January 28, 2005 4:00 AM PST

Patching up problems

The race to plug network holes before attackers use them is running system managers ragged, so they're throwing up more barriers to stop intruders.

In recent years, the common wisdom has been that keeping up-to-date on software patches is key to safeguarding a company's networks against viruses, worms and other pests. But with dozens of flaws being discovered each week, that approach has turned out to be a Herculean task.

That has network administrators, as well as providers of security products, looking beyond patch management for protection.


What's new:
The race to plug network holes before attackers use them is becoming a heavy burden on system administrators.

Bottom line:
Network managers are returning to an older strategy, which calls for defensive measures on many levels of the network, to meet the challenge.


"Five years ago, patch management was not a (priority) for operations people. But then the worms came out, and it was patch everything you can and as fast as you can," said Gerhard Eschelbeck, chief technology officer at Qualys, a security information provider. "Now we've entered a phase of being more selective about patching."

These days, security professionals are returning to an older strategy, which calls for defensive measures on many levels of the network, from the gateway to the employee's PC.

The technique taps into a wide array of new security technologies to throw up multiple barriers to virus writers and online intruders. And there's a bonus: Widespread defenses like these will likely buy system administrators more time to test and apply software fixes.

Quick patch
In some cases, administrators using patch management have to move so fast to install a fix that they aren't able to test it beforehand.

"People often feel squeezed. Sometimes there are cases where they can't patch quickly enough. There may be an exploit out there before you can get your systems patched," said Jason Chan, a moderator of mailing list Patch Management.org who is also a consultant at security company Symantec.

That's despite the fact that patches have frequently caused additional problems within corporate networks by turning off needed functions, or because the fixes themselves have had flaws.

Back in 2004, Todd Towles, a network systems analyst for a medium-size retail chain, was overseeing 40 Windows NT workstations that were a low patching priority, since most security threats focused on Windows XP and 2000. One time, he patched the systems before fully testing the fix and immediately encountered problems.

Deeper defenses

Security experts tend to take a multilevel approach to protecting the digital equivalent of a company's crown jewels, defending systems even after an intruder has gained access.

Network: Firewalls and intrusion detection systems protect a community of systems against attack.

System: Antivirus systems and personal firewalls limit attacks on individual PCs.

Data: Encryption, backups and integrity scanning all help to make sure data isn't accessed, changed or deleted by unauthorized users.

Identity: Strong passwords and a second ID check, such as smart cards, are increasingly used to keep attackers out.

Source: CNET News.com

"Five of them blue-screened on reboot, which didn't go over well with the professionals who were using them," Towles said.

He had to rebuild the operating systems on the five workstations himself, a task that convinced Towles to adopt the broader defense strategy.
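The lesson in Towles's story is a staged rollout: patch a small pilot ring first, run a post-reboot health check, and only then touch the rest of the fleet. The following is an added illustration, not code from the article or from any of the companies it quotes. The inventory, the two patch functions and the health check are all constructed stand-ins; a real deployment would replace `health_check` with a ping, service-status or login probe after reboot.

```python
"""Staged patch rollout: pilot ring first, fleet only after a health gate.

Added example (constructed data); not the article's or any vendor's code.
"""
import copy
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Host:
    name: str
    os: str            # constructed label, e.g. "NT4" or "XP"
    group: str         # "pilot" or "fleet"
    patched: bool = False
    healthy: bool = True


# Constructed inventory: five workstations, two of them in the pilot ring.
INVENTORY: List[Host] = [
    Host("ws01", "NT4", "pilot"),
    Host("ws02", "XP", "pilot"),
    Host("ws03", "NT4", "fleet"),
    Host("ws04", "NT4", "fleet"),
    Host("ws05", "XP", "fleet"),
]


def bad_patch(host: Host) -> None:
    """Hypothetical fix that leaves NT4 hosts unbootable (constructed)."""
    host.patched = True
    if host.os == "NT4":
        host.healthy = False


def good_patch(host: Host) -> None:
    """Hypothetical fix that installs cleanly everywhere (constructed)."""
    host.patched = True


def health_check(host: Host) -> bool:
    """Stand-in for a real post-reboot probe (ping, service status, login)."""
    return host.healthy


def staged_rollout(hosts: List[Host],
                   apply_patch: Callable[[Host], None],
                   check: Callable[[Host], bool],
                   max_pilot_failures: int = 0) -> Dict[str, object]:
    """Patch the pilot ring; halt before the fleet if the pilot fails the gate."""
    pilot = [h for h in hosts if h.group == "pilot"]
    fleet = [h for h in hosts if h.group != "pilot"]

    pilot_failures = []
    for h in pilot:
        apply_patch(h)
        if not check(h):
            pilot_failures.append(h.name)

    # The gate: too many broken pilot hosts means the fix is not trusted yet.
    if len(pilot_failures) > max_pilot_failures:
        return {"status": "halted", "pilot_failures": pilot_failures,
                "fleet_failures": [], "fleet_patched": 0}

    fleet_failures = []
    for h in fleet:
        apply_patch(h)
        if not check(h):
            fleet_failures.append(h.name)

    return {"status": "complete", "pilot_failures": pilot_failures,
            "fleet_failures": fleet_failures, "fleet_patched": len(fleet)}


def run_rollout(apply_patch: Callable[[Host], None]) -> Dict[str, object]:
    """Run a rollout against a fresh copy of the constructed inventory."""
    return staged_rollout(copy.deepcopy(INVENTORY), apply_patch, health_check)


if __name__ == "__main__":
    print("bad patch :", run_rollout(bad_patch))
    print("good patch:", run_rollout(good_patch))
```

With the constructed bad patch, `ws01` fails the health check in the pilot ring and the rollout halts with zero fleet hosts touched, which is the outcome Towles would have preferred to rebuilding five machines by hand; with the good patch, all three fleet hosts are patched. The `max_pilot_failures` threshold is the knob that trades speed against caution when an exploit is already circulating.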

In addition to patching, that strategy typically involves a combination of technologies, such as host-based firewalls, intrusion detection and prevention systems, antivirus software, and encryption, as well as configuring systems to be robust against attacks.

But there are trade-offs. Experts have argued that this "defense in depth" approach can lead to increased technology costs and complexity, seen as a major burden by IT professionals. "There has to be a focus on easing the administrator's experience," said Richard Threlkeld, an information engineer at Qualcomm, a San Diego-based digital-wireless-technology company. "A lot of tools that are out there are such a hassle to use."

Security product providers are doing their part to help the shift. Many are moving away from signature-based techniques, in which software

Page 1 | 2


I believe the real answer lies in...
...hardware security at the edge:

http://www.wave.com
Posted by ordaj (338 comments)
I agree, but...
Right up until some nit-wit (your favorite manager here) takes their laptop on the road, using it from every open Wi-Fi they can find, letting their kids play games on it, you name it, then bringing it back inside the network.
Hardware at the edge is VERY important, but there is no one magic solution.
Posted by catchall (245 comments)
Just waiting for someone to say that Mac OS X is the answer
I'm surprised no one has yet suggested that Macintosh OS X is the solution. Everyone knows that Apple customers never have to download software patches, right?

(In case it isn't obvious, this comment is meant to be sarcastic.)
Posted by rpms (96 comments)