From Stratacache: Reducing Zero-Day Attacks with Simultaneous SMS Patch Distribution
Microsoft Server Management System (SMS) is Microsoft’s response to the rapid appearance of new Windows server security attacks. With SMS, network administrators receive security updates on Patch Tuesday and at other times in response to zero-day attacks. But SMS distributes patches to one server at a time, so the “patched state” of the server population varies widely across the enterprise at any given moment. The challenge for IT administrators in large enterprises is to distribute critical patches quickly and install them reliably and simultaneously across all servers in the corporate network.
In this article, we’ll look at a new way to immediately distribute SMS patches from a centralized data center to any number of Windows servers. The approach significantly improves security by ensuring that all servers are patched simultaneously and rapidly after a new patch arrives, and it also has the benefit of reducing patch distribution overhead.
Standard SMS patch distribution
When used for patch distribution to servers located across a WAN, SMS typically uses TCP-based, non-parallel distribution. As a result, the same file is sent from the central site server to each and every destination server. Often, these distributions occur in small batches: first to one small group of servers, then to the next group, and so forth.
Server scaling, file size, and/or network bandwidth can all introduce significant delivery delays in such a scheme. Depending on the size of the patch and the number of destination servers, it can take a significant amount of time to get such patches delivered throughout the WAN using this standard technique. For Zero Day patches, these delays also introduce added risk because many servers remain unpatched for longer than necessary.
For example, if you are sending a 100 MB file over a 1.544 Mb link to 100 remote sites, it would take 14.4 hours to deliver the patch to all sites if sent sequentially using normal SMS protocols. Using IP multicast, it would take about 9 minutes to deliver the patch to all sites, which means that enhanced security protection is enabled a full business day sooner.
Simultaneous patch distribution
With the correct WAN infrastructure and distribution software that takes advantage of it, these security and network throughput problems can be totally eliminated, leading to truly simultaneous patch distribution to an arbitrarily large number of servers. The speed of distribution is limited only by network bandwidth.
The patch file is sent once and only once from the central site server, no matter how many endpoint servers are targets. The file traverses the network only once, eliminating the bottlenecks caused by sending the same large file repeatedly under a non-parallel distribution scheme.
Figure 1. Resources needed to distribute a 100 MB file to 100 remote sites

|                 | Standard SMS | IP Multicast |
|-----------------|--------------|--------------|
| Time to deliver | 14.4 hours   | 9 minutes    |
| Bandwidth used  | 10 gigabits  | 100 megabits |
The patch file reaches all targeted servers at the same time, therefore delivering time-critical patches in the shortest possible time. In addition, the entire transaction requires only one session, delivering a 99 percent reduction in the bandwidth required.
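The figures above follow from the per-link transfer time multiplied by the number of sites. The following added example (not from the article or from Stratacache) models that arithmetic for sequential and batched unicast versus a single multicast transfer, and also computes the mean time a site stays unpatched, which is the zero-day window the article is concerned with. Batched unicast here assumes the central site has enough uplink to feed every site in a batch at full link rate.

```python
# Added example, not from the Stratacache article: fleet exposure under
# batched unicast delivery versus one IP multicast transfer, reproducing
# the article's 100 MB / 1.544 Mb/s / 100-site figures. Batched unicast
# assumes the central site can feed each batch at full link rate.
from dataclasses import dataclass

MB_TO_BITS = 8_000_000  # decimal megabytes, as in the article's arithmetic


@dataclass(frozen=True)
class Plan:
    file_mb: float     # patch size in megabytes
    link_mbps: float   # per-site WAN link rate in megabits per second
    sites: int         # number of destination servers
    batch: int = 1     # sites served in parallel per round (1 = sequential)

    def transfer_seconds(self) -> float:
        """Time to push one copy of the patch over one link."""
        return self.file_mb * MB_TO_BITS / (self.link_mbps * 1_000_000)

    def unicast_finish_times(self) -> list:
        """Seconds after release at which each site receives the patch."""
        t = self.transfer_seconds()
        rounds = -(-self.sites // self.batch)  # ceiling division
        times = []
        for r in range(rounds):
            served = min(self.batch, self.sites - r * self.batch)
            times.extend([(r + 1) * t] * served)
        return times

    def unicast_total_seconds(self) -> float:
        return self.unicast_finish_times()[-1]

    def unicast_mean_exposure_seconds(self) -> float:
        """Average time a site is still unpatched after the patch exists."""
        times = self.unicast_finish_times()
        return sum(times) / len(times)

    def multicast_total_seconds(self) -> float:
        """Every site finishes together: one transfer, whatever the site count."""
        return self.transfer_seconds()

    def unicast_bits_on_wan(self) -> float:
        return self.file_mb * MB_TO_BITS * self.sites

    def multicast_bits_on_wan(self) -> float:
        return self.file_mb * MB_TO_BITS


# The article's scenario: 100 MB patch, 1.544 Mb/s links, 100 sites.
ARTICLE = Plan(file_mb=100, link_mbps=1.544, sites=100)
```

With the article's numbers, sequential unicast finishes after about 14.4 hours and the average site waits roughly half that, while multicast finishes every site in under 9 minutes using one hundredth of the WAN bits.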
Implementing simultaneous patch distribution
OmniCast for SMS uses IP multicast technology to enable simultaneous Zero-Day patch delivery within the normal SMS architecture in the shortest possible time. The user installs a new sender, which uses OmniCast’s multicast distribution technology to add these improvements transparently to SMS.
Requirements are as follows:
- Standard SMS 2003 architecture (a Primary site delivering packages across a WAN to Secondary site/Distribution Point servers)
- A multicast-enabled WAN*
- OmniCast for SMS deployed on a standard Windows server.
* Note: If multicast is not available, this solution can operate over unicast UDP or TCP, with some benefits, although the greatest scalability and time-to-delivery benefits are achieved in multicast networks.
OmniCast for SMS is delivered as an InstallShield package, and is installed on each primary and secondary site server involved in the distribution architecture.
Several SMS properties pages in OmniCast for SMS allow administrators to configure the distribution parameters, at which point OmniCast for SMS appears as another available SMS sender.
Once OmniCast for SMS is installed and running, the process for deploying patches is very straightforward:
- Create the same package you normally create for server patching in SMS.
- Select the OmniCast for SMS sender for the package.
- Initiate the distribution.
Assuming use of multicast distribution, OmniCast for SMS ensures that all servers receive the patch simultaneously. This is easy to monitor by watching either central site server activity or network activity: no matter how many servers are targets, the file is transported once and only once, dramatically scaling down the resources required.
By integrating multicast distribution to ensure simultaneous patch distribution to all servers with SMS, administrators gain the following key benefits:
- Reduced IT monitoring of patch distribution
- The fastest possible simultaneous patch delivery to an arbitrarily large number of servers
- The absolute minimum usage of hardware and network resources
Thus, using multicast distribution for SMS reduces IT staff time and network overhead in all patch distributions, and more importantly, it helps close the window between Zero-Day attacks and server vulnerability.
By Steve Bannister, vice president of engineering, Stratacache www.stratacache.com
e-mail: sbannist@activia.net