Whiteboard

3 Posts authored by: bshopp

There is a lot of talk about IPv6 this week, with major ISPs, networking equipment companies, and others around the world enabling IPv6 for their products and services as part of World IPv6 Launch Day.

 

As an IT Management company, SolarWinds is always watching the market and listening to our customers to determine when they need and want IPv6 support in their tools.  You can see the support for IPv6 we offer in our product portfolio here.

Many of our current customers are still in the planning stage, or have implemented a dual-stack environment, so they can run IPv4 and IPv6 simultaneously on their devices. Last year we created this video with tips on how to plan for IPv6 migration with SolarWinds IP Address Manager.


Stepping back and looking at the market as a whole, what we see and hear today has not changed very much from a year ago. We are still seeing IPv6 being pushed and adopted in three primary spaces:


  1. Asia Pacific – places like China and Japan, amongst others, are always more technologically advanced and have adopted IPv6 sooner than most of the world
  2. Federal Agencies – we see this not only in the United States, but also other governments’ agencies. They are running dual stack environments for the most part, and want to ensure they are prepared for whatever happens in the future
  3. Internet or Managed Service Providers – folks who provide Internet access to consumers and businesses.

 

Many consumer services, like television and phone, are moving towards IP, increasing the need for IP addresses; sports stadiums are adding Wi-Fi, and energy grids are being built that will transmit information wirelessly back to the power company office. As more components of our daily lives become connected to the Internet, the need for IPv6 is increasing.

 

Some members of our thwack community are concerned that while IPv6 will solve the IP addressing dilemma, it may cause other problems. And not every large consumer brand is embracing IPv6. Apple’s latest version of one of their popular products is no longer compatible with IPv6 while the previous version offered IPv6 by default.

 

Only time will tell what the future holds for IPv6 adoption, but the fact remains that the world will continue to need more IP addresses going forward as we continue to increase the use of wireless-enabled devices.

What are your plans for IPv6 adoption? When, if ever, do you plan to move from IPv4 to IPv6? What problems will it solve? What problems will it create?

I was recently reading an interesting article from Eric Parizo at TechTarget -- “Time to ban dangerous apps? Exploring third party app security” -- and while I agree with a lot of the points he makes in the article, I would argue that his contention that banning common applications is an answer to protecting your organization will not fly in today’s business world.

As Dan Guido says in the same article, “every single piece of software you have is ****.”  From a hacker/exploiter perspective, there will always be a vulnerable app. When you close down one application with holes, whatever you choose to use instead is going to have similar or other issues attackers can exploit.  

Businesses will also incur the cost and penalty of having to re-train users to use these new applications, and if there are dependencies on other software you use -- either COTS (commercial off the shelf) or internal homegrown apps -- then those need to be updated as well. One example is applications that leverage JREs.

From a business perspective, I recommend that the old adage, “the best defense is a strong offense” should be followed.

Parizo references two patch management solutions in the article, but says that users “either struggle to quickly identify and test high-priority security patches, or simply don't make it a priority.”  Isn’t that what patch management solutions are for? 

The root problem with many of the solutions in the market today is twofold. First, many are just too darn expensive for most organizations to afford. Unfortunately, the true cost of being exploited is not realized by many until it is too late.

Second is ease of use. As Parizo writes, Microsoft has gotten much better at protecting its OSes from a security standpoint. It is also one of the few vendors out there that has an update service, Windows Server Update Services (WSUS), that is as mature as it is, and it provides functionality built into its server OSes to aid in distributing its product patches. However, as Parizo writes, third-party applications get left behind and do not enjoy the same luxury.

I believe patch management should protect both Windows and third-party applications. What about you? Would you ban common third-party apps at your company?

Mike Vizard recently authored a very interesting article “Rethinking Patch Management in the Era of the Cloud” in IT Business Edge. As a patch management software provider, we want to share our perspective.

In the article, patch management automation is positioned as if it is a real possibility. And, when selling a software solution to C-Level executives, this positioning sounds fantastic. What manager wouldn’t love to automate a process that has taken a huge investment of time and money in the past?  In this period of tight budgets, automation sounds like the answer …

But for the actual IT professionals who are down in the trenches doing the work, these words are the **** of many server room jokes.

We completely agree that patch management is vitally important to any organization and that the challenge is only getting worse with the growth of custom and third-party application updates; however, automation is not the answer. Let’s also make sure we are on the same page on what automation means. The software company quoted in the article has a tagline that says, “let us patch your servers auto-magically.” To us this means there is some defined intelligence which does things without human intervention -- the ability to schedule a task is not automation. What consumes a large chunk of engineers’ time is watching for when new patches are released, and then researching all the various data points needed for a patch: e.g., Where are the installers/updates? What are the dependencies with other applications or previous versions? How do I determine which machines are applicable?

The problem historically with many patch management solutions is that they are hard to use and require custom scripting and packaging of updates.  They are better than nothing, but just barely.  What IT professionals need is a product that is extremely easy to use and provides them a starting point for managing third party updates and content.  They need software to notify them when new updates are out and to do much of the leg-work on packaging this content and delivering it to them so they can test, tweak and deploy it in their environment.

The reason why automation has no place in real-life patch management is very simple and twofold -- every environment is different and engineers just don’t trust automation. Now, we are not saying automation does not have any place in IT; however, in the scope of configuration management (which includes patch management), to an engineer, this is just a marketing buzzword. The primary challenge that affects patch management operations is dealing with exceptions and unanticipated dysfunctions, and that mandates extensive testing on any machines that are not what we might call “stock”. That is, they have line-of-business apps not tested by the patch builder, or they have custom configurations, or they’re simply too critical to be offline for any more than the absolute minimum time required to apply the patch and successfully restart the system.

We were recently speaking with an engineer at a U.S. Federal installation who uses our Patch Manager software. Due to the variety of OS versions, hardware and third-party applications, including custom applications, they have a very strict and rigorous lab testing and validation procedure before they ever attempt to deploy an update out to the production environment. They will NEVER let a piece of software scan their environment and, based on rules or policies, push updates out without some form of human intervention and checking.

And don’t get us started on trying to deliver this type of service in a SaaS-based fashion, which in itself is rife with tons of other issues. Do YOU think patch management can be automated?

Brandon Shopp is SolarWinds' Director, Product Management. He has more than 10 years of experience in the IT technology field, either as an Engineer/IT Admin or working for a software company to help make those folks' lives easier.
