BigFix Finds, Fixes Flaws Across Nets

BigFix's BES 4.0 takes vulnerability detection and remediation across platforms, but it can quickly get expensive in non-Windows shops.

With BigFix Enterprise Suite 4.0, BigFix Inc. builds on its extensive patch management experience to present a well-designed, all-encompassing vulnerability identification and remediation platform. Administrators who require a multiplatform patching solution that can also track and maintain anti-virus software and security-related registry settings will find BES 4.0 well worth a look.

At the heart of the updated suite, which shipped last month, is BigFix Patch Manager, an outstanding patch remediation solution for Windows and various other operating systems. Version 4.0 offers a greatly improved reporting mechanism and increased scalability through an easily deployed relay architecture.

BES uses client agents to identify and install missing patches. These agents dig deep into the client and report hardware, registry and file system information to the server, enabling a powerful mechanism that groups computers according to a slew of attributes.

BES remediates problems via Fixlets—chunks of code that are specific to a particular patch or vulnerability. Fixlets provide client agents with the intelligence to identify vulnerabilities and missing patches; serve descriptive information regarding the patch and vulnerability for the administrator; and activate scripts that download the appropriate files (if necessary), verify their authenticity and install them according to administrator-defined behaviors.

BES 4.0's price is based on the volume of client licenses and the services needed. For a network using only the base module, BigFix Patch Manager, pricing is $21.50 per Windows client per year, and $58 per non-Windows client. A network with 5,000 managed agents can expect to pay $16.50 per Windows agent per year and $44.50 for each non-Windows machine.

We installed the BES Server and BES Console components on a Windows 2000 server running IIS (Internet Information Services) 5.0, using the included MSDE (Microsoft SQL Server 2000 Desktop Engine) database. Companies that need greater scalability or multiple simultaneous console sessions are advised to use their own installed version of SQL Server instead.

Installing a BigFix agent on our Windows 2000 and XP clients was a snap. The agent deployment tool can target individual host names or Active Directory organizational units for centralized distribution from the console.

One of BES 4.0's greatest strengths is its multiplatform support, although the price difference makes BES a more feasible solution for servers over desktops. BigFix provides client agents and Fixlets for Sun Microsystems Inc.'s Solaris Versions 7, 8 and 9; Red Hat Inc.'s Red Hat Linux 7.1 and 8.0; and SuSE Linux's SuSE Linux 8.0. Support for Hewlett-Packard Co.'s HP-UX and IBM's AIX is in the works, officials said.

Client distribution to our Red Hat Linux 8.0 clients was not as smooth as to Windows clients, however, requiring several calls to BigFix's tech support, which eventually provided us with an updated version of the Agent Installation RPM. We'd like to see BigFix beef up its online support Web site, which is not as comprehensive as PatchLink Corp.'s and provides next to no information for Linux deployments.

In tests, we quickly identified Windows 2000 machines that were missing MS04-007 and MS03-039 patches. We then scheduled a job that installed both patches, ran Microsoft's QChain to resolve any DLL mismatches and rebooted the machines. We updated only the SSH (Secure Shell) package on our Linux machines, but many more Fixlets are available for non-Windows machines.

BES 4.0 allows the administrator to tag Fixlets so that they automatically install to new clients as they join the network. This is done on a per-Fixlet basis. We'd like to see BigFix improve on this ability, further allowing administrators to create templates spanning multiple patches or vulnerabilities that can be assigned as a single object to a group of computers. Competitive products from PatchLink offer this capability.

BES Console provided excellent real-time reporting on the status of each job, letting us know where each client stood. We also liked the ease with which we could specify whether the patch should be automatically redeployed if a machine fell out of compliance again.

However, the way the console links between screens as the administrator moves around leaves a mess of windows open in the background, making it somewhat difficult to retrace steps.

BES Console also provides access to a wealth of Web-based reports. This separate application uses BES Server's IIS 5.0 Web server to distribute reports that range from high-level executive overviews to granular updates on individual machine status.

We liked how BES 4.0 obviates deploying multiple BES servers by using relays to increase scalability throughout the enterprise. From the console, administrators can easily designate any client as a relay, which automatically mirrors all patches cached on BES Server. Clients can then be manually directed to a specific relay or to find the closest relay, thereby easing bandwidth concerns over slow WAN links.

Through the optional VIR (Vulnerability Identification and Remediation) Manager (up to an additional $5 per agent annually), BigFix moves beyond basic patch management to the larger realm of vulnerability management and application deployment. VIR Manager activates Fixlets that identify and address The SANS Institute's Top 10 Vulnerabilities to Windows Systems and many other registry-based weaknesses.

Using VIR Manager, we quickly identified Windows 2000 machines with POSIX and OS/2 subsystems still enabled and removed the subsystems.

VIR Manager includes BigFix Client Manager for Anti-Virus, which ensures clients are running anti-virus software from major players Symantec Corp., McAfee Security, Trend Micro Inc. or Computer Associates International Inc., but Panda Software Inc. and Sophos plc. products are notably unsupported. When BES Console detected that one of our clients was missing anti-virus software, we could quickly deploy an installation script to the offending machine.

For managers seeking to deploy their own fixes and packages, BES 4.0 offers BigFix Configuration Manager (which we did not test). This option provides an authoring tool and development environment, allowing managers to create their own Fixlets.

Technical Analyst Andrew Garcia can be reached at