Solution detects vulnerabilities, quickly deploys pre-packaged and tested fixes

See correction below

For many organizations, systems remain at high risk because overwhelmed IT departments lack resources to keep abreast of the latest security threats. When a critical patch is located, testing and packaging it for distribution and then deploying across even a modestly sized enterprise is time consuming and costly.

BigFix Patch Manager 4.0 is a significant product that goes beyond software distribution solutions such as Microsoft SMS (Systems Management Server) and IBM Tivoli. For example, BigFix tracks Microsoft security alerts and the latest fixes for your IT staff, delivers prepackaged and tested patches, reports whether or not fixes were successfully installed, and ensures that patches stay intact. Together, Microsoft’s Software Update Services and SMS 2003 do offer some of these capabilities. However, BigFix is a single, more easily managed product that also supports Linux and Unix (mainly for maintenance releases, because weekly or monthly fixes are rare on these platforms). As such, BigFix Patch Manager is well worth the small per-client cost.

The well-conceived BigFix Patch Manager offloads the work of identifying security bulletins, hot fixes, and service packs. BigFix staff monitor vulnerability announcements, create Fixlet messages (small communications that contain intelligence to detect and repair problems), and post them on the company’s Enterprise Security Fixlet Server.

Inside your firewall, a BES (BigFix Enterprise Suite) server monitors the Fixlet server and retrieves new Fixlets after verifying their authenticity. Desktops, laptops, and servers run a small-footprint agent that evaluates the Fixlet messages and reports back to the BES server if a Fixlet is relevant. As a final step, administrators authorize the agent to take remedial action. I am keen on BigFix Patch Manager for many reasons, starting with setup.
Installing my BES server (which supports up to 75,000 clients) and agents on 30 systems was quick and trouble-free. For businesses with Microsoft Active Directory servers, the BES Client Deploy Tool automatically delivers BigFix Agents to several thousand systems in a few hours.

BES Console, the visible part of this solution, emphasizes security. The console software may run on any computer with access to the BES server, but log-in is restricted by a password and private key. After initializing my server, it imported about 750 Fixlet messages, sent them to BES Client machines, and displayed their responses — all in less than five minutes. For added security, all Fixlet message content (including patches) and events sent to BigFix Agents are digitally signed.

Tabs and windows within the BES Console offer a network-wide view of your systems, along with vulnerabilities and suggested fixes. BigFix Patch Manager has a lot of capabilities, which could overwhelm first-time users. However, it didn’t take me long to master the workflow. For example, the right-hand panel lists all Fixlet messages, but you can easily filter them by severity, greatest number of computers affected, and other criteria. Central to this solution is the ability to fix one or many computers — a process I found intuitive. For instance, I highlighted the Fixlet message for critical Microsoft bulletin MS03-049 and clicked a link at the bottom that triggered the Take Action dialog. BigFix Patch Manager automatically targeted all computers needing this patch; from there, it’s easy to narrow the list, perhaps to a group of test systems.

Then I was given several options concerning the deployment, such as showing users a message to save their work because a reboot would be initiated after the fix was installed. Deploying multiple fixes at once is equally straightforward.

BigFix Patch Manager is also unusually thorough in the feedback it provides administrators.
For instance, the console displayed detailed, real-time information as a patch was deployed. As a result, I had confirmation within a few minutes that the majority of systems were successfully patched; the exceptions were a few laptops which were subsequently updated automatically as users logged on to the network. As another valuable feature, BigFix continuously monitors systems for compliance. So for instance, if a user reinstalls a software package that negates a patch, BigFix will recognize the change and retarget that system to receive the fix again.

BigFix Patch Manager appears well-suited even for large deployments. If you have many locations, it’s simple to designate client computers as BES relays, thus reducing network traffic and load on the main BES server.

Any investment of this scale should provide other systems management functions. I was therefore pleased BES Patch Manager let me compile detailed and executive-level reports about computers on my network, including operating system and network settings. You can round out BigFix by subscribing (at extra cost) to additional Fixlet content. This includes remediation for the SANS Institute Top 10 Windows vulnerabilities; Registry Vulnerability Solutions for Windows; BigFix Client Manager for Anti-Virus; and BigFix Configuration Manager.

Overall, BigFix Patch Manager delivered on all its promises. Generally easy to use and scalable, it should significantly reduce the burden on IT staff to keep up with the sharply rising volume of security notes — and enable them to quickly verify and deploy corresponding fixes to Microsoft OS-based systems. It’s also one of the few solutions supporting Linux and Unix platforms. The only item on my wish list would be BigFix Agents for HP-UX and IBM AIX, which BigFix indicated should be available early this year.

Correction

In this review, we originally misreported the number of clients a BigFix Enterprise Suite server can support.
A single BES server can support as many as 75,000 clients, according to the company.

InfoWorld Scorecard: BigFix Patch Manager 4.0

Ease of use (15.0%): 8.0
Performance (25.0%): 8.0
Interoperability (10.0%): 8.0
Scalability (15.0%): 9.0
Value (10.0%): 8.0
Manageability (25.0%): 9.0
Overall Score (100%): 8.4