Lumension Security PatchLink Update 6.4
ABOUT THIS ROLLING REVIEW:
We're testing patch management products at our Windward IT Solutions Real-World Labs. Assessment areas include breadth of platforms supported, how well a product uses subscription services to discover patches, how thoroughly it discovers our environment, what rollback capabilities are available, testing and staging capabilities prior to production, reporting, and network bandwidth control.
OTHER VENDORS INVITED:
BladeLogic, BMC Software, CA, Configuresoft, Ecora Software Corp., IBM, Kaseya Corp., LANDesk Software, Novell, Opsware, Symantec Corp.
We were pleased to find PatchLink's agents a breeze to install. For Windows, the Agent Management Center can automate deployment with remote registry and file and print sharing enabled. Command-line silent installs speed deployment on non-Windows systems.
Initial scan results were available almost immediately, and organizations that need customization will find plenty of options. Lumension's patch repository was quick to respond to requests for new package downloads. Communication between update server and patch repository is over a secure protocol, with each package verified by the server.
One aspect we didn't like is how the application deals with network bandwidth: PatchLink let us control bandwidth only indirectly, by configuring consecutive or concurrent deployments. While the number of concurrent deployments is easily set, there's no other way to throttle bandwidth usage. In addition, the process to roll back patches wasn't as clear-cut as we'd like.
COMPLIANCE AND COST
Lumension's policy-based administration scheme will be a good fit for organizations using a best-practice framework for process control and regulatory compliance; PatchLink will let them ensure that all systems meet a mandatory baseline policy.
We didn't test scalability, but the PatchLink architecture should let large organizations easily distribute the product.
PatchLink doesn't use a perpetual license model. The server software is a one-time fee of $1,695. Beyond that, PatchLink comes with a per-server cost that's renewable yearly: 300 Windows physical servers cost $19 per node, for 200 Linux servers you'll pay $40 per node, and 150 Sun Solaris physical servers run $40 per node. If you have virtualization enabled, 100 VMware ESX virtual servers running 300 instances of Windows operating systems cost $19 per node, again renewable yearly. For our environment, we would spend about $27,000 for the first year, then have $25,000 in recurring costs. We understand the logic around this--Lumension does an extensive amount of testing on new patches--but it's something to factor into the budget.