{"id":9155,"date":"2024-01-31T15:31:00","date_gmt":"2024-01-31T20:31:00","guid":{"rendered":"https:\/\/www.carahsoft.com\/wordpress\/?p=9155"},"modified":"2025-04-03T12:07:15","modified_gmt":"2025-04-03T17:07:15","slug":"ivanti-patching-federal-government-networks-blog-2024","status":"publish","type":"post","link":"https:\/\/www.carahsoft.com\/wordpress\/ivanti-patching-federal-government-networks-blog-2024\/","title":{"rendered":"Patching in Federal Government Networks"},"content":{"rendered":"\n

Ivanti is committed to our customers who uphold the Nation\u2019s highest commitments. To this end Ivanti believes that the mission our customers fulfill should not be impeded or constrained by the security stance they take. In these security conscious situations, it\u2019s considered both mandatory and best practice for nodes within these networks to be either disconnected or entirely air-gapped.<\/p>\n\n\n\n

(Context: A disconnected network can traverse its own internal network\/intranet but is disconnected from the broader internet. Conversely \u2013 an air gapped environment is even further isolated \u2013 being entirely independent with no connectivity to either a larger intranet or internet.)<\/p>\n\n\n\n

Despite these efforts – the risk of exploitation is not absolved simply by disconnecting or placing nodes into an air-gapped state. Network isolation of these servers & endpoints is only one aspect within a zero-trust security paradigm that these Sys-Admins have to contend with.<\/p>\n\n\n\n

Technical administrators of these environments are still responsible for maintaining their systems against on-going vulnerabilities. The patching of these systems acts as a counter measure against insider threats within these systems. These vulnerabilities are more than the standard Patch Tuesday Windows OS vulnerabilities. A significant majority of these vulnerabilities exist in the 3rd party Application Eco-System. According to The U.S. National Vulnerability Database – Microsoft exploits only account for 15% of total vulnerabilities today.<\/p>\n\n\n

\n
\"Ivanti<\/figure><\/div>\n\n\n

Patching these systems can be extremely tedious and time-consuming, but also manually intensive. This time could be better spent performing strategic security measures, or not spent at all. As a result of this lengthy process critical systems can be impacted and left open to vulnerabilities. A report from the GAO (As detailed in Pg. 46 of the GAO Report 16-501: Agencies Need to Improve Controls over Selected High-Impact Systems<\/a>) shows that this has historically left even critical vulnerabilities unpatched after a significant time period (In the report \u2013 several years). To address these issues, Ivanti assists our customers by automating the remediation of the vulnerabilities found within their system, while also providing a record of truth, and reporting to these workflows.<\/p>\n\n\n\n

Ivanti\u2019s Disconnected Patching Capability<\/h2>\n\n\n\n

Ivanti\u2019s product portfolio not only includes its flagship cloud-based Product Suite, and also a strong array of On-Premise based products. Two products worth highlighting for this are Ivanti Security Controls<\/a> (ISEC), and Ivanti Endpoint Manager<\/a> (EPM). Both products have On-Premise deployment options which extend into Disconnected and Air-Gapped Use-Cases.<\/p>\n\n\n\n

At a high-level, Ivanti services disconnected \/ airgapped environments via the use of servers placed within those environments. Those servers then act as a repository for OS patches (Incl. Windows, Linux, and Mac), along with 3rd Party Application Patches. Reference this example diagram of a disconnected instance of Ivanti ISEC. In this example, a central environment is used to download and prepare patches for the environment. Then, one-to-many disconnected environment can then be stood up with patches and management provided via a \u2018File Transfer Service\u2019. This service can mean two things: either an approved Media Devices to enable transfers when no connectivity can exist, or a staged approach in which connectivity for a Centralized console is alternated between the Internet and a Disconnected Environment. Where approved, this prevents a direct link between the internet and the disconnected environment.<\/p>\n\n\n\n

One additional note with this diagram is that both the Central Rollup Console and Connected Environment can also be connected on temporarily, even if only to update definitions in support the disconnected portions of the deployment.<\/p>\n\n\n\n

Ivanti Endpoint Manager (EPM)<\/h2>\n\n\n\n

On the flipside, we can take the disconnected \/ connected philosophy we mentioned in ISEC and apply it to our EPM product. Like with ISEC an admin can create multiple EPM consoles, or cores without any additional charges. Those cores can be deployed as disconnected or \u2018dark\u2019 cores. Vulnerability Definitions and Patches can then be copied from a connected environment into the disconnected environment via the same preferred \u2018File Transfer Client\u2019 of choice. This methodology has been proven amongst our customer base who have effectively deployed this into disconnected and airgapped instances for both ISEC and EPM.<\/p>\n\n\n\n

Modernized & Automated Patching Workflows<\/h2>\n\n\n\n

Modernizing the patching process means reducing the Mean Time to Patch, and strategically securing against vulnerabilities. To that end, Ivanti provides Neurons for Risk Based Vulnerability Management<\/a> \u2013 a Vulnerability Management system that provides contextualization around threats (Ex. \u2018Trending\u2019 Vulnerabilities or Vulnerabilities could be executed without physical access to the target).<\/p>\n\n\n\n

RBVM also provides the necessary patches and remediation for those vulnerabilities. By integrating our Patching and RBVM we modernize patching into a strategic and automated process. Files containing the vulnerabilities deemed most risky can be loaded into solutions like EPM to determine and provide patches. This workflow can still apply even in disconnected and airgapped use cases. RBVM could connect to the Rollup Core while disseminating patches via the process mentioned above.<\/p>\n\n\n\n

How Ivanti can Help<\/h2>\n\n\n\n

Between Ivanti\u2019s EPM & ISEC products, a System Administrator would have full range to patch the Windows, MacOS, and Linux Servers and Workstations within their environments. Patches also extend to 3rd Party Applications in which a significant portion of vulnerabilities originate. Ivanti also has a team of QA testers that validate the patches within its 3rd Party Patch Catalog to ensure no patches will cause a crash to the system. This patching can apply to both connected, and disconnected environments without any additional charges for scaling your Console Server Deployments.<\/p>\n\n\n\n

In the case of ISEC – ISEC can discover and patch endpoints both with an agent and agentlessly. ISEC can also integrate with On-Premise VMware ESXi environments and patch ESXi hosts, as well as images and offline VM\u2019s, thus further centralizing and reducing time to patch across the environment. Conversely \u2013 EPM provides users with a full suite of Endpoint Management capabilities in addition to patching including Discovery and Data Normalization, OS Provisioning, Software Distribution, User Profile Management, Remote Control, and Integrated Patching and Endpoint Security.<\/p>\n\n\n\n

Additional Resources<\/h2>\n\n\n\n

For further reading, please consider Ivanti\u2019s Product documentation around this subject. These references can provide additional documentation around how to establish:<\/p>\n\n\n\n