Taking care of patches

SecurityProfiling Inc. has a simple, four-step model for taking care of patches: You install a SysUpdate OnSite Server, put client programs on each workstation on the network, plug the Anti-Vulnerability Management Console into a Microsoft Corp. Windows workstation, and you're ready to go.

Once we had the management console installed on a workstation, we connected remotely to the vendor's servers and started an update to our Microsoft Desktop Engine database. It only took about three minutes to update our database of patches.

We liked the simple interface for configuring security policies. SysUpdate is relatively undemanding of hardware resources. Small and even midsize organizations should not have to buy expensive servers.

We liked the granular control that the Anti-Vulnerability Management Console gave us over each workstation group's enforced patch, software and settings templates. And we also liked the use of the Microsoft Management Console (MMC) for the Anti-Vulnerability Management Console, the software's administration program. Use of this interface greatly reduces the learning curve for this product.

For all its ease of use, there are a few things we would have liked to see in SysUpdate. For starters, we would have liked to see some integration with Microsoft's Active Directory.

It's also worth noting that on more than one occasion, when the management workstation became low on resources, the Anti-Vulnerability Management Console crashed. We consider this event to be merely a caution not to overload the management workstation. The OnSite servers and clients were stable, so this should not affect production.

Finally, we disagree with SysUpdate's use of plain HTTP rather than secure and encrypted HTTPS for communication across the Internet between the customer's OnSite servers and the vendor's remote-update servers. Fortunately, all communications between the OnSite server and the clients used strong encryption.

Deploying SysUpdate

The SysUpdate servers can each support 10,000 clients. But when implementing this product in the real world, the physical layout of your local- and wide-area networks will come heavily into play. Cost and complexity will grow in direct proportion to the number of remote locations in the network.

If you have a large, heterogeneous network, this product may not fit your organization. Given the layout and organization of the Anti-Vulnerability Management Console, we have serious reservations about whether it can scale to meet the needs of a network consisting of 10,000 or 25,000 computers.

Nevertheless, we must qualify our criticism by saying that, compared to other patch-management products we have evaluated on the market today, the SysUpdate suite is high quality.

Greer is a network analyst at a large Texas state agency. Bishop operates PeoplesInformation.com, an Internet consulting firm. They can be reached at egreer@thecourageequation.com.