Random Entry: The Convergance of Physical and Information Security
< Demsoc Meeting | Quality of Life Survey >
< Demsoc Meeting | Quality of Life Survey >
Last night while reading around my project for my draft proposal I suddenly felt very stupid.
I had not checked to see if other people were workingon this problem and how they solved it. After some cursory googling I managed to find quite a lot.
This guy started it.
http://www.infoworld.com/article/03/04/04/14winman_1.html
Client-Server
http://www.patchlink.com/company/about.html
Cross-platform software adds support for Windows 95, 98, Me, and NT, as well
as Unix, Linux, AIX, Solaris, and NetWare. Update automates more than 200
vendors' upgrades, including those of McAfee, Sophos, and Symantec. The
product costs $1,295 for a server version, plus about $11 per machine per year
(at a volume of 1,000 seats).
http://www.bigfix.com/solutions/what_we_fix.html
M$ only. BigFix sends only small delta files across your network and is
configurable with numerous modules. It's $2,500 for a server plus $10 per
machine annually for its Patch Manager component.
No-Agent
http://www.shavlik.com/pHFNetChkPro.aspx
M$ only. Scans for vunerabilities and applies patch'es over SUS. It's $16 per
seat, or use the free, "light" starter version. Close collaboration with M$.
http://www.stbernard.com/products/updateexpert/products_updateexpert.asp
Same as above, but no additional software uses IIS and SQL. It costs about $9
per year.
http://www.securitybastion.com/
Free download. Service Pack Manager patches Windows NT/2000/XP plus Exchange,
Outlook, etc. no extra programs. It's about $20.
http://www.gfi.com/lannetscan/
M$ only. Security Scanner and patch deployment. Around $500.
http://www.configuresoft.com/product_sum_overview.htm
http://www.configuresoft.com/product_sum_howitworks.htm
M$ only, and M$ patches only. The second link had a pretty picture.
More:
http://www.ecora.com/ecora/products/patchmanager.asp
http://www.landesk.com/
http://www.marimba.com/
http://www.novadigm.com/
http://www.opsware.com/
http://www-306.ibm.com/software/tivoli/
After reading all of this I was quite put down. I did notice that there were three types of patch management SUS however.
Security Expert Discussion
http://www.computerworld.com/networkingtopics/networking/story/0,10801,88833p2,00.html
""Effective" patch management tools are those that meet your organization's
process requirements. Most organizations have complex workflows that prescribe
testing, dictate patch applicability, control scheduling and even throttle
bandwidth use. There are three classes of tools for deployment: free
patch-management services, patch management point tools and configuration
management tools.
Free services include vendor-provided services (Windows Update) as well as
Microsoft's SUS. These tools automate deployment but have limited
functionality, are not comprehensive and do not include reporting.
Patch management point tools allow patches to be downloaded and applied on a
granular basis to specific subsets of machines, on a scheduled basis. These
tools tend to be very quick to set up and do not require specialized skills.
But features and cost vary: Products may or may not require agents, and they
may or may not have limited testing and rollback capability and rich reporting
capabilities. Examples include Shavlik Technologies' HFNetChkPro, St. Bernard
Software's UpdateExpert, Configuresoft's Security Update Manager, Ecora's
Ecora Patch Manager, and PatchLink's PatchLink Update.
Configuration management tools encompass many functions, including inventory
and metering, operating system installation and configuration, and software
installation and configuration. These tools tend to require expertise to set
up and manage and often have detailed reporting and very advanced
functionality such as testing and rollback. They tend to be expensive but
extremely sophisticated. Among them are products from LANDesk, Marimba,
Novadigm, Opsware, Microsoft and IBM Tivoli.
The optimal solution combines tools, people and process to provide overlapping
coverage and better overall risk mitigation. You might augment a patch
distribution tool with tighter configuration management (i.e., locking down
client and server configurations) and investigate ways to effectively
quarantine systems that do not meet a baseline patch level on the LAN and over
VPN."
-"Avanade Inc.'s responses were contributed by Christopher Burry, technology
infrastructure practice director and Avanade fellow; Rick Birkenstock, Western
region technology infrastructure practice director; Ryan McCune, MCSE in the
technology infrastructure practice; and David Bleecker, senior systems
engineer. Avanade is a Seattle-based integrator for Microsoft technology
that's a joint venture of Accenture Ltd. and Microsoft."
