Windows Patch Management, BigFix

by Marcin Policht

We continue our discussion of third-party patch management products, this time taking a look at BigFix's server-based BigFix Enterprise Suite and its agent-based client software, the Fixlet messaging component.

The previous article in our Windows Patch Management series began a discussion of third-party patch management products. We continue in this vein, this time concentrating on a versatile and scalable solution that fits equally well in centrally administered, locked-down SMBs; large, distributed enterprises; and unmanaged, Internet-based environments.

The solution comes from California-based BigFix in the form of its agent-based client software — the Fixlet messaging component — and the all-encompassing BigFix Enterprise Suite (BES). BigFix provides multiplatform support for all versions of Windows, Red Hat and SUSE Linux, Solaris, and HP-UX, and it will soon support AIX. It goes beyond simple product updates to help with system misconfiguration issues and provides detailed reporting capabilities.

One of the main differences between the BigFix products and the Shavlik solution previously looked at is the use of agent-based client operations. The debate over the benefits of agent-based vs. agentless architecture among patch management products has been going on since their inception.

On the one hand, a lack of agents speeds up and simplifies deployment and reduces the number of components necessary to manage and troubleshoot. On the other hand, remote agents running on each system are typically efficient and sophisticated; they can operate independently, collecting detailed information without significant performance impact and detecting periods when a local processor is idling or hovering at low utilization levels. Additional intelligence built into agents enables them to filter redundant or irrelevant data, which can significantly benefit available network bandwidth and spare resources on the central system during inventory collection.

BigFix Enterprise Suite

The BigFix Enterprise Suite (BES) architecture consists of an Internet-based central patch library maintained by BigFix; the BES Server at the customer site; one or more BES Relay servers; lightweight BES client agents that exchange data via proprietary messages called Fixlets (which play a central role in software distribution); and BES Administrative Consoles, which provide the central management point.

BES Server constitutes the focal point of the software distribution, inventory collection, and management: According to BigFix, it can manage up to 75,000 targets. The server communicates with the BigFix Internet-based central patch library, maintaining up-to-date knowledge about all available software updates (these can be updates released by BigFix or third-party vendors). Corporate administrative teams then decide which of these patches to deploy within the enterprise.

Once the decision is made, appropriate binaries can be downloaded locally to the server and distributed across all BES clients (alternatively, clients can be instructed to obtain patches directly). However, in large, distributed environments with multiple remote offices separated by slow WAN links, direct communication between clients and one central server can consume significant amounts of bandwidth.

To address this issue, BigFix users can fan out communication paths by deploying BES Relay servers (described in more detail at http://support.bigfix.com/bes/misc/besrelays.html) at multiple locations. A relay acts as the primary interface for local clients and as the bi-directional forwarder between them and the central BES Server (or an intermediary BES Relay server). Relay caching, useful for both inventory collection and package deployment, reduces bandwidth utilization and mitigates the effects of lost intersite connectivity. BES Relay servers can form a multilayer hierarchy, forwarding packages in one direction and inventory or reporting data in the other. BES clients can detect the closest (in terms of network distance) BES Relay server. Besides lowering the impact on network bandwidth, this provides a level of fault tolerance: a client can locate a new relay if the one it used previously becomes unavailable.

Deployment and configuration of BES Relay servers, as well as other administrative tasks, are performed from the BES Administrative Console. Its fairly intuitive interface gives access to every computer in the environment that runs the BES client agent, each of which reports WMI-based properties reflecting its status. The information retrievable this way is not limited to vulnerabilities or patch levels; it includes a wide variety of other system characteristics, such as location (defined using subnet ranges); applications and services (installed and running, with name, version, and vendor data); virus scanning products (software revision and virus definition file dates); network properties (MAC and IP configuration, IP address assignment method, and dial-up settings); operating system data (version and service pack level, uptime, regional settings, and domain/workgroup membership); hardware specifications (number and type of processors, drives, video, network, and sound cards, and serial number); file system details (type, total, and free space); and user information (locally defined users with last logon date/time and password settings). A comprehensive list of these properties is available at http://support.bigfix.com/bes/misc/retrievedproperties.html. In addition, the Web Reports functionality can generate reports listing computer hardware assets, the application estate, or security status.

A number of administrative tasks can be tuned to the requirements of larger environments with thousands of computers. For example, major operating system upgrades (such as service packs), which typically consume substantial amounts of bandwidth, can be performed in stages: a total time within which the task should complete is specified, and BES Server uses this value to spread the distribution across all managed systems. Similarly, distribution targets can be identified dynamically from a list of property-based criteria defined by an administrator. BigFix agents evaluate the property values in real time and, if a match is found, apply the installation to the local system. Otherwise, the package can be kept in the local cache and rechecked periodically in case the criteria, or the system's own properties, have changed.
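As an added illustration of the staged rollout and property-based targeting just described (example code written for this article, not BigFix's own; the inventory records, the task window, the criteria fields, and the even-spacing stagger are all assumptions made for the example, not a description of BES internals), the following Go program evaluates a rule against an inventory, spreads the matching machines across the completion window, and shows a deferred machine becoming relevant on a later re-check:

```go
package main

import (
	"fmt"
	"time"
)

// Computer is a constructed inventory record carrying a few retrieved properties.
type Computer struct {
	Name        string
	OS          string
	ServicePack int
	FreeDiskMB  int
}

// Criteria is an administrator's targeting rule; a zero value means "don't care".
type Criteria struct {
	OS               string
	ServicePackBelow int // target machines whose service pack level is below this
	MinFreeDiskMB    int
}

// Matches evaluates the rule against one computer's current properties.
func (c Criteria) Matches(m Computer) bool {
	return (c.OS == "" || m.OS == c.OS) &&
		(c.ServicePackBelow == 0 || m.ServicePack < c.ServicePackBelow) &&
		(c.MinFreeDiskMB == 0 || m.FreeDiskMB >= c.MinFreeDiskMB)
}

// Task is a distribution with a completion window and targeting criteria.
type Task struct {
	Window time.Duration
	Crit   Criteria
}

// Assignment is when a target may start, relative to when the task is issued.
type Assignment struct {
	Computer string
	Offset   time.Duration
}

// Schedule evaluates the criteria against the inventory, spreads the matching
// computers evenly across the window, and returns the rest as deferred: they
// keep the task cached and re-evaluate it later.
func Schedule(t Task, inventory []Computer) (targets []Assignment, deferred []string) {
	var matched []Computer
	for _, m := range inventory {
		if t.Crit.Matches(m) {
			matched = append(matched, m)
		} else {
			deferred = append(deferred, m.Name)
		}
	}
	n := len(matched)
	for i, m := range matched {
		// Slot i of n starts at window*i/n, so even the last slot keeps window/n to finish.
		off := t.Window * time.Duration(i) / time.Duration(n)
		targets = append(targets, Assignment{Computer: m.Name, Offset: off})
	}
	return targets, deferred
}

// Recheck re-evaluates deferred computers against the current inventory and
// returns those that now match (disk freed, criteria changed, and so on).
func Recheck(t Task, deferred []string, inventory []Computer) []string {
	byName := make(map[string]Computer, len(inventory))
	for _, m := range inventory {
		byName[m.Name] = m
	}
	var now []string
	for _, name := range deferred {
		if m, ok := byName[name]; ok && t.Crit.Matches(m) {
			now = append(now, name)
		}
	}
	return now
}

// SampleInventory and SampleTask are constructed data: roll out XP SP2 over
// six hours to XP machines below SP2 with at least 1.5 GB of free disk.
func SampleInventory() []Computer {
	return []Computer{
		{"WS-001", "Windows XP", 1, 4000}, {"WS-002", "Windows XP", 2, 4000},
		{"WS-003", "Windows XP", 1, 900}, {"WS-004", "Windows XP", 1, 2500},
		{"SRV-001", "Windows Server 2003", 0, 9000}, {"WS-005", "Windows XP", 1, 1600},
	}
}
func SampleTask() Task {
	return Task{Window: 6 * time.Hour,
		Crit: Criteria{OS: "Windows XP", ServicePackBelow: 2, MinFreeDiskMB: 1500}}
}
func main() {
	inv := SampleInventory()
	targets, deferred := Schedule(SampleTask(), inv)
	fmt.Println("targets:", targets, "deferred:", deferred)
	inv[2].FreeDiskMB = 2000 // WS-003 freed disk space since the last check
	fmt.Println("now relevant:", Recheck(SampleTask(), deferred, inv))
}
```

Two points worth noting for anyone reproducing the scheme: the stagger is computed over the machines that match now, so a machine that becomes relevant later (as WS-003 does here) falls outside the original window and needs its own slot; and the criteria are evaluated against the agent's live properties, which is what lets a package sit in the local cache until the system qualifies.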

Fixlets

The basis of the communication framework within the BigFix environment is a messaging component called the Fixlet. A Fixlet is a message containing instructions that BigFix client agents on target systems use to assess their status, pinpoint issues such as a vulnerability or a misconfiguration, and take corrective action to resolve them. Depending on agent configuration, such an action can be triggered automatically or may require explicit user permission to proceed. Agents are also responsible for reporting installation status back to the BES Server: immediately after a Fixlet has been applied, the agent re-evaluates the pertinent properties and reports whether the issue is resolved.

Fixlets are versatile. They allow patches and anti-virus software to be distributed, and common software packages to be deployed. In particular, Fixlets are extremely helpful with potential problems related to the installation of recently released Windows XP Service Pack 2, such as managing firewall settings, configuring Internet Explorer pop-up blockers, and resolving compatibility issues with third-party anti-virus software.

The majority of Fixlets are created and maintained in a central repository by BigFix (via the BigFix Tech Support and Fixlet Central Web sites), but their format and creation mechanism are also licensed to a number of third-party vendors, such as hardware manufacturers and resellers (e.g., eMachines, which ships its hardware with BigFix agents pre-installed free of charge). BigFix customers can also create customized Fixlets using the BigFix Configuration Manager. To ensure that agents act only on legitimate instructions, the BES infrastructure authenticates Fixlets with digital signatures, so a client acts only on Fixlets whose signatures verify, whether they originate from BigFix, a licensed vendor, or the customer's own console. These characteristics make BigFix suitable for any type of environment, ranging from those under tight central control to those that are entirely unmanaged (such as PCs with direct Internet connections), where the decision to update is left entirely to the end user.

Obviously, the effectiveness of this approach depends on a number of hardware and software vendors accepting BigFix's software update management methodology and the vendor's diligence in keeping its Fixlet central repository up to date.
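The signature check is the security-relevant property in the discussion above: whatever path a Fixlet takes through BES Server and the relays, an agent should act only on one whose signature verifies against a publisher key it trusts. The following Go program is an added example written for this article, not BigFix code, and does not reproduce the real Fixlet format; the JSON encoding, the field names, Ed25519 as the signature algorithm, and the publisher and agent names are all assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Fixlet is a constructed stand-in for a Fixlet message (the real format is
// not reproduced): a relevance clause and the action to take if it holds.
type Fixlet struct {
	ID        string `json:"id"`
	Relevance string `json:"relevance"`
	Action    string `json:"action"`
}

// SignedFixlet is what travels via BES Server and the relays: the encoded
// Fixlet, the publisher's name, and the publisher's signature over those bytes.
type SignedFixlet struct {
	Publisher string
	Body      []byte
	Sig       []byte
}

// Publisher holds a signing key; BigFix and each licensed third party would
// hold their own. Ed25519 is an assumption, the page names no algorithm.
type Publisher struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewPublisher(name string) (*Publisher, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Publisher{Name: name, pub: pub, priv: priv}, nil
}
func (p *Publisher) PublicKey() ed25519.PublicKey { return p.pub }

// Sign serializes the Fixlet and signs exactly the bytes the agent will verify.
func (p *Publisher) Sign(f Fixlet) (SignedFixlet, error) {
	body, err := json.Marshal(f)
	if err != nil {
		return SignedFixlet{}, err
	}
	return SignedFixlet{Publisher: p.Name, Body: body, Sig: ed25519.Sign(p.priv, body)}, nil
}

var (
	ErrUntrustedPublisher = errors.New("fixlet publisher is not in the trust store")
	ErrBadSignature       = errors.New("fixlet signature does not verify")
)

// Agent is the client side: a trust store of publisher public keys.
type Agent struct{ trusted map[string]ed25519.PublicKey }

func NewAgent() *Agent { return &Agent{trusted: map[string]ed25519.PublicKey{}} }

// Trust installs a publisher's key; only then are that publisher's Fixlets accepted.
func (a *Agent) Trust(name string, pub ed25519.PublicKey) { a.trusted[name] = pub }

// Accept verifies the signature before the body is even parsed, so a tampered,
// forged or unsigned Fixlet never has its relevance evaluated or its action run.
func (a *Agent) Accept(sf SignedFixlet) (Fixlet, error) {
	pub, ok := a.trusted[sf.Publisher]
	if !ok {
		return Fixlet{}, ErrUntrustedPublisher
	}
	if !ed25519.Verify(pub, sf.Body, sf.Sig) {
		return Fixlet{}, ErrBadSignature
	}
	var f Fixlet
	if err := json.Unmarshal(sf.Body, &f); err != nil {
		return Fixlet{}, err
	}
	return f, nil
}

// Tamper models an on-path attacker or compromised relay that rewrites the
// action but cannot re-sign, so the original signature is carried over.
func Tamper(sf SignedFixlet, action string) SignedFixlet {
	var f Fixlet
	_ = json.Unmarshal(sf.Body, &f)
	f.Action = action
	body, _ := json.Marshal(f)
	return SignedFixlet{Publisher: sf.Publisher, Body: body, Sig: sf.Sig}
}

func main() {
	bigfix, _ := NewPublisher("BigFix")
	agent := NewAgent()
	agent.Trust(bigfix.Name, bigfix.PublicKey())
	f := Fixlet{ID: "example-0001", Relevance: "service pack < 2", Action: "install sp2"}
	good, _ := bigfix.Sign(f)
	_, err := agent.Accept(good)
	fmt.Println("genuine:", err)
	_, err = agent.Accept(Tamper(good, "run attacker payload"))
	fmt.Println("tampered:", err)
}
```

Note what the scheme rests on: the secrecy of each publisher's private key (BigFix's, each licensed vendor's, and the customer's own console key for custom Fixlets) and the integrity of the trust store on the client. An agent should carry only the public keys of publishers the organization has actually chosen to accept; an attacker who can add a key to that store, or who obtains a trusted private key, gains the same reach as the publisher.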

Agent operation is designed with laptop users in mind. Configurable policies governing agent behavior remain in effect whether or not a client is connected to the corporate network. These policies, defined via the supplemental Mobile Security Manager product, come with templates that can be used to ensure the most secure options are implemented. If desired, patches can be downloaded over the Internet directly from the patch originator (e.g., the Windows Update Web site).

Agents are also configurable in terms of bandwidth throttling. Appropriate values can be assigned on a per-site and per-connection basis (e.g., dial-up, wireless, LAN, or WAN), with separate settings for uploads and downloads (matching the asymmetric characteristics of typical DSL links). The BigFix download/upload manager delivers functionality similar to the Microsoft Background Intelligent Transfer Service (BITS) and can resume interrupted downloads without restarting the entire transfer. In addition, agents can perform simultaneous independent downloads with different priority levels, which lets smaller (but potentially more urgent) Fixlets be obtained during lengthy downloads of larger packages (e.g., Windows service pack installations).

BigFix is, without a doubt, one of the leaders in the patch management arena. It boasts a significant number of satisfied corporate customers, including TRW, Corning, and Pitney Bowes. If you're looking to learn more about BES in action, the BigFix Web site offers downloadable case studies.

This article was originally published on Wednesday Sep 29th 2004