
I'm looking for advice on what patch management solutions you would recommend based upon your experience. I'm also looking for which ones you would not recommend based upon your experience.

We have a mixed network of Windows and Mac clients. Our central servers are all Windows servers, although I have considered putting in a Mac server to better handle our Mac clients. The issue we are facing currently is that we need to maintain the patches on all of our third-party applications. Right now we use WSUS, which handles patching of Windows and some Microsoft products, but that is about it. I need something to cover the other applications, specifically things like Adobe products (Reader, Flash, Dreamweaver, etc.).

Our network isn't that big (maybe 200 clients) and I don't have a person to dedicate just to patching and maintaining a patch management solution. Thus very large and complicated solutions like System Center are most likely out.

I have recently been looking at Dell's Kace K1000 solution (software.dell.com/products/kace-k1000-systems-management-appliance/). It seems simple and it provides a lot of tools in one package that I would like/need as well. I like the fact that it is self-contained in an appliance and that it is designed for solutions like mine. However, I'm not sure if this is the best solution.

I've also looked some at Shavlik's Netchk solution (http://www.shavlik.com/netchk-protect.aspx) but I don't need an anti-virus product. However, it looks like they might have a very good patch database.

My question is this: What are your thoughts on these two products? Are there better products out there? Are there issues that I'm not considering?

I want something that is very good at patching a broad range of products, that is simple to use, that takes a minimal amount of management (like WSUS), and that (hopefully) works with Mac and Windows.

Lenwood
IAmTimCorey

4 Answers


I've used Lumension Patchlink for Windows machines, but I see it supports most modern client OSes. It worked just fine; any of these products has the potential to be moderately complex, however.

mfinni
  • Thanks for the feedback. I'll look into Patchlink. I understand about the potential for complexity. I just want to avoid the very complex systems. I've looked over System Center, for example, and that seems ridiculous. They try to do everything, which means nothing is simple. I want something more targeted towards a business like mine (small with a small staff to manage it). – IAmTimCorey Jun 24 '11 at 15:30

For Windows, I'm using WSUS the same way you are, and WPKG (link to another plug I made for WPKG) for other software updates.

WPKG has a good Wiki where people have contributed their settings for various packages, but ultimately you're responsible for verifying and/or working out the install, upgrade, downgrade, and remove commands for each package as needed.

For the Macs, I'd look at either Apple Remote Desktop or Puppet.

Mike Renfro
  • Interesting link on WPKG. I'll have to look into that as a supplemental system. I would rather have an automated system if possible for the majority of my patch configuration and deployment. However, it is a very interesting solution. Thanks. – IAmTimCorey Jun 25 '11 at 21:54
  • WPKG is automated in that you can run a service, a computer startup script, etc. that will ensure the right packages and latest versions are on given classes of machines. Not sure what other kind of automation you'd be interested in. – Mike Renfro Jun 25 '11 at 22:53
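To make concrete what "working out the install, upgrade, downgrade, and remove commands for each package" looks like in WPKG, here is an added example of a single package definition in the packages.xml format. It is not Mike Renfro's code and not a file from the WPKG wiki; the package id, the `%SOFTWARE%` share variable, the installer file name, the install path and the version string are all assumptions, not verified values for any real Adobe Reader release.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of a WPKG package definition; not from the answer author or the WPKG wiki.
     Package id, paths, file names and version strings are assumptions, not verified values. -->
<packages:packages xmlns:packages="http://www.wpkg.org/packages">

  <!-- revision: bump it whenever a new installer is dropped on the share. A changed revision
       is what makes WPKG run the <upgrade> block on machines that already have the package. -->
  <package id="adobereader"
           name="Adobe Reader (example package)"
           revision="2011062401"
           reboot="false"
           priority="10">

    <!-- %SOFTWARE% is assumed to be defined in config.xml as the share holding the installers. -->
    <variable name="AR_MSI" value="%SOFTWARE%\adobe\AcroRead-example.msi" />

    <!-- Check: WPKG treats the package as present only when the executable on disk reports a
         file version at or above this value. An older version fails the check, so the machine is
         flagged as needing the install/upgrade; this is also how WPKG verifies the install worked. -->
    <check type="file"
           condition="versiongreaterorequal"
           path="%ProgramFiles%\Adobe\Reader 10.0\Reader\AcroRd32.exe"
           value="10.1.0" />

    <!-- Unattended MSI install. Exit code 3010 means "installed, reboot pending"; listing it keeps
         WPKG from recording the run as a failure, and reboot="false" suppresses an immediate reboot. -->
    <install cmd='msiexec /qn /norestart /i "%AR_MSI%"'>
      <exit code="0" />
      <exit code="3010" reboot="false" />
    </install>

    <!-- Same command works for an in-place upgrade of an MSI-based product. -->
    <upgrade cmd='msiexec /qn /norestart /i "%AR_MSI%"'>
      <exit code="0" />
      <exit code="3010" reboot="false" />
    </upgrade>

    <!-- Removal when the package is taken out of a machine's profile. -->
    <remove cmd='msiexec /qn /norestart /x "%AR_MSI%"' />
  </package>

</packages:packages>
```

The package is assigned to machines through a profile, for example `<profile id="workstations"><package package-id="adobereader" /></profile>` in profiles.xml, and the WPKG client run from a service or startup script then reconciles each machine against its profile. The point of the `<check>` element is worth emphasising for a patching workflow: it is the only thing that tells WPKG whether a host actually ended up at the wanted version, so writing it against the real file version (rather than just "an uninstall entry exists") is what turns WPKG's run log into usable evidence that a third-party patch landed.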

I think Secunia CSI may be worth a try, although I'm not sure about the pricing fitting your scale.

Edit: Secunia CSI is in fact a network vulnerability scanner, but it provides the links to the patches corresponding to the vulnerabilities it finds, including third party ones, and then lets you apply them almost automatically on your network through your WSUS or SCCM.

joechip
  • Thanks for the information. From what I can see, this is more for vulnerability scanning rather than patch management. It looks like you have to develop your own patch packages to put into this system. Am I correct or did I miss something? I would prefer a system that would say "Check this box to keep Adobe Reader updated" or something like that (like what WSUS does). I would like it to download the patches and apply them automatically (if I allow it from the console). – IAmTimCorey Jun 28 '11 at 20:38
  • Secunia CSI does not distribute the patches itself, but rather it very easily packages the third party patches into your WSUS or SCCM by just pointing and clicking. Watch [this](http://www.youtube.com/watch?v=OPoCNhuLxsU) at around 4:20. – joechip Jun 28 '11 at 21:44
  • Got it. Thanks for the update. I'll look into this solution further. Thanks. – IAmTimCorey Jun 28 '11 at 23:38

You mention having checked out Shavlik Netchk, but have you looked at it.shavlik.com? It is their SaaS patch management offering. The cost for 250 machines is $1500 per year, and currently they are offering a 3-year subscription at $2250.

We use the Netchk product to do patch management on about 1100 workstations. We are extremely happy with it. It is very easy to setup and maintain. It really takes very little effort on our part. The patch management engine is great and in fact most other products out there actually license and use the Shavlik engine.

TimS
  • Thanks for the information, Tim. Is there a client you install? What type of management is involved with the patching? Have you found that there are areas that you are missing (not being patched)? Does it work well with laptop users who aren't always connected? – IAmTimCorey Jul 01 '11 at 15:04
  • Shavlik supports both agentless and agent-based scanning. We use a mixture of both. We also use Shavlik on our servers, and for the majority of these we do not install the agent. Some servers exist in network segments where the needed ports for agentless cannot be opened, and for these we do install the agent. On the workstations we use the agent. Agentless does scans at a frequency you define, and if a workstation is disconnected (such as a traveling laptop) or has been shut down the scan will fail. With the agent, the agent does the scan and contacts the server, so it solves this issue. – TimS Jul 01 '11 at 19:52
  • Our biggest gripe for the longest time was that it didn't support patching Adobe Air. The latest versions do and the gripe is gone. We are patching a variety of Microsoft products, Acrobat, Flash, AIR, Java, Skype, Firefox, and Safari. That covers 98 - 99% of our apps. The rest we address using another tool. Shavlik could be used to push out custom patches for these but mostly for historic reasons we don't do so. Occasionally we do hit patching failures on particular machines but they have always been due to an issue on the machine versus any Shavlik issue. – TimS Jul 01 '11 at 20:08
  • Thanks so much. That is exactly the kind of feedback I was looking for. It makes it much easier to make a clear decision. – IAmTimCorey Jul 01 '11 at 23:58