Patch Management using ZENworks for Servers 3
Novell Cool Solutions: Feature
By Ron Tanner
Digg This -
Posted: 22 May 2003
Since the beginning of the computer program there have been vulnerabilities and bugs in the software. Now that our servers are connected through networks and the Internet and the complexity of our system has exploded, the possibility of the exploitation of software vulnerabilities is at an all-time high.
We are all familiar with virus scanners and understand the need to keep our files cleaned from the pesky infections so we don't continue to have problems. Beyond those viruses, however, are holes in our running software that allow those viruses to get into our system in the first place.
Operating Systems vendors are constantly running to plug up any holes that exist to keep our systems safe. And don't forget our enterprise software. It also has bugs and loopholes that let your adventurous hacker slip right into your most sensitive information.
So far in 2003, according to Security Focus, Microsoft has had over 45 vulnerabilities reported in their software; Sun has had 36 and Oracle has reported 3. In 2002 these same companies had 395 vulnerabilities. All of these required patching of our servers and application software.
NWFusion magazine, in an article in October 2002, states, "Patch Management is one of the prickliest, and most costly, problems network executives face today."
SneakerNet Patch Management
Today, if you are doing patch management, you are probably using SneakerNet (running around in your Keds, manually patching each of your servers). Many systems administrators today have to keep the patch state of each server either mentally or manually - an impossible task.
Network Fusion says, "?many network administrators essentially tracked patch status in their head, fixing holes on the fly. But in the past 2 years, the sheer complexity of networks and number of patches have rendered this approach ineffective."
Let's take a quick calculation. Say you are the administrator of a small network of 25 servers. These servers also hold several of your corporate applications. Based on the number of patches sent in the last year, you will have about 2-5 patches to apply to each of these servers every working day. That's 125 installations and reboots to get each of these servers up-to-date each and every day. Assuming a rapid 1 hour for each installation, reboot and making sure the server is back and running, not to mention traveling to each of the server closets, you can't even get it all done in a single day.
The problem is NOT that you cannot get a patch for the vulnerability. The problem is getting it to all of your servers in a timely fashion and keeping track of which patches have been applied to which servers.
This became most apparent with the latest worm attach of Slammer, the fastest spreading virus ever recorded, infecting 300 machines in the network a second. Patches that Microsoft had released 6 months earlier fixed the vulnerability that allowed Slammer to work; however, most had not applied the patches. Even Microsoft itself had not applied the patches and became infected with Slammer.
ZENworks for Servers 3
ZENworks for Servers 3 can help you through your patch management nightmare. ZfS 3 will automate the delivery and installation of any patches to servers in your network, inside or outside the firewall. ZENworks will also give you alerting information, logs and reports to help you keep up on which servers have what patch and when it was delivered.
How Does ZfS3 Do It?
ZfS3 uses a technology called TED (Tiered Electronic Distribution) to efficiently deliver any size package to a NetWare, Windows, Linus, or Solaris server. Once the package is there, TED will call agents on each of these platforms to extract the package and install it on the local server. TED then reports back any status on the delivery and extraction of the package.
These status packets are stored into a central database repository. From there you can extract reports to know if a particular patch has been delivered and extracted on a specific server or across your entire network.
ZfS3 Patch Management
Now a system administrator that is lucky enough to have ZfS3 installed has a much better handle on his patches. The administrator will have a channel setup to provide patches. This channel will have all subscribers (target servers) subscribing to the patches channel.
When a new patch is delivered to the administrator, they only need to create a Distribution and place that distribution into the channel. ZfS3 will automatically take that Distribution and send it to all the appropriate subscribers (Windows servers get Windows patches, Linux servers get Linux patches, etc.). The subscribers will receive the patch and apply it to their local server, reporting back status of the delivery.
If it takes you 2 hours to create the Distribution (that includes lunch), then it would take you about 10 minutes to start ZfS3 off on applying your 5 patches to all of your servers. That's 123 hours of savings. Not to mention the report you can produce to prove that the patches have been delivered.
ZENworks for Servers 3 can really save your bacon!
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com