Patch Management for Air Gap Networks
Air gap networks are closed networks with no interface connected to the outside (Internet) world. Resources are kept in such an isolated network to reduce their exposure to external threats. Hence, data must be moved to and from a machine in such a network manually, using a physical medium such as a CD or USB drive.
The architecture and procedure below describe how patch management works in such an environment.
Architecture
As shown above, when the ServiceOps application is installed in a closed network,
- The Patch Sync Application should be installed in a separate machine having an Internet connection.
- Once installed, sync the patch database to download the patches for the required OS.
- Copy the database to a physical drive like a CD/USB drive and manually move it to the ServiceOps server.
- In ServiceOps, the missing patches will be scanned and discovered. Then, export the missing patch details to the Patch Sync application by copying them onto the physical drive.
- Download the patches from the Internet, copy them to the physical drive, and then transfer them to the ServiceOps server again.
Here, the Patch Management Utility application is installed on a computer having an Internet connection to import and download the patches for the ServiceOps application located in the closed network.
Procedure
To perform patch management in a closed network, follow the below steps:
Download the PatchManagementUtility.exe file on the computer that has an Internet connection.
Note: The free space required on the target machine depends on the patches to be downloaded.
Run the .exe file with administrator rights.
The following screen appears. Register the user by entering the below details:
- Name: Name of the client.
- Email: Email address of the client.
- Activation Code: Agent activation code can be taken from the ServiceOps > Admin Settings > Organization > Account > License Details page.
Once done, click Register, and a confirmation message "User Registered!" will appear. Click OK, and the following screen appears.
In the Patch Sync tab,
Create a folder in the 'C' drive of your system to store the Patch DB Dump.
Note: The folder name should not contain spaces.
Once created, select the location (1) where the Patch DB Dump should be downloaded. Here, the "PatchDownload" folder is used.
Select the OS (2) for which you want to download the Patch DB Dump. You can select multiple OS.
Click Get DB (3) to start the Patch DB download process. Once the patches are downloaded from the Central Patch Repository, you will get a .7z file. Copy the file into a physical drive and upload it to the ServiceOps server.
Tip: Patch Sync configuration is a one-time process.
On the ServiceOps server, upload the .7z file to the below location.
/opt/flotomate/main-server/config
Unzip the file using the below command:
Syntax for Ubuntu:
7z x {file-name}
Example:
7z x airgappatch.7z
Grant the fmt user ownership of the extracted files using the below command.
Syntax:
chown -R fmtuser:fmtusergroup {extracted-folder-name}
Example:
chown -R fmtuser:fmtusergroup airgappatch
In ServiceOps, sync the patch database manually using the Update Now button from Admin > Patch Management > Patch Settings > Update Patch Database tab.
Note: The Schedule and Third-Party patch flags must be disabled.
- Once the patch sync process is completed, add Computers to the End Points Scope.
- Next, navigate to the Patch Management > Patches page. Check for the missing Patches and download them by clicking the Download Patch icon. A JSON file containing the list of patches will be downloaded.
In the Patch Sync application, in the Patch Download tab,
Select the JSON file received from ServiceOps, using the Browse button (1), and click Import (2). Here, the "unix_centos.json" file is used as an example. Once done, the patch list will appear in the below pane (3).
- Next, create a folder (folder name should be without spaces) to save the downloaded patches in the 'C' drive of your system. Here, the "PatchDownload" folder is used.
- Select the patches to be downloaded (1), click Browse (2) to select the Download Location (3), and click Download. The imported patches will get downloaded in the selected folder.
- Once downloaded, you can view the report by clicking the View Report button. Also, you can view the failed patches by enabling the Show Failed Record option.
Next, on the ServiceOps server, navigate to the filedb folder located at
/opt/flotomate/file-server/filedb
and check whether the tenant folder has been created. If the folder does not exist, create it using the command below and grant it the appropriate fmt user permissions.
Syntax:
mkdir {tenant-name}
Example:
mkdir apolo
Once the tenant folder is created, create the patch folder in it using the below command.
Syntax:
mkdir {patch-folder-name}
Example:
mkdir patch
Next, copy the downloaded zip file to a physical drive, carry it to the main server of the ServiceOps application in the air gap network, and place it at the below path.
Path:
/opt/flotomate/fileserver/filedb/{tenant_name}/patch
Example:
/opt/flotomate/fileserver/filedb/apolo/patch
Next, unzip the file using the below command.
Syntax for Ubuntu:
7z x {file-name}
Grant the fmt user ownership of the tenant folder using the below command:
chown -R fmtuser:fmtusergroup {tenant_name}
- Now you can deploy the patches and carry out the patch management process in a closed network.
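The server-side steps above (verify and extract the archive carried in on the physical drive, set fmt ownership, create the tenant and patch folders) collected into POSIX shell functions, as an added example that is not part of the ServiceOps documentation. The SHA-256 manifest, the optional owner parameter and the function names are assumptions added here; the paths and the fmtuser account come from the page.

```shell
#!/bin/sh
# Added example, not part of the ServiceOps docs: helpers for the server-side
# steps (stage the archive brought in on removable media, create the tenant
# patch folder). Assumes a manifest "<archive>.sha256", written with
# `sha256sum` on the Internet-connected machine, travelled on the same drive.

# Compare the archive's SHA-256 with the manifest so a corrupted or swapped
# file is rejected before it is extracted on the server. Returns 0 on match.
verify_archive() {
    archive="$1"
    manifest="${archive}.sha256"
    [ -f "$manifest" ] || { echo "missing manifest: $manifest" >&2; return 1; }
    expected=$(awk '{print $1}' "$manifest")
    actual=$(sha256sum "$archive" | awk '{print $1}')
    [ "$expected" = "$actual" ] || { echo "checksum mismatch: $archive" >&2; return 1; }
}

# Copy the verified archive into dest (e.g. /opt/flotomate/main-server/config),
# extract it with 7z and hand the extracted folder to the fmt user. Assumes the
# archive extracts into a folder named after it, as in the docs' example.
stage_patch_archive() {
    archive="$1"; dest="$2"; owner="${3:-fmtuser:fmtusergroup}"
    verify_archive "$archive" || return 1
    name=$(basename "$archive")
    cp "$archive" "$dest/" || return 1
    (cd "$dest" && 7z x "$name") || return 1
    chown -R "$owner" "$dest/${name%.7z}"
}

# Create {filedb}/{tenant}/patch if missing and give the tenant folder to the
# fmt user. The owner parameter lets the function be exercised without root.
ensure_tenant_patch_dir() {
    base="$1"; tenant="$2"; owner="${3:-fmtuser:fmtusergroup}"
    mkdir -p "$base/$tenant/patch" || return 1
    chown -R "$owner" "$base/$tenant"
}

# Example invocation on the ServiceOps server (run as root):
#   stage_patch_archive /media/usb/airgappatch.7z /opt/flotomate/main-server/config
#   ensure_tenant_patch_dir /opt/flotomate/file-server/filedb apolo
```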