interval between patch installation and reboot, or scheduling a reboot. A couple of products even offer a snooze option that lets a user defer a reboot.
One important consideration is how a product installs updates on remote and VPN clients. Some products treat remote and local clients similarly, but most support bandwidth throttling to minimize the impact of patch deployment on the client's network connection. A few let you configure remote clients to download only patch metadata or approvals from a corporate patch server, then obtain the patch itself directly from the vendor. PATCHLINK UPDATE even lets remote users delay deployment until a high-speed connection is available or until after hours.
All the products in this guide use agents, but some make them optional. Although agents give you another piece of software to manage, they often minimize bandwidth use, can scan continuously, and might provide better protection for roaming users and offline systems by letting clients obtain an update directly from the vendor when they can't connect to a patch server. If you're concerned about the potential vulnerability an agent introduces, look for a product that includes security controls to minimize the risk of introducing rogue patches through the agent. Techniques used include MD5 hashing, public key infrastructure (PKI), encryption, checksums, and digital-signature verification.
Enterprises always have IT projects waiting on the back burner until resources are available. But patch management is perpetually simmering on a front burner. A management product can help you ensure that the pot doesn't boil over from lack of attention and can even free up time for some of those back-burner projects.