Patch proxy eases update pressure

Patch proxy eases update pressure

By Fred Kost

The pressure to patch servers is increasing as regulatory requirements drive rapid patch deployment. Many organizations have deployed patch-management systems to simplify and manage rollouts of security patches, yet they’re still left with the need to test and verify that patches will not disrupt critical applications.

Patch-proxy technology offers a solution to the challenge of quickly responding to new patches. Patch-proxy companies offer functional substitutes for the original vendors’ security patches, in effect providing proxies for actions of the vendor patches. Instead of testing and installing vendor security patches on servers, a patch proxy can be deployed to mimic the actions of patches that are not installed.

A patch proxy can be deployed in a network or on a host. The technology is primarily software, though it also can be delivered in an appliance form factor. Patch proxies rely on frequent updates to stay current with patch releases from operating system and application vendors. These updates are pulled down automatically and deployed, much like anti-virus updates.

In a network configuration, the technology resides inline, monitoring client/server interactions, intervening when traffic accesses an unpatched server application or operating system, mimicking how the patch would perform had it been installed on the server. The patch proxy performs the same function as the patch, fixing an error in the original program, but in this case making a change in the session on the wire and forwarding the traffic to the server. The inline patch proxy makes changes to apply the necessary patches for sessions between a client and a server; therefore, it must maintain all TCP/IP session handshaking yet remain transparent to the server and the client.

To read this story in its entirety, please click here.