Keeping your infrastructure up to date
As with most products you want to keep them up to date for several reasons, which can include security, availability, reliability or even new features in the product. Keeping products up to date is a process that keeps repeating itself and needs a good plan to keep up with the most recent updates.
A lot of times though you will see that an organization isn’t on top of the update process, either because they aren’t aware of it or just forget to execute the tasks for updating their products.
The following BBC News article shows what might happen when you’re not keeping your system up to date. Several companies have become victims of the the Sasser virus which interrupted their normal operations.
Recently I have been doing a quick look at an VMware ESX infrastructure in which I noticed they did install the VMware update manager. They also had a baseline configured and attached to several ESX hosts and every evening there was a scheduled task to check for new updates available.
However what they did not do was scan the hosts to see if they where missing updates available in the baseline. Several hosts didn’t receive a scan for almost a year, wich is a shame as it could easily be covered with a scheduled task.
So what I did for them is setup a scheduled task that would scan the hosts every week and send an e-mail to the adminisatrators on completion. This way they will be remembered each week to have a look at the updates.
Now it is up to them to make a plan in wich they can maintain the production of the company and keep their products up to date (not only the ESX infrastructure).
Some things you might want to keep in mind when creating your plan are:
- Before installing the patches find out if there are known issues about them. Maybe somebody already had trouble with installing updates and made the issue public.
- Subscribe to newsletters to keep yourself up to date about the products you are using.
- On what day do I want to install updates?
Microsoft for example has patch Tuesday, do you want to install the patches the same day?
- Do I have or want to use a testing environment?
Some companies have a “street” of servers wich lead from Design -> Testing -> Acceptation -> Production, installing updates in the first and slowly test en continue onto the next environment.
- Who needs to be informed when I’m going to update? And what information do I send them?
An example at one of our clients: The provider of the URL filtering service was having a planned maintanence window and also updated their service. However they forgot to inform the client wich resultated in users not beeing able to browse to websites they needed to visit. After contacting the provider they informed us there where new catagories implanted into the filter which we had to approve. It’s a shame that the provider did not let us know this before they updated the service so we could prepare for it.
- Include a rollback plan into your overall plan. Not all updates have the desired effect and you might have to recover to the previous situation to get your services running again.
- Which patches do I want to intstall?
Some patches are for security or stability, others might add extra features and might not be wanted all the time.
No plan is exactly the same because no company is identical and a plan like this should be adapted to the needs of the company.
Hopefully this post will help you with updating your own infrastructure.