November 25, 2003 12:00 AM

Enterprise Patch Management for Windows

Find help for managing security patches
Windows IT Pro
InstantDoc ID #40710

Application Security
When installing a patch-management solution, the last thing you want is to introduce more security holes to your network. Because a patch manager has a wide reach across an enterprise, it must be secure.

Patch managers must obtain patches and patch information databases from a reliable source and must ensure that they're working with original, unmodified files. Most of the products had strong security features. BigFix Patch Manager uses a public key encryption system for which the company issues its own certificates. Although someone might be able to gain access to the application and view hotfix information, he or she can't take any action without knowing the certificate's credentials. HFNetChkPro uses extra caution by checking not only signatures on the XML files and downloaded patches but also on each of the application's executables.
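The two checks described above, a content hash against the patch catalog plus a signature on the downloaded executable itself, can be reproduced on a Windows host with standard cmdlets. The script below is an added example and is not code from the article or from any of the products it reviews; the catalog entries, file paths and hash values are constructed placeholders, and the expected signer subject is an assumption the operator would fill in from their own vendor's certificate.

```powershell
# Added example (not from the article or any vendor): confirm that a downloaded
# hotfix is the original, unmodified file before a patch manager deploys it.
# Two independent checks are applied:
#   1. the file's SHA-256 matches the value listed in the patch catalog, and
#   2. the file carries a valid Authenticode signature from the expected signer.
# Both must pass; the function reports which one failed and why.

function Test-PatchIntegrity {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        [Parameter(Mandatory)] [string] $ExpectedSubjectPattern
    )
    $result = [ordered]@{ Path = $Path; HashOk = $false; SignatureOk = $false; Reason = '' }

    if (-not (Test-Path -LiteralPath $Path)) {
        $result.Reason = 'file not found'
        return [pscustomobject]$result
    }

    # Check 1: content hash against the catalog entry (case-insensitive hex compare).
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $result.HashOk = ($actual -eq $ExpectedSha256.ToUpperInvariant())
    if (-not $result.HashOk) {
        $result.Reason = "SHA-256 mismatch (got $actual)"
        return [pscustomobject]$result
    }

    # Check 2: Authenticode chain must validate and the leaf certificate must
    # belong to the signer we expect, not merely to any trusted publisher.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $result.Reason = "signature status $($sig.Status)"
        return [pscustomobject]$result
    }
    if ($sig.SignerCertificate.Subject -notmatch $ExpectedSubjectPattern) {
        $result.Reason = "unexpected signer $($sig.SignerCertificate.Subject)"
        return [pscustomobject]$result
    }
    $result.SignatureOk = $true
    $result.Reason = 'ok'
    return [pscustomobject]$result
}

# Constructed sample catalog: paths, hashes and the signer name are placeholders,
# not values taken from any vendor's XML feed. In a real deployment the catalog
# itself would be signature-checked before its hashes are trusted.
$catalog = @(
    [pscustomobject]@{
        Path   = 'C:\PatchCache\KB-PLACEHOLDER-1.exe'
        Sha256 = '0000000000000000000000000000000000000000000000000000000000000000'
        Signer = 'CN=Example Patch Vendor'   # assumption: replace with the real subject
    }
)

foreach ($entry in $catalog) {
    Test-PatchIntegrity -Path $entry.Path `
                        -ExpectedSha256 $entry.Sha256 `
                        -ExpectedSubjectPattern ([regex]::Escape($entry.Signer)) |
        Format-Table -AutoSize
}
```

The hash check catches a file that was altered or corrupted in transit; the signer check catches a file that is validly signed but by the wrong party, which a bare `Status -eq 'Valid'` test would accept. Checking the catalog's own signature first, as the article notes HFNetChkPro does for its XML files, is what makes the hashes in it worth comparing against.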

One problem with agentless patch managers is that Windows doesn't encrypt much of the information queried from network hosts. To properly secure this type of traffic, you need to implement IP Security (IPSec) or some other encryption between the scanning server and network hosts.

Scalability
Scalability is a vital concern for some administrators. The products we tested differed widely in their ability to scale to different environments. When evaluating patch-management solutions, consider the following criteria:

  • How many end-user systems will you manage?
  • How many administrators will use the patch manager?
  • How many patch-manager consoles will you need?
  • How will you segment your network for patch management?
  • How much bandwidth do you have available?
  • How much time do you want to spend managing the patch manager?

Of all the products tested, BigFix Patch Manager was the most scalable, with PatchLink Update following close behind. BigFix designed Patch Manager with scalability in mind; each console can efficiently handle up to 15,000 clients. BigFix Patch Manager also uses relays to establish multiple patch distribution points across a network. Although the other solutions don't have fixed limits for the number of clients they can support, they're not well suited for handling more than 5000 clients per console; however, you can break up the network into segments and manage each segment with a separate console.

Reporting
BigFix Patch Manager, Service Pack Manager 2000, and SysUpdate had the most flexible and useful reporting options. Most of the others had some reporting features but had limitations on output format, features, or interactivity. BigFix Patch Manager provides a user-friendly Web-based reporting module filled with features such as filtering, custom fields, charting, interactive links, and exporting to Microsoft Excel. Service Pack Manager 2000's template-based reporting provides many of these same features without the Web interface. SysUpdate uses Crystal Decisions' Crystal Reports for its reporting engine, allowing for powerful reporting options if you have access to the Crystal Reports Designer. HFNetChkPro also provided powerful reporting capabilities with flexible report criteria and numerous export formats.

Although not all the products have advanced reporting features, they all provide an export feature so that you can use an external reporting mechanism. And many of the products allow ODBC access to their scan databases, providing further options for custom reporting.

Our lab tests didn't single out one overall winner; some products are simply better suited for certain environments. Consider your requirements for flexibility, accuracy, deployment, product coverage, security, scalability, and reporting and compare them with the feature comparison in Web Table 1. Patch management is an industry still in its infancy, and plenty of room for improvement exists, but we've come a long way from where we were just a few years ago. The number of patch-management solutions is growing, and each solution is growing in features and reliability. The hard part is finding the solution that's right for your environment.



Patch-Management Software Vendors
BigFix * 510-652-6700 * http://www.bigfix.com

Ecora * 603-436-1616 * http://www.ecora.com

Gravity Storm Software * 858-792-0162 * http://www.securitybastion.com

PatchLink * 480-970-1025 * http://www.patchlink.com

SecurityProfiling * 765-420-7227 * 888-645-3676 * http://www.securityprofiling.com

Shavlik Technologies * 651-426-6624 * http://www.shavlik.com

St. Bernard Software * 858-676-2277 * http://www.stbernard.com


Comments
  • Anonymous User
    8 years ago
    Dec 15, 2004

    I work with PatchLink, it is a great tool. If you need to use it on several computers, the solution is to change the computer name and reinstall the agent...

  • Anonymous User
    8 years ago
    Oct 28, 2004

    This blows

  • Jimi Thompson
    8 years ago
    May 26, 2004

    1) SUS Blows!! All it does is give you your very own copy of http://v4.windowsupdate.microsoft.com/en/default.asp. If you're looking for something more than "Critical Updates" and "Recommended Updates" look somewhere else.

    2) Most products either have a prohibitive price tag or a prohibitive feature set. If someone wanted to cash in, they'd have a product with a good feature set, some purchasable add ons (like a good help desk system) and sell it for cheap.

  • Joe Crowe
    8 years ago
    May 11, 2004

    Just a quick response to Brandon Pack's comment....you can use Patchlink with Ghost....there are instructions on the Patchlink site.

  • anonynous
    8 years ago
    May 03, 2004

    the computer business is finished and is for losers nowadays...i'm going to law school
