ZENworks® Patch Management with PatchLink
Objectives
 Business issues with patch management
 ZENworks Patch Management as a solution
 Architecture
 Integration and deployment
Business Issues of Patch Management
 Threat of attacks from viruses, worms, spyware etc.
   SecurityFocus reported 223 vulnerabilities in Microsoft products alone in 2003 - http://www.securityfocus.com/
   174 reported as of October 2004
 Cost and time needed for obtaining and applying updates
   Many hours spent just looking for patches and updates
 Loss of productivity due to business continuity failures
Patch Management Drivers
 Increasing security “incidents”
 Poor processes
 Incomplete patch deployments
 Increasing patch counts, including apps
 Not addressed by software giants
Supporting data:
 Over 90% of the security exploits are carried out through vulnerabilities for which there are known patches.
 Microsoft has released roughly 1.38 patches per week since January 2002, all products included.
 During a 6-12 month period, approximately 20% of machines become “unpatched”.
 Fewer than 5% of organizations have a “satisfactory automated patch management solution”.
[Bar chart: Reported Vulnerabilities per year, 2000 to Q1 2006; steady upward trend from 2000 to 2006]
Sources: Microsoft and CERT Coordination Center data
Total vulnerabilities reported 1995-Q1 2006: 24,313
http://www.cert.org/stats/
A Continuous Cycle of Infection
[Line chart: weekly x-axis across 2003-2004, y-axis 0-70; series: Sasser, CodeRed, Nachi, Blaster]
Why Security Patch Management?
 Phenomenal increase in security “incidents”
   An increase of 620% from 2000
 Ever increasing patch counts
   Microsoft has released an average of 1.38 patches per week since January 2002, all products included
 You're accountable!
   Over 90% of the security exploits are carried out through vulnerabilities for which there are known patches.
 Are you really patched?
   During a 6-12 month period, approximately 20% of machines become “unpatched”
 Remediation window shrinking
   The time to protect has decreased from 30 days to just a few
[Bar chart: Reported Network Security Incidents (1,000's), 2000 to 2003]
Sources: Microsoft, Deloitte, and CERT Coordination Center data
Current Climate
Most InfoSec Organizations are Overwhelmed
Base = 1,395. Data: Secure Enterprise Security Deployment Survey, October 2004
The Problem
The problem is NOT that you cannot get the patch for the vulnerability.
The problem is twofold:
1. Knowing about the patch, its severity and its applicability to your environment
2. Getting it to all of your servers and workstations
Slammer worm – the fastest-spreading virus ever recorded, infecting 300 machines in the network a second. Patches for Slammer were released by Microsoft 6 months earlier.
Sneakernet Patching
Sneakernet = running around, manually patching each server and desktop and then verifying the patch (e.g. Windows Update)
Network Fusion says:
“...many network administrators essentially tracked patch status in their head, fixing holes on the fly. But in the last 2 years, the sheer complexity of networks and number of patches have rendered this approach ineffective.”
Sneakernet - Do The Math
 Medium-sized corporate network: 10 servers, 1000 desktops
 Average patches: 2 per week
 Installations + reboots = 404 per day
 Assume a fast 5-minute apply and patch: ~17 hours
 You need to spend 17 hours each day to apply patches!
ZENworks Patch Management
 ZENworks Patch Management automates the process:
   Notification and acquisition of the patch
   Displays applicable machines
   Distribution to targeted devices with flexible scheduling
   Maintains patch integrity
Patch Management Lifecycle
[Cycle diagram; stages shown: Acquire Patch, Research, Report, Monitor, Plan, Defend, Detect, Test, Deploy, Pilot, Rollout]
Patch Information
ZENworks Patch Management provides extensive patch information:
 Know the vulnerabilities addressed
 Know the severity of the risk
 Know if the patch is applicable to you
Also:
 Full dependency resolution
 Superseded patch prevention
Architecture Overview
[Diagram with three labelled components: Patch Source (Microsoft, Novell, Adobe, many others!), Patch Server, Admin Console]
Agent-Based Architecture
Security and flexibility
Using the same administrative user IDs and passwords across all devices is a big risk!
ZENworks Patch Management agent provides:
 No NetBIOS ports required to be open outside the firewall
 Bidirectional initiation of updates
 Full scheduling engine
 Support for intermittently connected users
Platform Support
PatchLink Server runs on Windows 2000/2003 Server
Desktop support:
 Windows 98, NT, 2000 and XP
Server support:
 Windows NT, 2000 and 2003 Servers
 NetWare® 4.11 and later
Patch support:
 Microsoft, Novell, Adobe, Real, Macromedia, Corel, McAfee, Sophos, Authentium, Command, Oracle, Sybase, Citrix, IBM, Compaq, Dell, Apple, CA, Symantec, SAP and Norton
Target Selection
 Know which devices need updates
 Manage individually, by group or by policy
   Policy defines required patches for all devices in your organization
 Automated compliance
Scheduling Options
Patch on your schedule:
 Exact time that patches are applied
 When to check for new patches
 How many devices to patch at once
 Server-initiated overrides
Reporting
 Know the state of your organization
   Graphical reports indicate status
   Where are you safe
   Where are you vulnerable
   Device success or failure
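The patch information slide (full dependency resolution, superseded patch prevention), the policy-driven target selection and the reporting view above can be modelled together. This is an added example, not ZENworks or PatchLink code; the Patch data model, the CATALOG with placeholder patch ids and the DEVICES inventory are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Patch:
    pid: str
    severity: str
    requires: tuple = ()    # prerequisite patch ids (must be installed first)
    supersedes: tuple = ()  # older patch ids this patch replaces

# Constructed sample catalog; ids are placeholders, not real bulletins.
CATALOG = {p.pid: p for p in [
    Patch("SP2", "Critical"),
    Patch("KB-A1", "Important", requires=("SP2",)),
    Patch("KB-A2", "Critical", requires=("SP2",), supersedes=("KB-A1",)),
    Patch("KB-B1", "Moderate", requires=("KB-A2",)),
]}

def resolve(pid, catalog=CATALOG):
    """Superseded patch prevention: follow the supersedes chain to the newest replacement."""
    newest = {old: p.pid for p in catalog.values() for old in p.supersedes}
    while pid in newest:
        pid = newest[pid]
    return pid

def plan(required, installed, catalog=CATALOG):
    """Dependency resolution for one device: ordered patch ids to deploy so that
    every required patch (or its replacement) ends up present, prerequisites
    first, nothing superseded and nothing already installed."""
    order, done = [], set()
    def visit(pid, stack=()):
        pid = resolve(pid, catalog)
        if pid in done or pid in installed:
            return
        if pid in stack:
            raise ValueError(f"dependency cycle at {pid}")
        for dep in catalog[pid].requires:
            visit(dep, stack + (pid,))
        done.add(pid)
        order.append(pid)
    for pid in required:
        visit(pid)
    return order

def compliance(devices, policy, catalog=CATALOG):
    """Reporting view: device name -> patches still missing (empty = compliant)."""
    return {name: plan(policy, installed, catalog) for name, installed in devices.items()}

if __name__ == "__main__":
    DEVICES = {"ws01": {"SP2", "KB-A1"}, "ws02": set(), "srv01": {"SP2", "KB-A2", "KB-B1"}}
    print(compliance(DEVICES, policy=("KB-A1", "KB-B1")))
```

Note that ws01 already has KB-A1 installed, yet the plan still deploys KB-A2: the policy entry is resolved to its replacement, so the device is not reported safe on the strength of a superseded patch.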
Why Riverview Chose ZENworks PatchLink
 Cost is always a significant factor for all schools…
AND
How is Novell's PatchLink priced?
 Take the number of FTE students and multiply by US$0.50
   In our case 1530 FTE @ AU$0.70 = $1071.00
   Allows 1530 workstations/servers to be patched
 Subscription to patches valid for a year
 Patches included: Microsoft, Adobe, Macromedia, Mozilla, WinZip, etc.
 Additional subscriptions can be obtained
Summary
 Full support of appropriate platforms
 Automated patch acquisition
 Detailed information about the patch
 Fully integrated security
 Robust agent-based architecture
 Applicable target management and selection
 Scheduling options
 Strong reporting
 Role-based management
 Minimum required patch conformance
ZENworks Patch Management (1)
Dedicate a Windows 2000 + SP2 or 2003 Server to host your installation
 Does not need to be a member of the domain
 Needs to be a clean, vanilla server with IIS
 Connection to the Internet
ZENworks Patch Management (2)
Copy the Patch Management agent
 Include the agent as an Application Object in ZENworks
 Use the Deployment Agent Wizard to roll the agent out via a domain
 Individual installation
ZENworks Patch Management (3)
Allow devices to register and perform analysis, and the server to retrieve patch information
 Analyze the managed devices
 Transmit information to the ZENworks Patch Management server
 Generate vulnerability reports
ZENworks Patch Management (4)
Review vulnerability reports and deploy patches
 Review which patches are required for your environment
 Select patches to deploy
Configuration set on the server determines how often the agent will contact the Patch Server.
The agent uses patented technology to keep resource consumption down to approximately 8% on the workstation. Because of the CPU throttling, the agent will not consume the entire connection while retrieving patches, and it will remain fairly undetectable to the user.
In a basic installation of the ZENworks Patch Management server you will receive the MSDE engine for database support. This will support ~200 client devices. To grow larger, you must install MS SQL Server on the Patch Server; this can allow support for up to 10,000-15,000 client devices. For good performance on a 5,000-device server, a dual-processor, 4GB machine is recommended.
Each server in your environment is an independent installation. They do not know about or cooperate with one another.
Each server requires its own key. This key is also provided to each agent as it is installed. The agent cannot be moved to another patch server without uninstalling the agent and reinstalling with the other server's key.
Only Novell ZENworks Patch Management keys will work with ZENworks Patch Management software, and Novell software will only work with Novell keys.
Contact Details
David Hayes
Manager of Information Services
Saint Ignatius’ College, Riverview
Tambourine Bay Road, Lane Cove, NSW 2066
Phone (02) 9882 8513 Fax (02) 9882 8588
Web www.riverview.nsw.edu.au Email [email protected]