Fulfilling eWEEK Labs prediction that patch management systems would morph into more widely focused asset lifecycle management solutions that address both enterprise security and management needs, BigFixs BigFix Enterprise Suite 6.0 seamlessly blends hardware and software asset inventory capabilities along with best-in-class patch management and fine vulnerability remediation. For successfully making this evolutionary leap, BES 6.0 earns our Analysts Choice award.
During the two years since eWEEK Labs last looked at BES, BigFix has added a drastically improved asset collection, streamlined software delivery and new security features, such as integrated anti-spyware and oversight over third-party anti-spyware and anti-virus solutions.
With all this functionality packed into a platform that requires only a single client agent on each managed machine, BES 6.0—which started shipping in April—is much more an asset lifecycle management platform than a patching platform.
For patch management services, BigFix charges $23 per agent per year for workstations, $69 per year for each Windows server, and $115 per year for Unix or Linux servers. With asset management and software distribution added to the mix, BES 6.0 costs $30 (per agent), $90 and $125 per year, respectively. When you throw in access to vulnerability assessment and third-party anti-spyware management, the costs are $40 (per agent), $120 and $125 per year, respectively. All prices assume a BigFix deployment of 5,000 managed agents.
BES 6.0 is highly modular, allowing administrators to add features as necessary. This is a good thing, given the overwhelming amount of settings, tasks and reports to look at or configure in a fully licensed deployment. Classes of services are added by subscribing to Fixlet Sites, which can include patches for various operating systems, vulnerability remediations and many other types of Tasks (BigFix-ese for “stuff you can do”). Once Fixlet Sites were enabled, we could individually activate the Analysis modules we needed at the time.
For instance, we started our test deployment primarily with patching services for Windows-based clients and then added Fixlet Sites and activated the Analysis modules for hardware and software inventory capabilities, anti-spyware protections, and anti-virus monitoring modules, among others.
As we added and used new features, the management console automatically refreshed to add links to the features in the prominent shortcut bar on the left side of the screen. These shortcuts automatically trigger filters to show only the settings relevant for each feature.
With Version 6.0, BES offers role-based administration and workflow that are much more complex and granular than permissions schemes weve seen with other products. BES allowed us, for example, to customize a junior administrators view—making visible only those settings, fixes and assets deemed necessary for the administrators job.
Designed to manage thousands or tens of thousands of clients, BES 6.0 let us create dynamic computer groups based on a variety of characteristics. We could define criteria to populate groups according to CPU type, IP address ranges, computer naming conventions, operating systems or Active Directory locations, among many other settings. We also could create our own groups for specific groupings.
With BES 6.0, we could create base-line policies that were automatically applied to computers within the groups to which the base line was applied. We particularly liked the ability to nest base lines: We created a base-line patching policy for all Windows XP machines in our network, but we could also create and nest within this policy a secondary patch base line for Microsofts Patch Tuesdays.
The products hardware asset inventory capability has been much improved. After we activated a few Analysis modules and applied a collection task to our clients, we could view each machines make, CPU type and speed, as well as the type of audio, video and network adapters installed. We also could drill down to see the maximum memory supported, the number of memory slots available and even the number of available PCI slots.
BES 6.0s enhanced asset reporting extends to application and services inventory. After the Application Information and Programs Run at Startup analysis modules are activated, BES 6.0 collects each clients installed applications and services daily, enumerating which services are running at scan time and which programs automatically load at start time.
With the new Software Usage Tracking analysis module, we could take application inventory a step further, logging whenever a specified application is used anywhere across the network. This allowed us to identify software licensing requirements across the company.
The Application Usage Information Dashboard listed several common applications we could track (including Microsofts Word and Excel and Apple Computers iTunes, among others), or we could manually list any other process. The Dashboard graphically depicts the number and percentage of clients with that application installed, as well as several customizable views of how frequently the application gets used.
Because large companies will need to leverage inventory data for use with other enterprise applications, BigFix offers several integration options, such as modules that integrate with several help desk applications, including solutions from BMC Software. BigFix also publishes its database schema, allowing customers to suck asset inventory into the application or tool of their choice. Similarly, to use data from other applications, BigFix offers its Asset Connector to import data into BES.
New spyware options
BES 6.0 makes it much easier to deploy software, as well. Although BES has long included the ability for customers to create custom tasks or fixes, BES 6.0 opens things up to make task creation much simpler. Using one of many new wizards, we easily created a software deployment job to deploy a new version of Symantecs anti-virus client and Adobe Systems Adobe Reader, without needing to learn BigFixs action language. However, in a pinch, this language was straightforward enough to cobble something together for actions not explicitly addressed by an existing wizard.
We particularly liked BES burgeoning anti-spyware features. With BigFix AntiPest (only an additional $8 per workstation or $24 per Windows server per year), BigFix has integrated CAs fine PestPatrol technology. Because the AntiPest module runs as a subprocess of BigFix, we could deploy, update and maintain anti-spyware defenses across the enterprise without requiring another management console or client agent.
From the BigFix AntiPest Configuration Wizard, we could easily update the default settings, enabling different types of scans (such as memory, registry and cookie); create exclusion lists; and dictate quarantine behavior. We also could create new scan jobs to apply to targeted groups.
From the new AntiPest Dashboard—one of several new dashboards providing high-level insight into various features with a single click of the mouse—we could easily identify detected spyware activity across the network. BES 6.0 also can create ad hoc groupings on the fly to help administrators identify, locate and remediate systems with outdated or nonexistent anti-spyware protections.
Because no anti-spyware solution detects every known strain of adware or spyware, BigFix offers additional avenues for spyware defense through analysis modules that allow customers to centrally manage and maintain what are normally freely available stand-alone anti-spyware applications.
From the BES 6.0 console, we deployed Spybot Search and Destroy to clients, and we could trigger actions to update detection signatures, run scans and cleaning jobs, or check logs. BigFix also provides the same capabilities for the now-defunct Windows Anti-Spyware Beta 1, but we found the application would not work correctly in our tests, possibly due to the fact that Microsoft no longer supports that old version.
BigFix officials said they may support the latest iteration of Microsofts anti-spyware platform, Windows Defender, but they provided no time frame.
One thing we would like to see in BES is better support for customers navigating regulation-specific compliance issues. Through preconfigured tasks, base lines and reports, BES could help administrators make sense of the exact data and settings needed to comply with the regulations most pressing to their organizations and industries.
Technical Analyst Andrew Garcia can be reached at [email protected].
Altiris Patch Management Solution Altiris offers a wide range of asset management and security solutions, but integration of those applications has been slow (www.altiris.com)
LANDesks Patch Manager 8 LANDesk also offers multiple applications for asset management under one client agent, but the future is unknown as Avocent takes over the portfolio (www.landesk.com)
PatchLinks PatchLink Update Embarking down the same paths as BigFix, PatchLink is a worthy alternative solution (www.patchlink.com)
Marimba Patch Management from BMC BMC offers a slew of client and server management solutions, as well as help-desk applications (www.bmc.com)