IT networks are subject to a myriad of demands generated by the growing number of mission critical services which must be provided throughout an organization. Applications such as supply chain management, VoIP, and financial reporting must be reliably and securely provided to users throughout the enterprise. Unfortunately, even while the network must continue to consistently offer current and future services, the network itself is under siege.
Security issues and threats are beginning to impact networks with rising frequency. Security issues have increased in importance to such an extent that they are even now being discussed in the executive suite. One of the most pressing security issues is that posed by the increase in viruses and worms which utilize security vulnerabilities that exist in network device operating systems.
In hopes of addressing these issues, network device vendors have begun to release numerous patches to their device operating systems. In fact, one of the leading networking companies now releases several security-related image updates every month. For already overburdened and understaffed IT departments, this growth in the amount of patches released by vendors can almost be worse than the attacks themselves.
The challenges are numerous. First, IT staff and security departments must filter through numerous alerts, deciding which patches need to be applied. Second, they must determine which devices need to be updated. Third, they need a well defined and simple process for updating those devices. And finally, the network must be constantly monitored to assure that those versions of insecure software never return.
Furthermore, in today's networks, it is common to find an environment that contains devices from multiple manufacturers, spread over many disparate locations. For example, data centers in Seattle and San Diego may use firewalls from one manufacturer while using routers from another manufacturer. Even in those organizations with a single equipment vendor, it is probable that there will be multiple devices running at least several device images. In this type of an environment, the difficulty of tracking image requirements and insuring trouble-free deployments almost guarantee extensive time and resource demands.
For the network engineer it is extremely important to "remain ahead of the curve"; to maintain a reliable networking infrastructure that is resistant to network attacks. At the same time, the workload of the network engineer has spiraled ever upward. The network engineer needs a process by which to triage the necessity of device image updates, while at the same time reducing the time that it takes to perform those critical updates that are deemed as necessitating an immediate response.
IT executives are also keenly aware of the need to rapidly address security issues on network devices, but at a higher level. Service level agreements, uptime metrics, and best practice compliance are among those measures that are used to gauge the performance of those individuals at the top of the IT organization. As a result, the risks of security vulnerabilities must be balanced with the needs of fulfilling the daily service demands of the entire enterprise.
Any effective patch management process must have a means by which to ascertain the criticality of any device image update. The vulnerability must be gauged against the corporation's exposure and overall security posture: It is often not necessary to deploy every device image update from every device manufacturer. For instance, a recent vulnerability in OpenSSL only affected those organizations which had left HTTPS enabled as a means to manage the affected devices. Of course, this also means that to enable this "triage process," organizations must have procedures and tools in place that can provide them with extremely accurate device configuration information. Without this, a patch management process loses much of its effectiveness.
For those vulnerabilities which cannot be blocked through means other than an image update, it is necessary to develop an official yet efficient series of steps to rapidly implement a staged rollout of the image update. This rollout should begin with those devices that are the most susceptible to a security threat (e.g. Internet facing firewalls with an SSH vulnerability that use SSH for CLI management).
By performing this update in a staged manner, the organization can ensure that even the most rapidly deployed image updates are given at least an abbreviated test cycle prior to an enterprise-wide deployment. To enable this process to be performed in a timely and cost-effective manner, it is essential that organizations take advantage of tools that enable centralized, group-based image updates throughout an entire infrastructure.
In today's swiftly changing IT environment, true security and reductions in risk can only be provided through a balance of security policies and supporting technologies. A vigorous patch management process, supported by powerful, centralized tools can go a long way toward ensuring the health of a network far into the future.
About the author:
Eric Vasbinder, CISSP, is a senior product manager at Rendition Networks with more than seven years of experience in information technology and security. He specializes in information security policies and procedures, auditing, network security, regulatory compliance, network management, and disaster recovery planning.