Patching in Federal Government Networks

Tyler Jaeger, Senior ATS Sales Engineer – Public Sector, Ivanti

Ivanti is committed to our customers who uphold the Nation’s highest commitments. To this end, Ivanti believes that the mission our customers fulfill should not be impeded or constrained by the security stance they take. In these security-conscious situations, it is considered both mandatory and best practice for nodes within these networks to be either disconnected or entirely air-gapped.

(Context: A disconnected network can traverse its own internal network/intranet but is disconnected from the broader internet. An air-gapped environment is even further isolated: it is entirely independent, with no connectivity to either a larger intranet or the internet.)

Despite these efforts, the risk of exploitation is not eliminated simply by disconnecting nodes or placing them into an air-gapped state. Network isolation of these servers and endpoints is only one aspect of the zero-trust security paradigm that these system administrators have to contend with.

Technical administrators of these environments are still responsible for maintaining their systems against ongoing vulnerabilities. Patching these systems acts as a countermeasure against insider threats within them. These vulnerabilities are more than the standard Patch Tuesday Windows OS vulnerabilities: a significant majority of them exist in the third-party application ecosystem. According to the U.S. National Vulnerability Database, Microsoft exploits account for only 15% of total vulnerabilities today.

Patching these systems can be extremely tedious, time-consuming, and manually intensive. That time could be better spent on strategic security measures, or not spent at all. As a result of this lengthy process, critical systems can be impacted and left exposed to known vulnerabilities. A report from the GAO (as detailed on p. 46 of GAO Report 16-501: Agencies Need to Improve Controls over Selected High-Impact Systems) shows that this has historically left even critical vulnerabilities unpatched for a significant period (in the report, several years). To address these issues, Ivanti assists our customers by automating the remediation of the vulnerabilities found within their systems, while also providing a record of truth and reporting for these workflows.

Ivanti’s Disconnected Patching Capability

Ivanti’s product portfolio includes not only its flagship cloud-based product suite but also a strong array of on-premise products. Two products worth highlighting here are Ivanti Security Controls (ISEC) and Ivanti Endpoint Manager (EPM). Both products have on-premise deployment options which extend into disconnected and air-gapped use cases.

At a high level, Ivanti services disconnected and air-gapped environments through servers placed within those environments. Those servers then act as a repository for OS patches (including Windows, Linux, and Mac) along with third-party application patches. Reference this example diagram of a disconnected instance of Ivanti ISEC. In this example, a central environment is used to download and prepare patches for the environment. One or many disconnected environments can then be stood up, with patches and management provided via a ‘File Transfer Service’. This service can mean one of two things: either approved media devices to enable transfers when no connectivity can exist, or a staged approach in which connectivity for a centralized console is alternated between the internet and a disconnected environment. Where approved, this prevents a direct link between the internet and the disconnected environment.

One additional note on this diagram: both the Central Rollup Console and the Connected Environment can also be connected only temporarily, even if just to update definitions in support of the disconnected portions of the deployment.

Ivanti Endpoint Manager (EPM)

On the flip side, we can take the disconnected/connected philosophy described for ISEC and apply it to our EPM product. As with ISEC, an admin can create multiple EPM consoles, or cores, without any additional charges. Those cores can be deployed as disconnected or ‘dark’ cores. Vulnerability definitions and patches can then be copied from a connected environment into the disconnected environment via the same preferred ‘File Transfer Client’ of choice. This methodology has been proven among our customer base, who have effectively deployed it into disconnected and air-gapped instances for both ISEC and EPM.
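The file-transfer step described for ISEC above, and reused here for EPM dark cores, is the point where content crosses from the connected side to the isolated side on approved media. The example below is an added illustration and is not Ivanti code, nor the format ISEC or EPM use for their transfers: it assumes a generic bundle directory of patch and definition files with a `manifest.json` (an assumed name) written on the connected side, and shows how the disconnected side can confirm that exactly the prepared files arrived, unaltered, before they are imported. The file names and payloads are constructed for the demonstration.

```python
"""
Integrity check for a patch bundle carried across a file-transfer gap.

Added example, not Ivanti code. Assumes a bundle is a directory of patch and
definition files plus a manifest.json (assumed name) written on the connected side.
"""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # assumed file name, not an Ivanti convention


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large patch payloads never sit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(bundle_dir: Path) -> dict:
    """Connected side: record relative path, size and digest of every file in the bundle."""
    entries = {}
    for p in sorted(bundle_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            rel = p.relative_to(bundle_dir).as_posix()
            entries[rel] = {"sha256": sha256_of(p), "size": p.stat().st_size}
    manifest = {"files": entries}
    (bundle_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_bundle(bundle_dir: Path) -> dict:
    """Disconnected side: compare what arrived against the manifest.

    Returns a report with three lists; the bundle is acceptable only when all are empty.
    """
    manifest = json.loads((bundle_dir / MANIFEST_NAME).read_text())
    expected = manifest["files"]
    present = {
        p.relative_to(bundle_dir).as_posix()
        for p in bundle_dir.rglob("*")
        if p.is_file() and p.name != MANIFEST_NAME
    }
    report = {"missing": [], "mismatched": [], "unexpected": []}
    for rel, meta in expected.items():
        if rel not in present:
            report["missing"].append(rel)
            continue
        if sha256_of(bundle_dir / rel) != meta["sha256"]:
            report["mismatched"].append(rel)
    # Files that were not prepared on the connected side must not be imported silently.
    report["unexpected"] = sorted(present - set(expected))
    report["ok"] = not (report["missing"] or report["mismatched"] or report["unexpected"])
    return report


def demo() -> dict:
    """Build a constructed bundle, verify it, then alter it and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "connected_side"
        (src / "windows").mkdir(parents=True)
        (src / "definitions").mkdir()
        # Constructed placeholder files; names and contents are not real patches.
        (src / "windows" / "KB-EXAMPLE.msu").write_bytes(b"constructed payload")
        (src / "definitions" / "defs.xml").write_bytes(b"<defs/>")
        build_manifest(src)

        clean = verify_bundle(src)

        # Simulate one altered file and one stray file on the disconnected side.
        (src / "windows" / "KB-EXAMPLE.msu").write_bytes(b"constructed payload, modified")
        (src / "extra.bin").write_bytes(b"not in manifest")
        tampered = verify_bundle(src)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest travels on the same media as the bundle, so this check detects accidental corruption and stray files, but not a transfer where both payload and manifest were replaced together; covering that case would mean carrying the manifest's digest (or a signature over it) through a separate, trusted channel, which the block above deliberately does not attempt.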

Modernized & Automated Patching Workflows

Modernizing the patching process means reducing the mean time to patch and strategically securing against vulnerabilities. To that end, Ivanti provides Neurons for Risk-Based Vulnerability Management (RBVM), a vulnerability management system that provides context around threats (for example, ‘trending’ vulnerabilities, or vulnerabilities that can be exploited without physical access to the target).

RBVM also provides the necessary patches and remediation for those vulnerabilities. By integrating our patching products with RBVM, we modernize patching into a strategic and automated process. Files listing the vulnerabilities deemed most risky can be loaded into solutions like EPM to determine and provide the corresponding patches. This workflow still applies in disconnected and air-gapped use cases: RBVM can connect to the Rollup Core while patches are disseminated via the process described above.

How Ivanti can Help

Between Ivanti’s EPM and ISEC products, a system administrator has full coverage to patch the Windows, macOS, and Linux servers and workstations within their environments. Patching also extends to the third-party applications in which a significant portion of vulnerabilities originate. Ivanti also has a team of QA testers who validate the patches within its third-party patch catalog to ensure that no patch will cause a system crash. This patching applies to both connected and disconnected environments, without any additional charges for scaling your console server deployments.

ISEC can discover and patch endpoints both with an agent and agentlessly. ISEC can also integrate with on-premise VMware ESXi environments and patch ESXi hosts, as well as images and offline VMs, further centralizing and reducing time to patch across the environment. EPM, by contrast, provides users with a full suite of endpoint management capabilities in addition to patching, including discovery and data normalization, OS provisioning, software distribution, user profile management, remote control, and integrated patching and endpoint security.

About Ivanti

Ivanti was created in 2017 with the merger of Landesk and HEAT software. We are a powerhouse IT solution with over 30 years of combined experience. Ivanti finds, heals and protects every device, everywhere – automatically. Whether your team is down the hall or spread around the globe, Ivanti makes it easy and secure for them to do what they do best.

Ivanti is committed to supporting customers with either cloud or on-premise deployment requirements. In both deployment paths, Ivanti’s portfolio contains accredited solutions holding the following certifications: DoD ATO, Army CoN, Common Criteria, DoDIN APL, DISA STIG, DoD IL2 & IL5 Private Cloud, NIAP MDM PP v4, NIAP Common Criteria, NSA CSfC, FIPS 140-2, FedRAMP Moderate, and SOC 2.