Novell ZENworks Patch Management: Design, Deployment and Best Practices
Steve Broadwell, Sr. Solutions Architect, sbroadwell@novell.com
Allen McCurdy, Sr. Technical Specialist, amccurdy@novell.com

Agenda
- General patch management introduction
- The patching cook book
- The near future
Introduction
Patch Management Challenges
Issues STILL facing today's organizations:
- Increasing threats
- Faster threats: attackers reverse-engineer a released patch to build an exploit, so the window between patch release and active exploitation keeps shrinking
- The number of exploits and vulnerabilities is still growing
- Patch Tuesday
- Policy compliance
- Regulatory compliance
- Patch testing

Patch Decay
Machines become unpatched over time, even in a zone that was once fully compliant:
- New machines are added
- Machines are re-imaged (the image carries the patch level of the day it was built)
- Old software is upgraded or removed
- New software is installed or patched, which makes new patches applicable
- Patches are installed (one patch can make further patches applicable)
- Virus attack
- User error

ZENworks Patch Features
- Extensive pre-testing
- ZENworks single modular agent
- Advanced signature recognition
- Multiple languages
- Multiple operating systems
- Multiple vendors
- Flexible reporting
- Auditing
- ZERO Effort Patching
The Process
Patch Management Process
1. Pre-patching decisions
2. Enable patch management
3. Identify and assess the vulnerabilities
4. Obtain the relevant patches
5. What needs to be patched
6. Testing
7. Patch deployment
8. ZERO Effort Patching
Pre-Patching Decisions
Limit the Scope
- Be vendor specific
- One operating system
- Starting point: start with a specific service pack; patches older than that service pack are already rolled into it and do not need to be managed separately
- Post-starting-point patches: only the patches released after the starting point are in scope
- Patch impact
- Prioritize patches
- What languages do I need to support?
- Document every scoping decision
Enable Patch Management
Turning on Patch Management
What is patch activation?
- 60-day evaluation
- License verification
- Disable patch management agent features
- Manage by exception
- Staged roll-out
- Limits available vulnerabilities
- Administration roles
- Audit management

Getting Available Patch Information
Patch Subscription Service: what? when? how long?
Configuration questions:
- What communication interval should I use?
- Is a dedicated patch server required?
- Status
Identify and Assess the Vulnerabilities
The Vulnerabilities
Research the patches:
- Detailed patch information
- Search and filter
DISABLE all unnecessary vulnerabilities. Every enabled vulnerability is something the agent scans for and the server reports on, so disabling what is out of scope gives:
- Accurate reporting
- Shorter agent scan time
- Lower bandwidth utilization
- Use filters to disable in bulk
- Stop NEW patches from specific vendors
- What about custom patches?

How Do I Stay on Top of New Patches?
- Dashboard: Recently Released Patches
- ZENworks Control Center (ZCC): Released On column
- Automatic email notification
- Patch Management Status page
- New ZENworks Reporting Server (ZRS)
- Vendor security mailing lists and web sites
- The National Vulnerability Database
- Third-party vulnerability mailing lists
- The US-CERT Cyber Security Alerts
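The scoping decisions (vendor, operating system, service-pack starting point, languages) and the bulk disabling of out-of-scope vulnerabilities described above can be expressed as a single filter over the subscription feed. The following is an added example, not code from the original presentation or from ZENworks; the patch records, the field names (`service_pack`, `language`) and the severity scale are constructed for illustration and do not reflect the real subscription format.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample of a patch subscription feed. These are illustrative
# records, not real ZENworks patch data.
@dataclass(frozen=True)
class Patch:
    patch_id: str
    vendor: str
    os: str
    released: date
    severity: str       # "critical", "important", "moderate" or "low"
    service_pack: int   # lowest service-pack level the patch applies to (assumed field)
    language: str

CATALOG = [
    Patch("P-1001", "Microsoft", "Windows 7", date(2013, 11, 12), "critical", 1, "en"),
    Patch("P-1002", "Microsoft", "Windows 7", date(2013, 12, 10), "important", 1, "de"),
    Patch("P-1003", "Microsoft", "Windows XP", date(2013, 10, 8), "critical", 3, "en"),
    Patch("P-1004", "Adobe", "Windows 7", date(2014, 1, 14), "critical", 0, "en"),
    Patch("P-1005", "Microsoft", "Windows 7", date(2009, 7, 22), "important", 0, "en"),
    Patch("P-1006", "Microsoft", "Windows 7", date(2014, 2, 11), "low", 1, "en"),
]

@dataclass(frozen=True)
class Scope:
    """The pre-patching decisions: one vendor, one OS, a service-pack
    starting point and the languages that must be supported."""
    vendors: frozenset
    operating_systems: frozenset
    starting_sp: int
    languages: frozenset

DEFAULT_SCOPE = Scope(
    vendors=frozenset({"Microsoft"}),
    operating_systems=frozenset({"Windows 7"}),
    starting_sp=1,
    languages=frozenset({"en"}),
)

# Lower rank = higher impact; used to order what is left after filtering.
SEVERITY_RANK = {"critical": 0, "important": 1, "moderate": 2, "low": 3}

def in_scope(patch, scope):
    """A patch stays enabled only if it is inside every scope dimension.
    Patches below the starting service pack are already rolled into it."""
    return (patch.vendor in scope.vendors
            and patch.os in scope.operating_systems
            and patch.service_pack >= scope.starting_sp
            and patch.language in scope.languages)

def prioritize(catalog, scope):
    """Split the feed into the patches to keep (highest severity first,
    oldest first within a severity, since the oldest unpatched hole has
    been exposed the longest) and the ids to disable in bulk."""
    kept = sorted((p for p in catalog if in_scope(p, scope)),
                  key=lambda p: (SEVERITY_RANK[p.severity], p.released))
    disabled = [p.patch_id for p in catalog if not in_scope(p, scope)]
    return kept, disabled

def released_since(catalog, since):
    """Recently released patches, oldest first, for a 'what is new' review."""
    return sorted((p for p in catalog if p.released > since),
                  key=lambda p: p.released)

if __name__ == "__main__":
    kept, disabled = prioritize(CATALOG, DEFAULT_SCOPE)
    print("keep   :", [p.patch_id for p in kept])
    print("disable:", disabled)
    print("new since 2014-01-01:",
          [p.patch_id for p in released_since(CATALOG, date(2014, 1, 1))])
```

Run against the constructed feed, two patches survive the scope and four are queued for bulk disabling: the German-language patch, the Windows XP patch, the Adobe patch and the pre-SP1 patch. The same filter applied to each subscription update is what keeps new out-of-scope patches from silently re-entering the scan.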
Obtain All Relevant Patches
Cache the Patches
Only cache REQUIRED patches. Check the status on the Status tab:
- Patch is cached
- Patch needs to be cached (downloaded)
- Patch is in the download process
- Patch is disabled
- Patch is part of a baseline
- Patch could not be cached (error)
What is a remediation bundle?

Patch Replication
- ZENworks Configuration Management (ZCM) Primary Servers?
- ZENworks sync schedule
- Replicate patch bundles at a folder level
- ZCM Satellite
- Satellite replication schedules
What Needs to be Patched?
Which Patches Does a Device Need?
Discover Applicable Updates (DAU) bundle: download, analyze, report
- Scheduled: when and how often?
- Automatically assigned
- When was it last run?
- Manually force the scan?
Testing
Test, Test and Test Again
- Test environment
- Initial patch activation
- Configuration settings
- ZCM system updates
- Test area in the live zone
- Real-life machines
- User acceptance testing (UAT)
- Test scenarios
- Documentation
Patch Deployment
Assign Patch Remediations
ZENworks assignment bundles:
- Assignment wizard
- Group/folder association
- Does not enforce a patch
- Reboots are honored even if the patch is not applicable
Patch deployment status:
- ZENworks Reporting Server (ZRS)
- Bundle status
- Agent: show progress
- Local log files
ZERO Effort Patching
Patch Policies
Automatic patch ENFORCEMENT:
- Rule based
- Mandatory baselines on steroids
- Automatic applicable patch caching
- Manual / automatic policy rebuild
- Multiple associated policies
- Enforcement schedule
- Configurable reboot / prompts
- Automatic testing process

The Near Future
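A rule-based policy, the DAU scan results and the patch-decay problem from the introduction fit together in one small model: rules select the required patches, each device's last scan says which of those apply and are missing, and comparing two scan rounds shows which devices decayed. The following is an added example, not code from the original presentation or from ZENworks; the catalog, the scan results, the rule fields (`min_age_days` as a bake time before enforcement) and the severity scale are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed catalog and DAU-style scan results. Illustrative only, not
# real ZENworks data or the real DAU report format.
@dataclass(frozen=True)
class Patch:
    patch_id: str
    vendor: str
    severity: str       # "critical", "important", "moderate" or "low"
    released: date

@dataclass(frozen=True)
class DeviceScan:
    device: str
    scanned: date
    applicable: frozenset   # patch ids the scan found applicable
    installed: frozenset    # patch ids the scan found already installed

@dataclass(frozen=True)
class PolicyRule:
    vendor: Optional[str]   # None matches any vendor
    min_severity: str
    min_age_days: int       # assumed bake time before the policy enforces a patch

SEVERITY_RANK = {"critical": 0, "important": 1, "moderate": 2, "low": 3}

CATALOG = [
    Patch("P-1001", "Microsoft", "critical", date(2013, 11, 12)),
    Patch("P-1004", "Adobe", "critical", date(2014, 1, 14)),
    Patch("P-1006", "Microsoft", "low", date(2014, 2, 11)),
    Patch("P-1007", "Microsoft", "important", date(2014, 3, 4)),
]
TODAY = date(2014, 3, 10)
RULES = [
    PolicyRule("Microsoft", "important", 7),   # vendor rule with a one-week bake time
    PolicyRule(None, "critical", 0),           # any vendor's criticals, immediately
]

PREVIOUS = [
    DeviceScan("ws-01", date(2014, 3, 3), frozenset({"P-1001", "P-1004", "P-1006"}),
               frozenset({"P-1001", "P-1004"})),
    DeviceScan("ws-02", date(2014, 3, 3), frozenset({"P-1001", "P-1004"}),
               frozenset({"P-1001", "P-1004"})),
]
CURRENT = [
    DeviceScan("ws-01", date(2014, 3, 10), frozenset({"P-1001", "P-1004", "P-1006", "P-1007"}),
               frozenset({"P-1001", "P-1004"})),
    # ws-02 was re-imaged between scans: everything applicable, nothing installed
    DeviceScan("ws-02", date(2014, 3, 10), frozenset({"P-1001", "P-1004", "P-1007"}),
               frozenset()),
    # ws-03 is a newly added machine with no previous scan
    DeviceScan("ws-03", date(2014, 3, 10), frozenset({"P-1004"}), frozenset()),
]

def rule_matches(rule, patch, today):
    vendor_ok = rule.vendor is None or rule.vendor == patch.vendor
    severe_enough = SEVERITY_RANK[patch.severity] <= SEVERITY_RANK[rule.min_severity]
    old_enough = (today - patch.released).days >= rule.min_age_days
    return vendor_ok and severe_enough and old_enough

def required_patches(rules, catalog, today):
    """Rebuild the policy: every patch that at least one rule selects."""
    return frozenset(p.patch_id for p in catalog
                     if any(rule_matches(r, p, today) for r in rules))

def missing_patches(scan, required):
    """Required patches that apply to this device but were not found installed."""
    return sorted((required & scan.applicable) - scan.installed)

def remediation_plan(scans, required):
    """What the enforcement schedule would push to each device."""
    return {s.device: missing_patches(s, required) for s in scans}

def detect_decay(previous, current, required):
    """Devices compliant at the previous scan that are missing required
    patches now (re-imaged, rolled back, ...), and new devices that arrived
    non-compliant. Both are patch decay: the zone was compliant, now it is not."""
    before = {s.device: missing_patches(s, required) for s in previous}
    decayed, new = [], []
    for s in current:
        missing = missing_patches(s, required)
        if s.device not in before:
            if missing:
                new.append(s.device)
        elif not before[s.device] and missing:
            decayed.append(s.device)
    return sorted(decayed), sorted(new)

def compliance_rate(scans, required):
    if not scans:
        return 1.0
    compliant = sum(1 for s in scans if not missing_patches(s, required))
    return compliant / len(scans)

if __name__ == "__main__":
    req = required_patches(RULES, CATALOG, TODAY)
    print("policy requires:", sorted(req))
    print("plan:", remediation_plan(CURRENT, req))
    print("decayed, new:", detect_decay(PREVIOUS, CURRENT, req))
    print("compliance:", compliance_rate(CURRENT, req))
```

Note what the bake time does: P-1007 is an important Microsoft patch, but it is six days old on the constructed date, so the policy does not enforce it yet, while the Adobe critical is picked up by the second rule immediately. The decay report is the piece a one-shot assignment bundle cannot give you: ws-02 was fully compliant a week ago and is now missing two required patches after a re-image, which is exactly the case a mandatory baseline is meant to catch on the next enforcement run.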
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Novell, Inc. may make improvements in or changes to the software described in this document at any time. Copyright 2014 Novell, Inc. All rights reserved. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States. All third-party trademarks are the property of their respective owners.