TotalCOMMAND® Update™ 4.0 White Paper
Cross-platform Security Patch Management
Abstract
Introduction
The TotalCOMMAND Update Solution
Client-side Features
Server-side Features
Scenarios
Managed Desktop and Servers
Managed Data Center
Automatic Client Updates
Recurring Schedule
Proactive Notification
Building Custom Packages
Automatic Replication
Client-Side: Agent Installation
Installing Client Software
Abstract
This white paper describes the features of TotalCOMMAND® Update™ 4.0, a new solution for managing and distributing critical patches that resolve known security vulnerabilities and other stability issues in all Microsoft operating systems (95, 98, ME, NT, W2K, XP, .NET), UNIX (Linux, Solaris, AIX, HP-UX, etc.), and Novell NetWare. TotalCOMMAND Update 4.0 is the only patch detection and deployment software available for managing these heterogeneous network environments. This paper also includes solutions for customer scenarios that incorporate TotalCOMMAND Update.
TotalCOMMAND is the pioneer in automated patch management technology and has been developing, researching and shipping products for patch management since 1996. TotalCOMMAND's patent-pending technology is capable of accurately fingerprinting and locating patches and their interdependencies on a variety of platforms using open Internet protocols.
This paper is written for information technology managers and system administrators who want to automatically and securely keep all the computers in their network up-to-date with security patches and other updates.
Introduction
TotalCOMMAND Update is built on proven technology for automated patch detection and deployment: managing and distributing critical patches that resolve known security vulnerabilities and other stability issues in operating systems.
Today, corporations are required to frequently check vendor Web sites to find out about new patches. Upon learning that a vendor has a new software, hardware or driver patch, they have to manually download the relevant patches that have been made available since their last visit to the vendor's site, test the patch(es), and then distribute the patch(es) manually or by using their traditional software-distribution tools.
TotalCOMMAND Update solves these challenges by providing proactive notification of critical updates to computers whether or not they have Internet access. Additionally, this technology provides a simple and automatic solution for distributing software updates, software packages and any other data to the networked desktops and servers.
TotalCOMMAND Update addresses the need for critical patch management within an organization of any size by providing the following features:
a. Automatic content replication service via the Internet using 128-bit SSL
The content replication service is a server-side component that retrieves the latest critical updates and software from the private site known as the TotalCOMMAND Update Master Archive using a 128-bit SSL connection. As new updates are added to the TotalCOMMAND Update Master Archive, their metadata is downloaded automatically. If patches are marked as critical, they are downloaded and cached for rapid deployment. Each patch has an installer, a prerequisite signature and a fingerprint identification. Information is sent in one direction only: from the TotalCOMMAND Update Master Archive to the user's TotalCOMMAND Update Server. All information is encrypted, CRC checked, compressed, digitally signed, and downloaded over a 128-bit SSL connection. The SSL connection validates and confirms the authenticity of the patch source.
b. TotalCOMMAND Update Server (PLUS)
This easy-to-use server application acts as the patch source for client computers. It contains the replication service and administrative tools for managing updates and software packages. It can scan and schedule patch delivery to the clients using the HTTP or HTTPS protocol. This server can also automatically cache the critical patches from the TotalCOMMAND Update Master Archive. Administrators can use the built-in software distribution feature to distribute any software package to any desktop.
c. Administrator control over updates and packages
After viewing the enterprise report matrix, the administrator controls which updates or packages from the TotalCOMMAND Update Server are to be pushed to client computers. TotalCOMMAND recommends that you test each patch internally before deploying it to your enterprise. Each enterprise is different and an update may behave differently in each environment. The administrator has full control over the deployment of the patch or software that gets installed onto the client computer, including reboot options. The administrator can set or change client agent policies as well.
d. An intelligent client-side agent on computers (desktops or servers)
The client-side agent checks the intranet-hosted TotalCOMMAND Update Server to automatically determine which updates are needed. It then reports the information back to the TotalCOMMAND Update Server, which creates the report matrix for the administrator. The administrator approves the deployment of patches by using the deployment wizard. Administrator-approved updates or packages are downloaded in the background and auto-installed according to the schedule set by the administrator. Rules set by the administrator control the behavior of the patch installation during deployment.
e. Comprehensive patch testing
TotalCOMMAND continuously researches, tests and approves patches before they are released to the public. For example, when a hot fix for W2K is released, it is installed on over 250 different configurations of W2K including standard W2K, W2K with SQL server, W2K with Office, W2K with Exchange, and so on with a variation of other service packs and hot fixes.
The TotalCOMMAND Update Solution
TotalCOMMAND Update consists of both client-side and server-side components for critical patch management and basic software distribution.
Client-side Features
TotalCOMMAND Corporation has a patent pending on its technology and is the leading company in automated patch detection and deployment.
TotalCOMMAND Update is a proactive service that enables administrators to automatically download and install software packages and updates such as critical operating-system fixes and security patches. The features include:
Built-in security: Uses digital security identification to register against the TotalCOMMAND Update Server. Before installing a downloaded update, it verifies the digital certificate, CRC check, compression and encryption on each file.
Patch signature: A technology that can scan the system and determine if the prerequisite for each patch has been met. This is done by checking the proper software version and proper hardware drivers.
Patch Fingerprinting™: The TotalCOMMAND Update detection service scans the system and determines which updates are applicable to a particular computer. Together, the patch signature and fingerprints produce a detection report, which is viewable in the report matrix. The TotalCOMMAND Master Archives currently host one of the largest automated patch fingerprinting repositories in the world.
Background downloads: TotalCOMMAND Update uses a Secure Background Transfer Service (SBTS), which has built-in bandwidth throttling. The network administrator can decide how the bandwidth should be utilized during large deployments.
Chained installation: The administrator can minimize repetitive rebooting by taking advantage of Qchain.exe. If multiple updates are installed which each require a reboot, the administrator, using Qchain, can deploy them with only one reboot. This minimizes the reboot process to increase the uptime of mission-critical computers. Qchain arranges the DLLs in the proper order so the latest update takes effect. Administrators can choose this option during the deployment.
Workstation inventory (discovery agent): TotalCOMMAND Update has an inventory discovery agent so it can pinpoint the needed software and hardware drivers for your client computers. The discovery agent also scans the client computer for the necessary signatures and fingerprints.
Resume downloads: TotalCOMMAND Update is capable of detecting interruption and service outage. If the user has a mobile workstation, they can simply disconnect the computer and reconnect at a different location. As long as the TotalCOMMAND Update Server can be accessed via TCP/IP, the service will resume its download from the point at which it got interrupted.
Mobile-user enabled: TotalCOMMAND Update allows administrators to deploy patches and software updates to computers which are not connected to the network at the time of deployment. Once a mobile user connects to the corporate network, TotalCOMMAND Update will automatically scan their system and perform the necessary functions to keep their system up-to-date.
Advanced client agent technology for secure downloads (TotalCOMMAND Agent): TotalCOMMAND Update uses advanced client-side agent technology to communicate with the TotalCOMMAND Update Server. The main reason for using agents is to increase performance and scalability of an enterprise-wide solution. Agents accelerate the performance of a large-scale deployment and a single enhanced Update Server can service literally tens of thousands of Web-based client agents. TotalCOMMAND Update agents can work across firewalls and operate on literally any computer that has a TCP/IP connection to the enterprise network.
- Most major enterprise software management tools use agents, such as Microsoft SMS, Active Directory, IBM's Tivoli products, Symantec Anti-Virus, McAfee Anti-Virus and Novell ZEN. In large networks, agents can "wake up" and report to the server in parallel when they have information to report. In comparison, tools that do not use agents must rely on remote API calls, which must be polled continuously from the server and can be extremely slow and not scalable in large environments.
- Agents can receive compressed files to conserve bandwidth and, for increased security, can also identify whether the patch has been tampered with. An agent can resume a download after it is disconnected from the network and reconnected at a different location, a necessity for mobile users. Patch tools that lack an agent must download the entire service pack or file every time they are interrupted and rely on a permanent LAN connection to function. They also tend to generate spikes in bandwidth utilization as patches are deployed. TotalCOMMAND Update Server can be tuned to allocate only a given amount of bandwidth per agent connection to take advantage of bandwidth throttling.
- Patch tools that rely on a domain connection and do not have an agent rely on the "Remote Registry" service. This service provides registry information to a remote computer and may be a security risk in many organizations where client computers are on the Internet: it allows a remote computer to read the registry of a client computer. TotalCOMMAND Update does not use this service for security reasons. This service is also not available on Windows 95, Windows 98, and Windows ME, which explains why patch tools without an agent cannot operate on these platforms. TotalCOMMAND Update covers the entire Windows family securely.
Server-side Features
TotalCOMMAND Update is based on TotalCOMMAND's proven technology for automated patch detection and deployment: managing and distributing critical patches and software packages that resolve known security vulnerabilities and other stability issues in operating systems. The company has successfully fulfilled customer patch requirements since mid-1996. TotalCOMMAND Update Server runs on Windows 2000 Server with Service Pack 2 or later. Internet Information Services (IIS) must be enabled on the server.
The server features include:
Built-in security: The administrative pages are restricted to administrators on the TotalCOMMAND Update Server. The replication uses SSL and validates the digital certificates on any downloads to the update server. If the certificates are not from TotalCOMMAND Update, the replication fails and the server sends an email alert to the administrator. All information is encrypted, CRC checked, compressed, digitally signed, and downloaded over a 128-bit SSL connection.
Support for multi-vendor patches (comprehensive patch scanning): TotalCOMMAND has been building its patch repository since late 1996 and has one of the world's largest repositories of automated patch fingerprints. This extremely important feature of TotalCOMMAND Update allows the server to scan client computers for patch-related security vulnerabilities from Microsoft, as well as IBM, Adobe, Corel, Symantec, McAfee, Compaq, WinZip, Citrix, Novell and many others. This critical feature provides clients with a more secure network.
Grouping: TotalCOMMAND Update can group arbitrary sets of computers of any OS into a container, which can then be managed by administrators. The product operates in the scope of the selected group and allows for easier management of deployments, fingerprint reporting, inventory reporting, mandatory patch baseline policy and client agent policy. Each computer group has properties that include Members, Client Agent Policy and Mandatory Patch Baseline Policy. Administrators can select any groups including user-definable groups for deployment.
Mandatory patch policy with automatic deployment: TotalCOMMAND Update has a mandatory patch baseline policy for each group of computers. This feature can be used to automatically patch shrink-wrapped operating systems and applications to a particular organization's standards. Once the mandatory patch policies are set, as new computers become members of a group, all mandatory patches and packages are automatically installed. For example, if the mandatory patch baseline policy for a W2K group includes Office 2000, Adobe Acrobat Reader 5.0 and Service Pack 2, then all computers that join this group will have Office 2000, Adobe Acrobat Reader 5.0 and Service Pack 2 installed on them automatically. Patches that are dropped by restoring software from tape backup or reinstalling software are automatically reinstalled. The baseline integrity is maintained by the TotalCOMMAND Update Server.
Patch Compliance Assurance Mechanism (PCAM™): TotalCOMMAND Update has the ability to lock down the information about a set of patches and update the configuration against a group of computers. If the compliance lock is broken, an email alert is sent to the selected administrators. For example, a group of W2K computers may be created and called "IIS Servers." A compliance locking system is used to lock down all OS security patches and IIS-related patches. If at any point the related patches or DLLs get replaced, TotalCOMMAND Update sends an email alert to the administrator(s). The computer(s) in question and the reason(s) for non-compliance can be identified quickly and easily. The compliance locking system can be used with mandatory patch deployment to automatically patch the non-compliant system. In this case, as soon as a patch or software is removed, it is reinstalled automatically and the administrator is notified by email.
Content replication: The server replicates the content from the TotalCOMMAND Update Master Archive over a highly secure link. This is done manually or automatically. The administrator can set a schedule or have the replication component of the server do it automatically at preset times.
Software distribution: Administrators have the flexibility of creating software packages. They can then deploy these packages in the same manner as other TotalCOMMAND packages to the client computers. For example, a package could contain Office 2000 and be deployed to every desktop.
Content import/export: For updating computers on networks that are not connected to the Internet, the server allows the hosted content to be exported and then imported into another TotalCOMMAND Update Server. This is useful for highly secure networks such as those within the military and government.
Building custom patches: Administrators who have custom applications can use the "package create" option to create and roll out custom applications and patches. This feature allows any corporate application to be rolled out to any applicable operating system.
Recurring distribution task: TotalCOMMAND Update Server has the ability to distribute corporate data such as white pages or Anti-Virus definition files to any operating system. Using the recurring schedules, a database or document can be continually distributed to all computers inside and outside of the enterprise, including to mobile users. This feature is useful when users have data files that need to be continually updated such as Anti-Virus definition files.
Fully automatic disaster recovery: The "advanced disaster recovery" option allows the administrator to automatically recover from system failure such as hard disk crashes and server hardware failure. In the event of such failure, administrators simply create another server with the same DNS name and reinstall the TotalCOMMAND Update software with the same serial number. All agents will connect automatically and repopulate the system.
Multiple operating system support: TotalCOMMAND Update Server is designed on open architecture and protocols to support such operating systems as the Windows family, UNIX family and NetWare. This product makes use of HTTP, HTTPS, XML, SSL and other Internet-standard protocols.
Automatic Caching System (ACS): TotalCOMMAND Update Server will automatically cache packages that are marked as critical. This feature allows administrators to have the critical and security-related patches available for rapid deployment. During the Code Red and Nimda attacks, the Microsoft Web site was overwhelmed by users. Some users tried for hours to connect and download the related patches. TotalCOMMAND's technology will automatically download the critical and security-related patches in the background and store them on the TotalCOMMAND Update Server. Then it will automatically scan for the computers that need the related patch. As administrators are notified about the critical patch vulnerabilities, the package is also cached. Administrators can tell which packages are cached and which are not by simply looking at the related icons or selecting the detailed information on the packages. Other non-critical patches are automatically cached when they are first deployed.
Intelligent Multiple Patch Deployment (IMPD™): IMPD technology allows the proper patches to be deployed on the correct operating system. For example, Microsoft may have a bulletin MSxx-xxx that has several different patches for various platforms. In this situation, administrators can simply select MSxx-xxx for deployment and then select all required computers regardless of the OS. IMPD ensures that the patch gets installed on the proper operating system: the patch for the 9x platform installs on the 9x OS, the patch for NT installs on the NT OS, the patch for W2K installs on the W2K OS, and so on. This unique feature speeds up the patch deployment process, so administrators do not have to determine which patch is for which platform.
Applicable patch detection and patch interdependency: This very important feature will help administrators select only the applicable patches for the client computers, eliminating the task of sorting through hundreds of unrelated patches. TotalCOMMAND Update will present the user with only the applicable patches for their specified environment. For example, TotalCOMMAND Update will show administrators the IIS-related patches only if they have IIS installed on a client computer. For each patch, the application is first detected by using signatures and then the proper fingerprints are run against the application. This patent-pending process guarantees that when a patch is deployed, the client has the application and can install the patch. TotalCOMMAND Update will automatically calculate the interdependencies of patches against client computers. For example, on a W2K platform, TotalCOMMAND Update will recommend Service Pack 2 and, once Service Pack 2 is installed, it will then recommend Security Rollup for that client, since "Security Rollup" has a dependency on Service Pack 2. TotalCOMMAND Update reads both the registry and the file information for the correct fingerprinting to validate the patch identification.
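The two-stage check described above (signature to confirm the application is present, then fingerprint to compare installed versions) and the prerequisite ordering behind the Service Pack 2 / Security Rollup example, as an added illustration that is not TotalCOMMAND's code; the patch ids, application names, file names and version numbers are constructed.

```python
# Added example (not TotalCOMMAND code): signature-then-fingerprint
# applicability and dependency-aware recommendation. Patch ids, application
# names, file names and versions are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Patch:
    pid: str
    requires_app: str            # signature: application that must be present
    fingerprint: dict            # file -> version the patch brings it to
    depends_on: frozenset = field(default_factory=frozenset)


@dataclass
class Client:
    name: str
    apps: set                    # detected applications (signature stage)
    files: dict                  # file -> installed version (fingerprint stage)
    installed: set               # patch ids already recorded on the box


def version_tuple(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))


def needs_patch(client: Client, patch: Patch) -> bool:
    """Signature first: skip patches for software the client does not run.
    Then fingerprint: the patch is needed if any covered file is older
    than the version the patch installs."""
    if patch.requires_app not in client.apps or patch.pid in client.installed:
        return False
    return any(version_tuple(client.files.get(f, "0")) < version_tuple(v)
               for f, v in patch.fingerprint.items())


def recommend_now(client: Client, catalog: dict) -> list:
    """Needed patches whose prerequisites are already installed: what the
    report matrix would recommend for this client today."""
    return sorted(p.pid for p in catalog.values()
                  if needs_patch(client, p) and p.depends_on <= client.installed)


def deployment_plan(client: Client, catalog: dict) -> list:
    """Full ordered chain: every needed patch placed after its prerequisites."""
    pending = {p.pid for p in catalog.values() if needs_patch(client, p)}
    done, plan = set(client.installed), []
    while pending:
        ready = sorted(pid for pid in pending if catalog[pid].depends_on <= done)
        if not ready:
            raise ValueError(f"unsatisfiable prerequisites: {sorted(pending)}")
        plan.extend(ready)
        done.update(ready)
        pending.difference_update(ready)
    return plan


def apply_patch(client: Client, patch: Patch) -> None:
    """Simulate a successful install: record the patch and bump file versions."""
    client.installed.add(patch.pid)
    client.files.update(patch.fingerprint)


# Constructed catalog mirroring the paper's W2K example: the rollup depends on SP2.
CATALOG = {
    "SP2": Patch("SP2", "W2K", {"os_core.dll": "5.0.2"}),
    "ROLLUP": Patch("ROLLUP", "W2K", {"os_core.dll": "5.0.3"}, frozenset({"SP2"})),
    "IISFIX": Patch("IISFIX", "IIS", {"web_svc.dll": "5.0.1"}),
}


def sample_clients() -> dict:
    """Constructed inventory: a web server missing everything, a file server at SP2."""
    return {
        "web01": Client("web01", {"W2K", "IIS"},
                        {"os_core.dll": "5.0.1", "web_svc.dll": "5.0.0"}, set()),
        "file01": Client("file01", {"W2K"}, {"os_core.dll": "5.0.2"}, {"SP2"}),
    }


if __name__ == "__main__":
    for c in sample_clients().values():
        print(c.name, "recommend now:", recommend_now(c, CATALOG),
              "full plan:", deployment_plan(c, CATALOG))
```

Because web01 has no IIS patch prerequisite, IISFIX and SP2 are offered immediately while ROLLUP appears only after SP2 is recorded as installed, which is the behaviour the paragraph describes.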
Directory Neutral: TotalCOMMAND Update is platform neutral and does not require a directory such as NDS, Domain or Active Directory to operate. However, the product is extremely flexible and can easily integrate with any network architecture.
Selective patch or software: Patches are not automatically installed unless they are part of the mandatory patch baseline policy for a given group. Once administrators have tested and gained a level of confidence in a patch, they can add it to the mandatory baseline for a group. This will enable the patch to deploy automatically when a computer that is a member of that group indicates that it needs the patch. The master report view will show the matrix of all selected patches against all known computers. Computers are automatically grouped by the patches that they require.
Anti-Virus compatible: TotalCOMMAND Update fully supports and is capable of patching and updating the definition and data files for Anti-Virus applications. This feature is used to make sure all corporate users, including an organization's mobile workforce, are updated with the latest Anti-Virus definition and data files.
Software inventory change control: TotalCOMMAND Update has the ability to lock down the information about all of the installed software at client workstations within a group of computers. This feature is used to inform administrators about users who install new software or remove existing software on their computers. As new software is installed or existing software removed, an email alert is sent to the selected administrators to inform them of the changes. The email includes the client computer name and the modifications done to that client computer.
Service change control: Administrators can lock down the information about all of the services at client workstations within a group of computers. This feature is used to inform the administrator about users who stop or start certain services without their knowledge. As users change the status of their services, an email alert is sent to the selected administrator(s). The email includes the client computer names and the modifications done to the client computers.
Hardware inventory change control: TotalCOMMAND Update has the ability to lock down the information about all of the installed hardware at a client workstation within a group of computers. This feature is used to inform the administrator about users who add or remove hardware on their computers. If this feature is used, then as hardware is added or removed from the workstation, an email alert is sent to the selected administrator(s). The email includes the client computer name and the modifications done to that client computer.
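The PCAM compliance lock and the software change control described above share one mechanism: snapshot a group's state, lock it as the baseline, and alert with the computer name and the modification when a later snapshot differs. The following is an added illustration of that pattern, not TotalCOMMAND's code; the host names, file path, file contents and software names are constructed.

```python
# Added example (not TotalCOMMAND code): the lock-and-alert pattern behind the
# PCAM compliance lock and software change control, as a baseline snapshot
# diff. Host names, paths, file contents and software names are constructed.
import hashlib


def snapshot(files: dict, software: set) -> dict:
    """Capture what the lock covers: a digest per patch-related file and the
    set of installed software. `files` maps path -> file contents (bytes)."""
    return {
        "files": {path: hashlib.sha256(data).hexdigest() for path, data in files.items()},
        "software": frozenset(software),
    }


def compare(baseline: dict, current: dict) -> list:
    """Return (kind, item) findings; an empty list means the lock is intact."""
    findings = []
    for path, digest in baseline["files"].items():
        now = current["files"].get(path)
        if now is None:
            findings.append(("file removed", path))
        elif now != digest:
            findings.append(("file replaced", path))   # e.g. DLL overwritten by a restore
    for sw in sorted(baseline["software"] - current["software"]):
        findings.append(("software removed", sw))
    for sw in sorted(current["software"] - baseline["software"]):
        findings.append(("software installed", sw))
    return findings


def check_group(baselines: dict, current: dict) -> list:
    """Alert lines for a whole group: computer name plus the modification,
    the two facts the paper says the e-mail alert carries."""
    alerts = []
    for host, base in baselines.items():
        for kind, item in compare(base, current[host]):
            alerts.append(f"{host}: {kind}: {item}")
    return alerts


def patches_to_reinstall(baseline: dict, current: dict, patch_files: dict) -> list:
    """Mandatory-baseline remediation: map replaced or removed files back to
    the patch that owns them. `patch_files` maps patch id -> set of paths."""
    broken = {item for kind, item in compare(baseline, current) if kind.startswith("file")}
    return sorted(pid for pid, paths in patch_files.items() if paths & broken)


# Constructed "IIS Servers" group: web01 had a DLL rolled back by a tape
# restore, web02 gained a program that is not in the locked inventory.
W3SVC = "C:/WINNT/system32/inetsrv/w3svc.dll"            # constructed path
PATCH_FILES = {"IISFIX": {W3SVC}, "SP2": {"C:/WINNT/system32/os_core.dll"}}


def sample_group() -> tuple:
    patched = {W3SVC: b"w3svc build 5.0.1 (patched)"}
    baselines = {
        "web01": snapshot(patched, {"IIS", "Office 2000"}),
        "web02": snapshot(patched, {"IIS", "Office 2000"}),
    }
    current = {
        "web01": snapshot({W3SVC: b"w3svc build 5.0.0"}, {"IIS", "Office 2000"}),
        "web02": snapshot(patched, {"IIS", "Office 2000", "RemoteTool"}),
    }
    return baselines, current


if __name__ == "__main__":
    base, cur = sample_group()
    for line in check_group(base, cur):
        print("ALERT", line)
    print("reinstall on web01:", patches_to_reinstall(base["web01"], cur["web01"], PATCH_FILES))
```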
Uninstall and rollback an entire patch deployment: TotalCOMMAND Update can take advantage of the patch uninstall capabilities and provide full rollback functionality to undo or "roll back" an entire deployment of a patch to the network. This function is used to uninstall a patch that has generated problems.
Configurable agent policy with hours of operation for mission critical servers: The configurable agent policy allows administrators to define the agent communication interval and operating hours. Agents are capable of communicating with the TotalCOMMAND Update Server even if they are behind a firewall. This is done with no modification to the firewall by taking advantage of the HTTP and HTTPS protocols. Each client agent can have one or more policies active at a given time. This feature allows administrators to set up mission critical computers to only receive patches within a given time frame. For example, administrators may want policies set to only roll out patches to production servers between the hours of 12:00 AM and 2:00 AM.
Status by email notification: The TotalCOMMAND Update Server has email notification that provides for each alert in the system to be sent to one or more administrators. These alerts include status of the deployment, new patches, low disk space and other errors that may happen during normal operation.
New patch arrivals: As new patches arrive into the system, the fingerprints are sent to the proper client agents to be scanned. An email is then sent to the administrator, which includes the patch impact and description of the patch.
Scenarios
Managed Desktop and Servers
As new patches are released, the TotalCOMMAND Update Server downloads the proper fingerprint from the TotalCOMMAND Update Master Archive and then checks to see if there are any computers that meet the profile by sending the fingerprints to the workstations to be scanned. The administrator is then notified of the new patch and its impact to the work environment. The report matrix quickly informs the administrator which computers or groups need the patch and which do not. The administrator simply selects a group or individual computers and deploys. The administrator can set the time of the deployment and decide whether or not to reboot after the patch installation.
Managed Data Center
In a managed data center, the administrator creates a group for each cluster of servers. This helps the administrator manage thousands of computers easily. Administrators can test all critical updates published from the TotalCOMMAND Update Master Archive service before they are deployed to client computers on the network. After the testing has been successful, the administrator can then deploy the patch to all or just a group of computers. The use of agent policies helps the administrator set up the hours of operation for each group of computers.
Automatic Client Updates
From time to time, TotalCOMMAND Corporation creates a patch for its own software. Administrators can select the TotalCOMMAND client HotFix (just like any other patch) and update all client software.
Recurring Schedule
TotalCOMMAND Update allows for recurring schedules to be created using the deployment wizard. Using recurring schedules, a database or document can be continuously distributed to all computers inside and outside the corporation including mobile users. Recurring schedules can also be used to reboot servers. For example, the administrator can create a recurring task that would reboot specific servers every Sunday at midnight.
Proactive Notification
The administrator is automatically notified whenever anything changes in the patch, hardware, software or installed-services configuration.
Building Custom Packages
An administrator using a custom application may choose to update that application from time to time. Using TotalCOMMAND Update, the administrator can build a custom software package, patch or policy-specific script and then roll it out to selected computers, eliminating the need for additional software distribution products.
Automatic Replication
The replication service is a server-side component that retrieves the latest critical updates from the private TotalCOMMAND Update Master Archive. As new updates are added to the TotalCOMMAND Update Master Archive, their metadata is downloaded automatically. If patches are marked as critical, they are downloaded and cached for rapid deployment. Each patch has an installer, a prerequisite signature and a fingerprint identification. Information is sent in one direction only: from the Master Archive to the user's TotalCOMMAND Update Server. All information is encrypted, CRC checked, compressed, digitally signed, and downloaded over a 128-bit SSL connection. The SSL connection validates and confirms the authenticity of the patch source.
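Both the replication service here and the client agent's "Built-in security" feature verify a downloaded package in the same order: authenticity, then the CRC, then decompression. The following added example (not TotalCOMMAND's code) shows why that order matters: nothing is decompressed until the package is known to come from the expected source. HMAC-SHA256 over a shared key stands in for the paper's certificate-based digital signature, zlib's CRC-32 for its CRC check, and the container layout is constructed.

```python
# Added example (not TotalCOMMAND code): verify a downloaded package in the
# order the paper gives: authenticate, CRC-check, then decompress.
# HMAC-SHA256 stands in for the paper's certificate-based digital signature
# and zlib CRC-32 for its CRC check. Constructed container layout:
#   tag(32 bytes) || crc32(4 bytes, big-endian) || zlib-compressed payload
import hashlib
import hmac
import struct
import zlib

TAG_LEN, CRC_LEN = 32, 4


def build_package(key: bytes, payload: bytes) -> bytes:
    """Archive side: compress, CRC the compressed body, then sign CRC+body
    so the tag covers everything the client will act on."""
    body = zlib.compress(payload)
    crc = struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)
    tag = hmac.new(key, crc + body, hashlib.sha256).digest()
    return tag + crc + body


def verify_and_open(key: bytes, package: bytes, max_size: int = 1 << 20) -> tuple:
    """Client side. Returns (status, payload); payload is None unless status
    is "ok". The body is not decompressed until authenticity is established,
    so a tampered archive never reaches the decompressor or the installer."""
    if len(package) < TAG_LEN + CRC_LEN:
        return "truncated", None
    tag = package[:TAG_LEN]
    crc = package[TAG_LEN:TAG_LEN + CRC_LEN]
    body = package[TAG_LEN + CRC_LEN:]
    # 1. authenticity: constant-time comparison against the expected tag
    expected = hmac.new(key, crc + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "signature mismatch", None
    # 2. integrity: a CRC alone proves nothing against tampering (anyone can
    #    recompute it), but after authentication it still flags a corrupted
    #    or partially resumed transfer that should be fetched again
    if struct.unpack(">I", crc)[0] != (zlib.crc32(body) & 0xFFFFFFFF):
        return "crc mismatch", None
    # 3. decompress with an output bound so a malformed archive cannot
    #    exhaust memory or disk on the client
    d = zlib.decompressobj()
    try:
        out = d.decompress(body, max_size)
    except zlib.error:
        return "corrupt archive", None
    if d.unconsumed_tail or not d.eof:
        return "payload too large or incomplete", None
    return "ok", out


if __name__ == "__main__":
    key = b"constructed-demo-key"              # constructed; a real deployment uses certificates
    pkg = build_package(key, b"installer bytes")
    print(verify_and_open(key, pkg))
    tampered = pkg[:-1] + bytes([pkg[-1] ^ 0x01])
    print(verify_and_open(key, tampered))
```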
Client-Side: Agent Installation
Installing Client Software
Client agent software can be installed by running a wizard that allows it to be pushed to all computers in the domain. Administrators can select all or individual computers to install the client agent software. The Client Agent has a control panel, which can be used to see the status of the agent software.