
VMP via WSUS

 
Dmitry_70
Frequent Advisor

VMP via WSUS

Dear colleagues,
I plan to use Microsoft Windows Server Update Services for Microsoft updates and SIM with Version Control Repository for HP updates. Could you please explain to me whether I can get any benefits from the Vulnerability and Patch Management Pack in this case? Is there any reason to install the Vulnerability and Patch Management Pack?
11 REPLIES
David Claypool
Honored Contributor
Solution

Re: VMP via WSUS

Acquiring updates and causing the bits to be installed is a rather simple task; that's why Microsoft is giving it away.

There are 2 ways that the Vulnerability and Patch Management Pack differs from SUS:

First, VULNERABILITY. Attacks on systems are not all based on exploits that can be patched to close, such as a buffer overflow error. There are numerous configuration issues such as guest accounts without passwords, insecure file shares and many more that can leave a system vulnerable. VPM incorporates security threat avoidance technology by integrating Harris Corporation's STAT Scanner, the industry's only Common Criteria Certified (a DoD standard) vulnerability scanner. These scans have pre-set criteria plus you can create your own. This alone could save $$$ as part of a SarBox compliance program.

Secondly, VPM incorporates the industry-leading desired state technology HP acquired when we acquired Novadigm and their RADIA patch management solution. Through this, VPM knows what is supposed to be on each system and if it deviates from that (harmless user error or through an accidental downgrade), VPM can bring that system back into compliance automatically.

Finally, VPM is an integral part of HP SIM, so you don't have to learn another system and keep it maintained.
Rob Buxton
Honored Contributor

Re: VMP via WSUS

You can supplement the lack of vulnerability assessment of WSUS with the free MBSA from MS.

VPM pulls everything into HPSIM, which is nice for visibility, but it costs. The WSUS / MBSA option is still free.

Of course, WSUS and MBSA is solely MS, so that might also be a restriction for you.
Dmitry_70
Frequent Advisor

Re: VMP via WSUS

Thank you for your replies!
I tried VPM and it's fine. Moreover, I have only 5 servers with Windows Server 2003, and 5 free licenses are enough for me. Could you answer one more question, please: if I use VPM to analyze and patch my servers, is there any reason to update the same servers with WSUS?
Thanks again.
Rob Buxton
Honored Contributor

Re: VMP via WSUS

Only as a check.
In my testing I found VPM was a bit behind WSUS. There were also a couple of issues where patches were not seen by VPM and an update to VPM itself was needed.
As VPM was still very new at the time this may have just been teething problems.
Dmitry_70
Frequent Advisor

Re: VMP via WSUS

Thank you very much.
Could you please answer: can VPM download Microsoft updates from WSUS? I will use VPM for server updates, and anyway I should use WSUS for workstation updates. If it is possible for VPM to download updates from WSUS, the traffic can be much lower.
Thank you.
Eric_237
Frequent Advisor

Re: VMP via WSUS

I'm interested in VPM too. However, we don't need it for vulnerability assessment.

We just want an easier way to patch the Microsoft Critical updates.

From my looking at VPM so far, there didn't seem to be an easy way to just use it to patch servers with the latest MS critical updates.

Am I missing something -- how do you do this?
Rob Buxton
Honored Contributor

Re: VMP via WSUS

Dmitry,
I think VPM may well get the patches it needs from the same source. The problems I saw were the fact it didn't recognise the need for the patch, hence it didn't pull the patch down.
Eric,
If you do not need vulnerability assessment and are a MS only shop you may want to look at WSUS. It will mean a separate management tool and interface but it is quite simple and it is free.
Why not download, install and test them both. As I noted above, VPM would give a clear assessment against vulnerability visible in HPSIM. But, once you have more than 5 Servers it costs.
Eric_237
Frequent Advisor

Re: VMP via WSUS

We actually already have a tool for MS patching -- we use HFNetChk Pro.

However, we were thinking of using VPM, since it ties directly into Insight Manager.

Currently I have to create text file lists of our servers and import them into HFNetChk Pro before scanning and patching (so I can avoid scanning entire subnets).

So if I can get VPM to work easily for Microsoft patching, I would prefer it. It is nice to see everything in one interface too.

So is there a way to use VPM for just Microsoft server patching?
Dmitry_70
Frequent Advisor

Re: VMP via WSUS

Eric, yes, of course. VPM can download and deploy Microsoft patches for those issues it found on your computers.
Dear Rob, I agree that most probably VPM gets patches from the same source. I asked another question: can I change the location VPM downloads patches from? This answer is interesting for me because I have to use both solutions: VPM for servers and WSUS for other computers. And I'm afraid that both VPM and WSUS will download the same patches. If I could change the location VPM downloads patches from, the Internet traffic could be a lot lower.
Rob Buxton
Honored Contributor

Re: VMP via WSUS

Ahhh... get VPM to get its patches from your WSUS Server?

I no longer have VPM installed so cannot really look further. But I don't think you can change the location, from memory it was just the Proxy Settings etc. that could be changed.
Jennifer_74
Frequent Advisor

Re: VMP via WSUS

VPM downloads patches directly from the patch vendors. It cannot access patches on a WSUS server.

VPM will always pull down the latest available patches from a vendor (via a scheduled or manually run acquisition). In the past there were a few patches that could not be downloaded temporarily due to the way they were released. This issue was fixed.

Updated VPM scans will be a few days behind patch releases. In the meantime, you can always use the "Patch without a Scan" menu to deploy patches. The patch agent validates the need for the patch before applying it, so if the patch is not needed or applicable to the system, it won't be applied.