Background
Patch management is the process of identifying
a set of required patches, applying the patches, and then
verifying the patch installation was successful.
Berkeley Lab recommends
the use of a vendor's automated patching solution (e.g., Windows
Automatic Updates, Macintosh Auto Update, and Redhat up2date)
when appropriate.
The patch management process at Berkeley Lab
is specifically designed to handle a large heterogeneous computer
environment, continuous arrival and departure of computer
systems (due to visitors and students), and decentralization
of system administration. Below
is an outline of the process:
Implementation
Berkeley Lab performs patch management as follows:
- A set of required patches is identified.
- Hosts are probed to determine if required patches are
installed.
- If required patches are not installed, notification is
sent to the user with information regarding the patch, a
download location for the patch, and a timeline in which
the patch must be applied.
- Most systems apply the patch within the timeline. Systems
found without the required patches in place by the deadline
specified in the timeline are isolated from the network.
- Systems isolated from the network are redirected to a
Web site that shows the reason for the isolation, provides
the patch, and gives instructions for removing the system
from isolation. A list of currently isolated systems is
available from NETS.
- Hosts are checked daily.
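The daily check described above, written out as an added example; this is not Berkeley Lab's own tooling, and the host names, patch identifiers, download locations and deadlines below are constructed placeholders. Given a required-patch list with deadlines and the result of probing each host, it decides per host whether it is compliant, should be notified (with patch information, download location and remaining time), or has passed its deadline and is to be isolated, and it produces the list of currently isolated systems.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample data (hypothetical; not a real patch list or host inventory).
# Required patch id -> (download location, deadline by which it must be applied).
REQUIRED_PATCHES = {
    "PATCH-A": ("https://patches.example.invalid/PATCH-A", date(2024, 3, 1)),
    "PATCH-B": ("https://patches.example.invalid/PATCH-B", date(2024, 3, 15)),
}

# Constructed probe results: host -> set of required patch ids found installed.
PROBE_RESULTS = {
    "host1.example.invalid": {"PATCH-A", "PATCH-B"},
    "host2.example.invalid": {"PATCH-A"},
    "host3.example.invalid": set(),
}

# Date of the daily check used in the worked run below (constructed).
CHECK_DATE = date(2024, 3, 5)


@dataclass
class HostStatus:
    host: str
    missing: list = field(default_factory=list)   # required patches not installed
    overdue: list = field(default_factory=list)   # missing patches past their deadline
    action: str = "compliant"                     # "compliant", "notify" or "isolate"
    notice: str = ""                              # text sent to the user / isolation page


def evaluate_host(host, installed, required, today):
    """Decide the action for one host from its probe result."""
    missing = sorted(p for p in required if p not in installed)
    overdue = [p for p in missing if today > required[p][1]]
    if not missing:
        return HostStatus(host)
    if overdue:
        # Deadline passed: the host is isolated and redirected to a page
        # stating the reason, offering the patch and the way out of isolation.
        reason = "; ".join(
            f"{p} (required by {required[p][1].isoformat()}, patch at {required[p][0]})"
            for p in overdue)
        notice = (f"{host} is isolated from the network: missing {reason}. "
                  "Apply the patch, then request removal from isolation.")
        return HostStatus(host, missing, overdue, "isolate", notice)
    # Missing patches but still inside the timeline: notify the user.
    lines = []
    for p in missing:
        url, deadline = required[p]
        days_left = (deadline - today).days
        lines.append(f"{p}: download {url}; apply within {days_left} day(s) "
                     f"(by {deadline.isoformat()})")
    notice = f"{host} is missing required patches:\n  " + "\n  ".join(lines)
    return HostStatus(host, missing, [], "notify", notice)


def daily_check(probe_results, required, today):
    """Run the evaluation over every probed host."""
    return {h: evaluate_host(h, inst, required, today)
            for h, inst in probe_results.items()}


def isolated_hosts(statuses):
    """The list of currently isolated systems."""
    return sorted(h for h, s in statuses.items() if s.action == "isolate")


if __name__ == "__main__":
    statuses = daily_check(PROBE_RESULTS, REQUIRED_PATCHES, CHECK_DATE)
    for s in statuses.values():
        print(s.action.upper(), s.host)
        if s.notice:
            print("  " + s.notice)
    print("Currently isolated:", isolated_hosts(statuses))
```

With the constructed data and a check date of 2024-03-05, host1 is compliant, host2 is notified that PATCH-B is due in 10 days, and host3 is isolated because PATCH-A's deadline has passed; rerunning the check each day with fresh probe results moves hosts between these states.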
Prioritization
The System and Network Security Group (SNS)
of Berkeley Lab meets weekly to discuss additions to the list
of required patches. Patches are added to the required list
on the basis of the severity of the vulnerability fixed by the
patch and the risk of exploitation. In some situations, SNS may
make patch requirement decisions via email and send notice
to users with a very short timeline.