A network scanner is a must for every organization. An important feature in this great network security tool is patch management. Irrespective of which network scanner you use, there is a certain procedure that one should follow when handling patch management in order to avoid future problems.
The first thing a system administrator should do in the patch management process is create a test environment. This can either be done on physical machines that mirror the different categories of machines one finds on the network (such as workstations, mail servers and web servers), or, if on a tight budget, it can be replicated on a virtual machine. Testing on a virtual machine is better than doing no testing at all, but keep in mind that some patches can conflict with hardware. If testing is carried out in a virtual environment, you will not be alerted that a patch/hardware conflict exists.
Testing is necessary to ensure that the patch that is about to be deployed does not conflict with the software and hardware currently installed on your network – this is why the test environment needs to mirror the exact setup on the network. A good network scanner can help with this task because it performs both a hardware and a software inventory. Scanning the network will tell us what software we need to install on our test environment so as to mirror our live environment.
Once the test environment is ready, we should configure our network scanner to automatically scan the network for missing patches. The next step may differ from network to network, but the concept is the same. If your network scanner supports it, enable auto deployment of patches (provided they have been approved) and configure the scanner to notify you when new patches are needed. Once you receive a notification, sort the required patches based on how critical they are and then begin testing.
During testing, each patch should be deployed on the test machine, restarting the test machine and checking each application to see that it is functioning properly. The administrator may want to test patches in batches (most critical first) and then push each batch to the live network.
Whichever method is adopted – in line with the organization’s patch management policy – the approved patches are either deployed manually or automatically.
It is very important that once deployment is done, your system can, either automatically or manually, confirm that the patches were deployed successfully. This generally means running another scan.
Finally, have a disaster recovery plan in place. Even if tested thoroughly things can still go wrong, and it is good to know what needs to be done is something goes wrong. If the software you use allows for patch rollback, that can be part of the recovery plan. Keep in mind though that even if your software has patch rollback functionality, it is important to not rely exclusively on it for the recovery strategy. Patches sometimes make the whole system unusable and if you cannot boot your operating system your network scanner will not be able to roll back the patch. In such cases, ensure you have backup and a good backup recovery strategy.
Deploying a network scanner can make life so much easier! Administrators can be tempted to simply set their solutions to download and automatically install patches without any testing. There is risky. Following basic steps and leveraging the power of the network scanner can make the process simple and effective – and done the right way.
This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Read more on why your organization needs a network scanner.
All product and company names herein may be trademarks of their respective owners.