| HP Systems Insight Manager Integration |
| Q1. |
Is HP Systems Insight Manager taking on a totally new role in the systems management space with the integration of Vulnerability and Patch Management pack? |
| A1. |
No. Even though HP Systems Insight Manager was created as a hardware fault management tool, it has evolved into a complete resource life cycle management tool as a result of customer interest in using the tool for more than hardware fault management. Using Version Control, HP Systems Insight Manager users are already able to create, deploy and track a baseline of system level software (BIOS, ROM updates, firmware, etc.). Vulnerability and Patch Management Pack now extends HP SIM functionality to provide users with the ability to create, deploy, and track a baseline of operating system patches. It further raises the bar for systems management, and for HP Systems Insight Manager, it is a natural progression of functionality that meets customer expectations.
|
|
| Q2. |
Which aspects of HP SIM does Vulnerability and Patch Management Pack leverage? |
| A2. |
Vulnerability and Patch Management Pack leverages the discovery, identification, scheduling, role based security, notification, and group-based action mechanisms already available in HP SIM. Leveraging these mechanisms for vulnerability assessment and patch management allows users to optimize the time and labor investments they have made in HP SIM, allows them to deploy the functionality faster, and eliminates the need to implement a standalone tool. For example, SIM offers the ability to set up notification to operators when certain events occur. Since all the information to contact the operator is already set up, all that needs to be done is to check Vulnerability and Patch Management Pack events for which notifications need to be sent.
|
|
| Q3. |
What changes are happening to the HP Systems Insight Manager interface because of the VPM integration? |
| A3. |
The following additions are being made to the HP Systems Insight Manager interface due to the integration of Vulnerability and Patch Management Pack:
- The HP Systems Insight Manager 'systems list' will now feature an additional column titled 'VPM' that will reflect the status of vulnerability on a particular system.
- The 'Options', 'Diagnose', and 'Deploy' menu items will now have a Vulnerability and Patch Management option to drive features particular to Vulnerability and Patch Management Pack
- The 'Scheduled Tasks' list will now list all the tasks scheduled by Vulnerability and Patch Management Pack
- The 'Events' list will now list all events generated by Vulnerability and Patch Management Pack
|
|
| Q4. |
What is the advantage of seeing vulnerability status in the HP Systems Insight Manager Systems list? |
| A4. |
Systems administrators now have a single pane view of their hardware fault status, hardware performance status, system software revision level status and operating system vulnerability status. This view gives administrators a holistic view of the health of their server environment without having to maintain multiple tools. Users that want to manage vulnerabilities on both clients and servers from one single console can also use HP Systems Insight Manager to provide one consolidated view.
|
|
| Q5. |
Which version of HP SIM is required for VPM 2.0? |
| A5. |
HP SIM 5.0 SP2 or later is required for VPM 2.0. |
|
| Vulnerability assessment |
| Q1. |
What is unique about the vulnerability scanning capabilities of Vulnerability and Patch Management Pack?
| A1. |
Vulnerability and Patch Management Pack's vulnerability assessment function is powered by the only Common Criteria Certified vulnerability scanner in the industry (STAT® Scanner). Common Criteria is a certification developed by national security coordinators in the U.S., Europe and Canada to provide assurance that IT security products currently available actually do what their vendors claim they will do.
|
|
| Q2. |
What categories of vulnerability does Vulnerability and Patch Management Pack look for? |
| A2. |
Vulnerability and Patch Management Pack's comprehensive vulnerability scan identifies vulnerabilities in the following categories:
- Malware & Tools
- Trojan horses (Netbus, Melissa, SubSeven, Back Orifice, ...)
- Viruses & Worms (I Love You, Code Red, Nimda, MyLife, ...)
- DDOS agents
- Remote Access Tools (PC Anywhere, Terminal Services, ...)
- Password Crackers (L0phtCrack, ...)
- Port Checking
- Checks for 500+ Known Bad Ports
- Service Checking
- Checks for All Known Good Services
- Any Unknown Service Found is Documented
- Password Cracker
- Checks for vulnerable passwords
- Customer Dictionary May be added
- Software patches, version levels (security related)
- Denial of Service Vulnerabilities
- Privilege Escalation Vulnerabilities
- Password and Event Logging Policies
- Unsafe Code - Arbitrary Code Execution
- Configuration Settings
- Shares, Log-on/off settings, Permissions, Guest Accounts
|
|
| Q3. |
What benefit does the customization of vulnerability scan definitions provide? |
| A3. |
Vulnerability and Patch Management Pack ships with pre-defined vulnerability scan definitions that can be customized. There are several OS level configuration settings that might adversely affect applications when changed. Users can define vulnerability checks that are tailored to their specific environment, and are not forced to deal with excessive information.
|
|
| Q4. |
How does Vulnerability and Patch Management Pack get the information on the latest vulnerabilities and patches? |
| A4. |
From the Options menu in HP Systems Insight Manager, Vulnerability and Patch Management Pack can be configured to automatically download the latest vulnerability scan definition files from an HP web site where they are hosted, and the latest patches from OS vendor web sites where the patches are hosted. Vulnerability and Patch Management Pack automatically downloads this data to a central repository, and an event is generated and sent to HP Systems Insight Manager notifying it that a new update has been downloaded.
|
|
| Q5. |
How often are vulnerability updates provided? |
| A5. |
Vulnerability updates are provided on an ongoing basis and the frequency depends on the criticality of the vulnerabilities that have been announced. Minor vulnerabilities are usually grouped and released as often as once a week. When a critical vulnerability is announced, the update is usually released in a matter of hours. Users can schedule Vulnerability and Patch Management Pack to check for these updates at the frequency of their choosing.
|
|
| Patch Management |
| Q1. |
What is unique about the patch management capabilities provided by Vulnerability and Patch Management Pack? |
| A1. |
The patch management functionality of Vulnerability and Patch Management Pack is powered by HP OpenView Configuration Management Patch Manager, a component of the HP OpenView Configuration Management Suite, a comprehensive solution for automating the management of the entire server software stack including operating system, patch, applications, content and configuration settings.
The unique desired-state automation that powers these products not only ensures that a patch is deployed and installed correctly, but it also verifies that the patch continues to remain installed. If any changes are detected, the desired-state process will reinstall the patch automatically.
When multiple patches are being deployed to a system, the reboots for each patch install can be suppressed until the last patch is installed, eliminating the need to reboot the target system after each patch install. Administrators can also defer the reboot so that they can deploy the patches immediately and then reboot the system during a maintenance window.
|
|
| Q2. |
How does 'desired-state' management work? |
| A2. |
In its simplest form, desired-state management works much like a thermostat. You set a desired temperature on the thermostat, and the thermostat manages the heating and cooling to maintain that desired temperature. This is essentially how 'desired-state' works on software. The administrator sets a policy to establish the desired patch levels on each target system (or groups of systems) and the underlying software makes it happen and continuously verifies and maintains the correct state. The desired-state approach allows the replacement of manual intervention with automation, eliminating the need for lists, scripts and the manual effort associated with other tools.
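The loop described above, as an added Python sketch (not HP's or the product's code): it compares each system against the policy, reinstalls anything missing, and collapses per-patch reboots into a single reboot that is deferred until a maintenance window. The group names, patch IDs, `System` class and function names are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample policy (placeholder group and patch IDs, not real advisories):
# group name -> patches that must remain installed.
POLICY = {
    "web-servers": {"PATCH-0001", "PATCH-0002", "PATCH-0003"},
    "desktops": {"PATCH-0001"},
}
NEEDS_REBOOT = {"PATCH-0002", "PATCH-0003"}  # constructed: patches that require a restart


@dataclass
class System:
    name: str
    group: str
    installed: set = field(default_factory=set)
    reboot_pending: bool = False


def drift(system, policy):
    """Return the patches the policy requires that the system is missing."""
    return sorted(policy.get(system.group, set()) - system.installed)


def reconcile(system, policy, needs_reboot, in_maintenance_window):
    """Run one pass and return the actions taken (for the audit trail)."""
    actions = []
    for patch in drift(system, policy):
        system.installed.add(patch)  # stand-in for the real installer call
        actions.append(f"install {patch}")
        # Suppress the per-patch reboot; remember that one is owed.
        system.reboot_pending |= patch in needs_reboot
    if system.reboot_pending:
        if in_maintenance_window:
            system.reboot_pending = False
            actions.append("reboot")  # single reboot after the last install
        else:
            actions.append("reboot deferred")
    return actions


if __name__ == "__main__":
    host = System("web01", "web-servers", {"PATCH-0001"})
    print(reconcile(host, POLICY, NEEDS_REBOOT, in_maintenance_window=False))
    host.installed.discard("PATCH-0002")  # simulate a patch being removed
    print(reconcile(host, POLICY, NEEDS_REBOOT, in_maintenance_window=True))
```

Running the pass on a schedule is what turns a one-time deployment into continuous verification: a system that already matches the policy produces an empty action list.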
|
|
| Q3. |
Is the HP OpenView Configuration Management Patch Manager available without purchasing Vulnerability and Patch Management Pack? |
| A3. |
Yes, HP OpenView Configuration Management Patch Manager is available for purchase as a standalone tool or part of a comprehensive software management solution without purchasing Vulnerability and Patch Management Pack. Ideal customers for HP OpenView Configuration Management Patch Manager are medium to large enterprise customers who want to implement an enterprise-wide patch management solution potentially as part of a comprehensive software change and configuration management strategy.
HP Configuration Management Suite allows users to manage the complete life cycle of all the software assets in their enterprise.
|
|
| Q4. |
Can customers upgrade from Vulnerability and Patch Management Pack to HP OpenView Configuration Management Patch Manager? |
| A4. |
A direct software upgrade from VPMP to HP OpenView Configuration Management Patch Manager is not available. However, HP will protect the investment customers have made in VPM as they upgrade to HP OpenView Configuration Management solutions.
|
|
| Q5. |
What considerations should customers take into account in choosing between Vulnerability and Patch Management Pack and HP OpenView Configuration Management Patch Manager? |
| A5. |
The following table highlights the customer characteristics and their requirements in making the appropriate choice:
| | Insight software Vulnerability and Patch Management Pack | HP OpenView Configuration Management Patch Manager |
|---|---|---|
| Size | Small and medium-size customers, or departments in larger enterprises | Medium to large enterprises looking for an enterprise-wide patch management solution |
| Tools | Looking to leverage existing systems management tools for vulnerability assessment and patch management | Considering new tools, potentially as part of a comprehensive software change and configuration management strategy. |
| IT team | Do not have dedicated resources for vulnerability assessment and patch management | Sophisticated IT organization with good knowledge of security |
| Scalability | From tens to hundreds of servers and desktops in a single location. | From hundreds to thousands of desktops and servers in a single or distributed environment. |
| Extensibility and usage | Need very easy to install product with limited configuration choices | Need highly extensible product with many configuration choices to adapt to very specific needs such as in heterogeneous environments with multiple platforms |
|
| General |
| Q1. |
What integration does Vulnerability and Patch Management Pack have with products from other vendors? |
| A1. |
Vulnerability and Patch Management Pack automatically collects new patches directly from vendor sources, such as Microsoft's web-based patch depository and Red Hat Network. Vulnerability and Patch Management Pack does not integrate with Microsoft's MBSA, SUS or SMS tools or Red Hat's distribution tools.
|
|
| Q2. |
Why would a customer, who may be using the Insight Rapid Deployment software to deploy patches, adopt Vulnerability and Patch Management Pack?
| A2. |
RDP provides only a small part (deployment) of the functionality required in a vulnerability assessment and patch management tool. Vulnerability and Patch Management Pack provides additional key features such as the automated gathering of vulnerability data, scheduled scans to identify vulnerabilities, automated acquisition of patches, correlation of patches with the vulnerabilities, scheduled deployment of patches, and assurance that patches remain installed on an ongoing basis.
|
|
| Q3. |
What platform other than ProLiant servers does Vulnerability and Patch Management Pack support as target nodes? |
| A3. |
Vulnerability and Patch Management Pack will support any IA-32 server, desktop, laptop and workstation running supported 32-bit Windows and Red Hat Linux operating systems. For a complete listing of the operating systems supported, please see the QuickSpecs.
|
|
| Q4. |
Does Vulnerability and Patch Management Pack integrate with HP SIM Version Control? |
| A4. |
Vulnerability and Patch Management product does not currently integrate with HP Systems Insight Manager Version Control, but this integration is under investigation for potential delivery in future releases.
|
|
| Q5. |
What are the key new features in different versions of Vulnerability and Patch Management Pack? |
| A5. |
The following new key features have been added to v2.0:
- New Patch Installation Status reports
  - By patch
  - By system
  - By search filter - Patch advisory or CVE
- Support for Microsoft SQL as database
- Support for new Microsoft patch repository (Microsoft Update Catalog) - User experience to acquire new patches remains unchanged
The following new key features have been added to v1.1:
- Vulnerability scanning and patching of client devices (desktops, laptops and workstations) running Windows XP Professional and Windows 2000 Professional - Customers who want to identify and resolve vulnerabilities for servers and client systems from one single central console can now do this with version 1.1 and higher
- Import of acquired patches and vulnerability updates without connecting the VPM server directly to the Internet - For customers whose infrastructure security policy restricts acquisition of http and ftp content directly from the Internet from inside the firewall, the new VPM Acquisition Utility can be installed on a desktop or server with unrestricted access to the Internet to acquire the updates. These updates can then be imported into the VPM server, thus enabling updates to be acquired without connecting the VPM server directly to the Internet.
- Deferring of reboot after patch installation - With version 1.1 and higher, VPM now allows administrators to postpone the reboot after installing a patch. This will enable administrators to push patches out as soon as possible and then reboot the server during the next available maintenance window.
|