Windows Patch Management, BigFix
September 29, 2004
The basis of the communication framework within the BigFix environment is a message type called a Fixlet. A Fixlet is a message packet carrying the instructions that BigFix client agents on target systems use to assess their own state, pinpoint an issue such as a vulnerability or a misconfiguration, and take the corrective action that resolves it. Depending on agent configuration, the action can be triggered automatically or can require explicit user permission before it proceeds. Immediately after a Fixlet is deployed, the agent re-checks the pertinent information and reports the installation status back to the BES (BigFix Enterprise Suite) server.
Fixlets are versatile: they can distribute patches and anti-virus software and deploy common software packages. In particular, Fixlets are extremely helpful with the potential problems that accompany the installation of the recently released Windows XP Service Pack 2, such as managing Windows Firewall settings, configuring the Internet Explorer pop-up blocker, and resolving compatibility issues with third-party anti-virus software.
The majority of Fixlets are created and maintained in a central repository by BigFix (via the BigFix Tech Support and Fixlet Central Web sites), but their format and creation mechanism are also licensed to a number of third-party vendors, such as hardware manufacturers and resellers (e.g., eMachines, which ships its hardware with BigFix agents pre-installed free of charge). BigFix customers can also create customized Fixlets using the BigFix Configuration Manager. To protect this channel, the BES infrastructure authenticates Fixlets with digital signatures, and agents act only on Fixlets whose signature verifies; the scheme is therefore only as strong as the protection of the signing keys and the agents' list of trusted publishers. These characteristics make BigFix suitable for any type of environment, ranging from those with tight central control to those that are entirely non-managed (such as PCs with direct Internet connections), where the decision to update is left entirely to the end user.
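The agent cycle described above (authenticate the Fixlet, assess relevance, act only if policy allows, re-assess, report status) can be made concrete with a small simulation. The following is an added example and not BigFix code or the real Fixlet format: the message layout, the relevance vocabulary, the inventory, and the identifiers are all constructed for illustration. Because the standard library has no asymmetric signing, the signature check is a stand-in that uses an HMAC over the canonical message with a shared key; the real product uses digital signatures, and the stand-in changes the trust model (anyone holding the key can sign).

```python
import hashlib
import hmac
import json


def fresh_inventory() -> dict:
    """Constructed endpoint state; a real agent would read this from the OS."""
    return {
        "os": "Windows XP",
        "service_pack": 1,
        "installed_patches": {"KB-SAMPLE-A"},   # constructed identifier
        "firewall_enabled": False,
    }


# Stand-in for the publisher's signing key (assumption: HMAC instead of a digital signature).
SIGNING_KEY = b"demo-publisher-key-not-for-production"


def _canonical(msg: dict) -> bytes:
    """Serialize everything except the signature field in a fixed order."""
    body = {k: v for k, v in msg.items() if k != "sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(fixlet: dict) -> dict:
    sig = hmac.new(SIGNING_KEY, _canonical(fixlet), hashlib.sha256).hexdigest()
    return {**fixlet, "sig": sig}


def verify(fixlet: dict) -> bool:
    expected = hmac.new(SIGNING_KEY, _canonical(fixlet), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(fixlet.get("sig", "")))


# Relevance clauses come from a closed vocabulary evaluated through a dispatch table:
# the agent never evaluates arbitrary expressions carried in the message.
CHECKS = {
    "missing_patch": lambda inv, kb: kb not in inv["installed_patches"],
    "service_pack_below": lambda inv, n: inv["service_pack"] < n,
    "firewall_disabled": lambda inv, _: not inv["firewall_enabled"],
}


def is_relevant(fixlet: dict, inv: dict) -> bool:
    """All clauses must hold; an unknown clause fails closed (treated as not relevant)."""
    for name, arg in fixlet["relevance"]:
        check = CHECKS.get(name)
        if check is None or not check(inv, arg):
            return False
    return True


def _install_patch(inv, kb):
    inv["installed_patches"].add(kb)


def _enable_firewall(inv, _):
    inv["firewall_enabled"] = True


ACTIONS = {"install_patch": _install_patch, "enable_firewall": _enable_firewall}


def apply_fixlet(fixlet: dict, inv: dict, auto_apply=True, user_approved=False) -> dict:
    """One agent cycle; the returned dict is the status report sent back to the server."""
    report = {"fixlet_id": fixlet.get("id")}
    if not verify(fixlet):                       # nothing in the message is trusted before this
        return {**report, "status": "rejected_bad_signature"}
    if not is_relevant(fixlet, inv):
        return {**report, "status": "not_relevant"}
    if not auto_apply and not user_approved:     # policy: wait for explicit user permission
        return {**report, "status": "pending_approval"}
    name, arg = fixlet["action"]
    action = ACTIONS.get(name)
    if action is None:
        return {**report, "status": "unknown_action"}
    action(inv, arg)
    # Report the post-action re-evaluation, not merely that the action ran.
    return {**report, "status": "fixed" if not is_relevant(fixlet, inv) else "still_relevant"}


SAMPLE_FIXLET = sign({
    "id": "sample-001",                          # constructed identifier
    "relevance": [["missing_patch", "KB-SAMPLE-B"], ["service_pack_below", 2]],
    "action": ["install_patch", "KB-SAMPLE-B"],
})
```

Running `apply_fixlet(SAMPLE_FIXLET, fresh_inventory())` reports "fixed" and a second run on the same inventory reports "not_relevant"; changing the action in a signed message makes the signature check fail before relevance is even evaluated, and with `auto_apply=False` the agent reports "pending_approval" until `user_approved=True` is passed.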
Obviously, the effectiveness of this approach depends on enough hardware and software vendors adopting BigFix's software update management methodology, and on BigFix's own diligence in keeping its central Fixlet repository up to date.
Agent operations are designed with laptop users in mind: the configurable policies governing agent behavior remain in effect whether or not a client is connected to the corporate network. The policies, defined through the supplemental product Mobile Security Manager, come with templates that can be used to ensure the most secure options are enforced. If desired, patches can be downloaded over the Internet directly from their originator (e.g., the Windows Update Web site).
Agents are also configurable in terms of bandwidth throttling. Values can be assigned per site and per connection type (e.g., dial-up, wireless, LAN, or WAN), with separate settings for uploads and downloads, matching the asymmetric characteristics of typical DSL links. The BigFix download/upload manager delivers functionality similar to the Microsoft Background Intelligent Transfer Service (BITS) and can resume an interrupted download from where it stopped rather than restarting it. In addition, agents can run several independent downloads simultaneously at different priority levels, so a small but potentially more urgent Fixlet can be obtained during a lengthy download of a large package (e.g., a Windows Service Pack installation).
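The download behavior just described (per-connection chunk limits, resuming from the last received byte after an interruption, and letting a small high-priority item overtake a large transfer already in progress) is shown below in an added example; it is not BigFix's download manager and does not talk to a real server. The `FlakySource` class is a constructed stand-in for a server that honors byte-range requests and drops the link once, and the chunk sizes, job names and payloads are assumptions. The example also adds the check a practitioner wants after a resumed transfer: the reassembled file is verified against an expected SHA-256 digest before it is reported as complete.

```python
import hashlib
import heapq
from dataclasses import dataclass, field
from typing import Optional

# Constructed per-connection chunk sizes, standing in for per-connection throttle settings.
CHUNK_BYTES = {"dialup": 4, "lan": 64}


class FlakySource:
    """Constructed server stand-in: serves byte ranges and drops the connection once,
    the first time a read crosses fail_at. A real client would send HTTP Range requests."""

    def __init__(self, data: bytes, fail_at: Optional[int] = None):
        self.data = data
        self.fail_at = fail_at
        self.dropped = False

    @property
    def size(self) -> int:
        return len(self.data)

    def read_range(self, start: int, length: int) -> bytes:
        if (self.fail_at is not None and not self.dropped
                and start < self.fail_at <= start + length):
            self.dropped = True
            raise ConnectionError("link dropped mid-transfer")
        return self.data[start:start + length]


@dataclass(order=True)
class Job:
    priority: int                       # lower number = more urgent; heap key
    seq: int                            # tie-breaker: first queued wins
    name: str = field(compare=False)
    source: FlakySource = field(compare=False)
    expected_sha256: str = field(compare=False)
    buf: bytearray = field(default_factory=bytearray, compare=False)
    resumes: int = field(default=0, compare=False)
    status: str = field(default="queued", compare=False)


class DownloadManager:
    def __init__(self, connection: str):
        self.chunk = CHUNK_BYTES[connection]
        self.queue: list = []
        self.jobs: dict = {}
        self.completed: list = []       # names in completion order
        self.seq = 0

    def enqueue(self, name: str, source: FlakySource, expected_sha256: str, priority: int):
        job = Job(priority, self.seq, name, source, expected_sha256)
        self.seq += 1
        self.jobs[name] = job
        heapq.heappush(self.queue, job)

    def step(self) -> bool:
        """Transfer one chunk of the most urgent unfinished job; False when idle."""
        if not self.queue:
            return False
        job = self.queue[0]
        offset = len(job.buf)           # resume point: bytes already received are kept
        try:
            job.buf += job.source.read_range(offset, self.chunk)
        except ConnectionError:
            job.resumes += 1            # retry from the same offset, not from zero
            return True                 # (the stand-in source fails only once, so this terminates)
        if len(job.buf) >= job.source.size:
            heapq.heappop(self.queue)
            digest = hashlib.sha256(bytes(job.buf)).hexdigest()
            job.status = "ok" if digest == job.expected_sha256 else "integrity_failed"
            self.completed.append(job.name)
        return True

    def run(self, steps: Optional[int] = None):
        while (steps is None or steps > 0) and self.step():
            if steps is not None:
                steps -= 1

    def report(self) -> dict:
        return {n: {"status": j.status, "bytes": len(j.buf), "resumes": j.resumes}
                for n, j in self.jobs.items()}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def simulate():
    """Constructed scenario: a large package is under way when an urgent item arrives."""
    big = b"service-pack-" * 16                  # 208 bytes, link drops at byte 100
    small = b"urgent-fixlet-1"
    mgr = DownloadManager("dialup")
    mgr.enqueue("service-pack", FlakySource(big, fail_at=100), sha256(big), priority=5)
    mgr.run(steps=3)                             # 12 bytes of the big package are in
    mgr.enqueue("urgent-fixlet", FlakySource(small), sha256(small), priority=1)
    mgr.enqueue("bad-mirror", FlakySource(b"tampered"), sha256(b"original"), priority=3)
    mgr.run()
    return mgr.completed, mgr.report()
```

In the scenario, `simulate()` completes the urgent Fixlet first, then the mismatching download (reported as "integrity_failed" rather than delivered), and finally the service pack, which resumes once and transfers exactly its 208 bytes with nothing re-fetched.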
BigFix is, without a doubt, one of the leaders in the patch management arena. It boasts a significant number of satisfied corporate customers, including TRW, Corning, and Pitney Bowes. If you're looking to learn more about BES in action, the BigFix Web site offers downloadable case studies.