The patching game
by Eric Vasbinder

Scalable processes and automated supporting tools are needed for effective patch management.

As networks have grown in complexity and businesses have, in turn, grown more reliant on their IT infrastructures to support critical business processes, network staffs have been faced with the additional problems posed by malicious attacks and reliability issues. Device vendors, in a furious race to solve these issues as they arise, have increasingly resorted to the “patch cycle” tactics that seem familiar to those people experienced with similar issues on the desktop and server side of the IT house.

This, unfortunately, creates the new and nearly as problematic concern of OS image management: how can time- and resource-constrained network personnel manage the myriad updated images that are available, detect in a timely fashion which devices need to be updated, and then quickly update them? These issues are made worse by the fact that many enterprise networks are not confined to one geographical location but span several data centers housing network devices from many manufacturers.

Even organizations with one approved equipment vendor may have multiple devices running at least several device images across each model type. In this type of an environment, the difficulty of tracking image requirements and ensuring trouble-free deployments almost guarantees extensive time and resource demands.

Addressing these issues in a cost-effective manner is a paramount need for IT. Solutions can be reduced to two main concepts: scalable processes must be in place that enable a quick triage of both vulnerabilities and infrastructure, and automated supporting tools must be used to alleviate the manual task load of patch management.

To preserve the reliability and stability of the network, IT environments should maintain a high level of “patch freshness.” Equally important is that IT resources be allocated based on both the criticality of the data and network infrastructure being protected, as well as the projected frequency and impact of the threats themselves. This “risk-based approach” can help network staff effectively triage the various device image updates, while at the same time reducing the time needed to perform updates.

An example is a recent vulnerability in OpenSSL that affected only those organizations that had left hypertext transfer protocol over Secure Sockets Layer (HTTPS) enabled as a means of managing the affected devices. Organizations that disabled that management protocol as a matter of policy did not need to go through the image-update fire drill; they merely had to ensure that the policy to disable HTTPS was consistently enforced.

Additionally, as the prevalence of service-level agreements between business partners and departments increases, senior management needs to support the network patch-management processes and to provide guidance for balancing the daily service demands of the entire enterprise against the security risks posed by vulnerabilities.

While triaging vulnerabilities and evaluating the criticality of infrastructure can eliminate redundant and unnecessary network patch-management activities, it cannot reduce the amount of labor inherent in the process of managing and upgrading OS images across the many devices in a distributed environment; centralized, group-based management is a must.

To enable this triage process, organizations should have procedures and tools in place that can provide them with timely and accurate device-configuration information. Without this information, a patch-management process loses most of its effectiveness. Additionally, these technical solutions and tools should give organizations the ability to automate many of the manual steps that take place when upgrading device images and tracking device versions over time.
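The risk-based triage described above (allocate effort by device criticality and by whether the exposure condition, such as HTTPS management, is actually present, as in the OpenSSL case) and the dependency on accurate configuration data can be made concrete in a small inventory triage script. This is an added example, not code from the column or from Rendition Networks; the inventory, the vulnerability record, the version format and the field names (`mgmt_protocols`, `fixed_in`, `requires_protocol`) are all constructed assumptions.

```python
"""Risk-based patch triage over a network device inventory.

Added example (not the column's or Rendition Networks' code). The inventory,
the vulnerability record and all field names are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Criticality of the infrastructure a device protects drives priority.
CRITICALITY_RANK = {"high": 3, "medium": 2, "low": 1}


@dataclass
class Device:
    name: str
    model: str
    image: Optional[str]                  # None: no timely configuration data collected
    mgmt_protocols: Optional[frozenset]   # enabled management protocols; None: unknown
    criticality: str


@dataclass
class Vulnerability:
    name: str
    model_prefix: str                 # affected platform family (assumed naming)
    fixed_in: str                     # first image version that contains the fix
    requires_protocol: Optional[str]  # exposed only when this protocol is enabled


def parse_version(version: str) -> tuple:
    """Dotted numeric versions compare correctly as integer tuples ('12.10' > '12.9')."""
    return tuple(int(part) for part in version.split("."))


def triage(device: Device, vuln: Vulnerability, policy_disabled: frozenset) -> dict:
    """Decide the action for one device; higher priority means act sooner."""
    if not device.model.startswith(vuln.model_prefix):
        return {"device": device.name, "action": "not-affected", "priority": 0}
    if device.image is None or device.mgmt_protocols is None:
        # Without accurate configuration data no decision is possible: collect it first.
        return {"device": device.name, "action": "collect-config",
                "priority": CRITICALITY_RANK[device.criticality]}
    if parse_version(device.image) >= parse_version(vuln.fixed_in):
        return {"device": device.name, "action": "not-affected", "priority": 0}
    exposed = (vuln.requires_protocol is None
               or vuln.requires_protocol in device.mgmt_protocols)
    if exposed:
        # Vulnerable image and the exposure condition present: an image update is needed.
        # If policy already says the protocol must be off, this is also a policy breach.
        action = ("patch-and-enforce-policy" if vuln.requires_protocol in policy_disabled
                  else "patch")
        priority = CRITICALITY_RANK[device.criticality] * 2
    else:
        # Vulnerable image but the exposure condition is absent: no fire drill,
        # only confirm that the disabling policy stays enforced.
        action = "verify-policy"
        priority = CRITICALITY_RANK[device.criticality]
    return {"device": device.name, "action": action, "priority": priority}


def triage_inventory(devices, vuln, policy_disabled):
    """Triage every device and order the work list by priority, then by name."""
    results = [triage(d, vuln, policy_disabled) for d in devices]
    return sorted(results, key=lambda r: (-r["priority"], r["device"]))


# Constructed sample data: the policy disables HTTPS management; the vulnerability
# affects the RTR- family below image 12.3 and needs HTTPS enabled to be exposed.
POLICY_DISABLED = frozenset({"https"})
OPENSSL_VULN = Vulnerability("openssl-https-mgmt", "RTR-", "12.3", "https")
INVENTORY = [
    Device("core-rtr-1", "RTR-7500", "12.1", frozenset({"ssh", "https"}), "high"),
    Device("edge-rtr-2", "RTR-2600", "12.1", frozenset({"ssh"}), "medium"),
    Device("edge-rtr-3", "RTR-2600", "12.3", frozenset({"ssh", "https"}), "low"),
    Device("dc2-rtr-4", "RTR-7500", None, None, "high"),
    Device("sw-access-5", "SW-3500", "8.0", frozenset({"https"}), "low"),
]

if __name__ == "__main__":
    for row in triage_inventory(INVENTORY, OPENSSL_VULN, POLICY_DISABLED):
        print(f"{row['device']:12} {row['action']:26} priority={row['priority']}")
```

Run as a script, the work list puts the high-criticality router with HTTPS still enabled first, the device with no configuration data next (it cannot be triaged at all until the data is collected), and the router that follows the disable-HTTPS policy lands at a low-priority "verify-policy" step rather than an image update.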

To enable a resilient IT environment, organizations should ensure that internal security best practices relating to patch management are applicable to network devices and are scalable and flexible enough to be applied rapidly to the areas of highest concern. Finally, true cost-effective security and reductions in risk can be provided through powerful, centralized tools that directly enable the organization’s processes.

For more information from Rendition Networks: www.rsleads.com/408cn-257

Eric Vasbinder is a senior product manager at Rendition Networks, Redmond, Wash. He specializes in information security policies and procedures, auditing, network security, regulatory compliance, network management and disaster-recovery planning. Send comments for publication to guest@comnews.com.