A network secure enough for a bank

analysis
Jun 18, 2004 · 3 mins

How the New York Federal Reserve keeps its vast network, comprising multiple OS platforms, secure and up-to-date

If there were ever a defining case for the need for a well-designed patch management strategy, the Federal Reserve Bank is it. In its New York location alone, the Fed maintains more than 10,000 discrete devices, including AS/400, HP-UX, Linux, Novell NetWare, and Sun Solaris servers, as well as a huge installed base of Microsoft Windows. The awesome responsibility of managing these assets falls on the shoulders of Sean Mahon, the New York Fed’s vice president of system management.

“Our real problem is cross-platform,” Mahon says. “Fortunately, our Unix-based platforms are more stable in regards to new security vulnerabilities. It’s the Microsoft platforms that have become extremely resource-intensive.”

Mahon’s standard routine for non-Microsoft platforms begins by prioritizing each announced patch. “To us,” he says, “these fall into only two categories: security-related, which we act upon immediately, and everything else, with which we can take more time for testing.” After a patch is announced, Mahon’s system administrators test it on a dedicated system and then deploy it using various tools that come bundled with Unix operating systems.

“Our response to Microsoft patch announcements is similar but with added granularity,” Mahon says. Defending against an Internet worm, for instance, is a priority that far outweighs a functional problem in Microsoft Office.

To manage his Windows installed base, Mahon relies on a combination of Microsoft SUS (Software Update Services), SMS (Systems Management Server) 2003, and strict policy rules. “We’ve simply got too much diversity even within Windows to utilize an all-in-one patching umbrella,” he says.

Desktop workstations cause Mahon the most headaches. “We have over 800 bank examiners, and we usually have no idea where they are,” he says. “The challenge with keeping those guys patched is huge, but they have to be patched because if one is infected, he could disrupt everything.”

Once patches have been identified, Mahon requires that his staff also adhere to strict validation metrics, although he admits this can be problematic. “Ideally, we always do thorough validation and testing prior to deploying,” he says. “But the fast-shrinking window of opportunity means we have to push them out faster to ensure we’re not vulnerable, and sometimes that outweighs the potential disruption of business systems.”

When asked for his patch management wish list, Mahon is less worried about centralized, cross-platform support than he is about managing mobile users. “We’ve got expert staff in their dedicated platform areas, so aside from the sheer volume of Microsoft patches that isn’t a real problem for us,” he says, adding that managing entry at the periphery of his network has become a critical factor. “We’ve got mechanisms in place, but perimeter is one area we’re always looking to improve.”