This lead me to a cool drawing which has had some great ideas thrown at it. I hope to elaborate on those soon.
This guy started it.
http://www.infoworld.com/article/03/04/04/14winman_1.html
Client-Server
http://www.patchlink.com/company/about.html
Cross-platform software adds support for Windows 95, 98, Me, and NT, as well
as Unix, Linux, AIX, Solaris, and NetWare. Update automates more than 200
vendors' upgrades, including those of McAfee, Sophos, and Symantec. The
product costs $1,295 for a server version, plus about $11 per machine per year
(at a volume of 1,000 seats).
http://www.bigfix.com/solutions/what_we_fix.html
M$ only. BigFix sends only small delta files across your network and is
configurable with numerous modules. It's $2,500 for a server plus $10 per
machine annually for its Patch Manager component.
No-Agent
http://www.shavlik.com/pHFNetChkPro.aspx
M$ only. Scans for vunerabilities and applies patch'es over SUS. It's $16 per
seat, or use the free, "light" starter version. Close collaboration with M$.
http://www.stbernard.com/products/updateexpert/products_updateexpert.asp
Same as above, but no additional software uses IIS and SQL. It costs about $9
per year.
http://www.securitybastion.com/
Free download. Service Pack Manager patches Windows NT/2000/XP plus Exchange,
Outlook, etc. no extra programs. It's about $20.
http://www.gfi.com/lannetscan/
M$ only. Security Scanner and patch deployment. Around $500.
http://www.configuresoft.com/product_sum_overview.htm
http://www.configuresoft.com/product_sum_howitworks.htm
M$ only, and M$ patches only. The second link had a pretty picture.
More:
http://www.ecora.com/ecora/products/patchmanager.asp
http://www.landesk.com/
http://www.marimba.com/
http://www.novadigm.com/
http://www.opsware.com/
http://www-306.ibm.com/software/tivoli/
After reading all of this I was quite put down. I did notice that there were three types of patch management SUS however.
- Client/Server
- Security Scanner & Patcher
- Full configuration manager
Security Expert Discussion
http://www.computerworld.com/networkingtopics/networking/story/0,10801,88833p2,00.html
""Effective" patch management tools are those that meet your organization's
process requirements. Most organizations have complex workflows that prescribe
testing, dictate patch applicability, control scheduling and even throttle
bandwidth use. There are three classes of tools for deployment: free
patch-management services, patch management point tools and configuration
management tools.
Free services include vendor-provided services (Windows Update) as well as
Microsoft's SUS. These tools automate deployment but have limited
functionality, are not comprehensive and do not include reporting.
Patch management point tools allow patches to be downloaded and applied on a
granular basis to specific subsets of machines, on a scheduled basis. These
tools tend to be very quick to set up and do not require specialized skills.
But features and cost vary: Products may or may not require agents, and they
may or may not have limited testing and rollback capability and rich reporting
capabilities. Examples include Shavlik Technologies' HFNetChkPro, St. Bernard
Software's UpdateExpert, Configuresoft's Security Update Manager, Ecora's
Ecora Patch Manager, and PatchLink's PatchLink Update.
Configuration management tools encompass many functions, including inventory
and metering, operating system installation and configuration, and software
installation and configuration. These tools tend to require expertise to set
up and manage and often have detailed reporting and very advanced
functionality such as testing and rollback. They tend to be expensive but
extremely sophisticated. Among them are products from LANDesk, Marimba,
Novadigm, Opsware, Microsoft and IBM Tivoli.
The optimal solution combines tools, people and process to provide overlapping
coverage and better overall risk mitigation. You might augment a patch
distribution tool with tighter configuration management (i.e., locking down
client and server configurations) and investigate ways to effectively
quarantine systems that do not meet a baseline patch level on the LAN and over
VPN."
-"Avanade Inc.'s responses were contributed by Christopher Burry, technology
infrastructure practice director and Avanade fellow; Rick Birkenstock, Western
region technology infrastructure practice director; Ryan McCune, MCSE in the
technology infrastructure practice; and David Bleecker, senior systems
engineer. Avanade is a Seattle-based integrator for Microsoft technology
that's a joint venture of Accenture Ltd. and Microsoft."
This lead me to a cool drawing which has had some great ideas thrown at it. I hope to elaborate on those soon.
Trackbacks
Trackback specific URI for this entry
No Trackbacks