Beginners Guide to Updating a Network

Updating software is one of the most important aspects of maintaining a secure, smooth-running network. Unfortunately, it is often overlooked because the task can be daunting for large organizations, and when a system is running smoothly, no matter how many times unexpected debacles have occurred in the past, it is difficult to envision problems. This document will guide you in the proper method to update your software with the time you have available.

Identify those computers in your network, which are critical and plan to update those first. Critical hosts are typically those that are most visible to the outside world, those that store the most vital data, and those that provide the most critical resources. A typical network's list of critical resources includes external web sites, firewalls, e-mail servers, DNS Servers, and database servers. By focusing on these hosts first, the problem of updating the software at your site has been reduced tremendously.

Step 2: Updating Critical Resources

Each critical host should be examined at least once a month to determine if it needs to be updated. Any software that an attacker could use to penetrate the host must be updated regularly. Software in this category includes: the operating system, servers or any software that receives network packets, software running as root or administrator, security software (especially virus checkers). Make a list of such software per host and write down the associated version numbers. Find the web page for each piece of software and make sure that you have installed the latest version. Then, find and install the available patches that are to be applied to your version of the software. Each software vendor will have unique instructions on how to install their patches (usually the process is very simple). Be careful to follow their instructions, as patches must often be installed in a set sequence for the entire process to work. Oftentimes, it is difficult to find the web site containing patches for particular types of software. To help you, we have designed this site to contain links to web sites that contain patches. Expect to spend a couple of hours the first time you update software on a host.

Non-critical hosts are obviously less important to protect than critical hosts. However, an attacker may penetrate into your network by breaking into a non-critical host and then use that host to attack critical resources. The level of security of non-critical hosts is important. However, it is a daunting task to update the software on all non-critical hosts in a network. Thus, many systems administrators do not regularly update non-critical hosts but they shield them by using external and internal firewalls. The firewalls prevent outside network traffic from being routed to the non-critical host, which protects them from being attacked. This technique works well but it does not protect against all attacks. Specifically, viruses and Trojan horses (especially those transmitted through e-mail) can still attack non-critical hosts. In order to secure non-critical hosts while being cost effective, we recommend the following security plan. Install firewalls inside your organization to protect groups of non-critical hosts from other parts of the network. This way, if an attacker breaks into a host in your organization, the attacker can not easily spread his influence to other hosts. Install virus checkers on all non-critical hosts that receive e-mail and update these once a month. Many vendors have an automatic update feature to make this easier. This security architecture will protect against the majority of attacks. Then, once every year each non-critical host should be updated as defined in step 2.

Consider using a software management package that allows you to "push" updates to clients across your network from a central location. However, that may be infeasible due to cost constraints. Train users to perform simple updates on their own machine. For example, users can be trained to periodically use the Microsoft "Windows Update" page to automatically fix security holes in the majority of non-critical host operating systems. Also, systems administrators can advertise that new versions of popular software are available for download. Send out periodic e-mails pointing users to patches for software they use.