Cyber Security Institute

Sunday, September 14, 2008

Patching Offline VMware Machines

Though NetChk Protect 6.5 is focused only on Microsoft Windows and VMware environments, Shavlik’s product offers IT administrators a way to save time and effort updating offline virtual machines.

Patch deployment to virtual and physical systems just got a lot easier with the Sept. 2 release of Shavlik NetChk Protect 6.5.  With the ability to deploy patches to offline VMware virtual machines, IT managers can now be confident that VMs that are only used occasionally will spin up with the most current patches, hot fixes and service packs.

NetChk Pro 6.5 is focused on the Microsoft Windows/VMware environment, which runs counter to the cross-hypervisor platform support I’d like to see in a product that receives an eWEEK Labs Analyst’s Choice award.  Even with this significant gap, IT managers should put Shavlik’s NetChk Pro 6.5 at the very top of any security strategy plan for the labor- and time-saving advantages that come from being able to automatically and consistently apply updates to offline VMs, which are otherwise quite difficult to keep up to date.

Both VMware Update and Shavlik NetChk Protect can scan and patch the online and offline ESX Server images.

A Shavlik NetChk Protect license costs a one-time license fee of $75 per server and $35 per workstation, plus 25 percent maintenance per year at quantity 100.

The basic mechanics of working with offline VMs involve placing the machines into a special offline group in the NetChk console.  In my tests, the NetChk scheduler worked as described; updates that were scheduled for the future were not executed until the correct date.  Because I tested NetChk Protect in a VMware Infrastructure environment using ESX Servers managed by VirtualCenter 2.5 (see review here), I browsed to my VirtualCenter system, then to the ESX server, and selected my virtual images.

This first version of Shavlik’s offline scanning and patching tool isn’t without some blemishes.  Offline images are scanned as part of the traditional scan process that is normally used to manage patching for running systems.  In practical terms, this meant that I got “machine not scanned” messages when normally offline images were part of a scan job, which could be construed as errors by IT operations staff.  Additional oddities were encountered in the UI, including a message that patch databases were being updated from Shavlik’s secure site even when the product was configured to run in disconnected mode.  As well, virtual machines that were online during initial scanning but then were taken offline and subsequently scanned were still assigned the “connected” icon in status monitoring screens, which again caused me some confusion during testing and will likely confuse IT staff.

Role-based administration fundamentally means that patch management can be devolved to lower-level staff.

Posted on 09/14