Rolling Review: BigFix Enterprise Suite 7.0.7.96

BigFix is unique in our testing thus far in that its core patching functionality is an integrated part of a larger framework focused on all aspects of endpoint security and management. This framework, the BigFix Enterprise Suite, can include IT policy management and BigFix's own antivirus product as well as the patching functionality tested. Not surprisingly, that makes for a more complex user interface than we've seen in pure patch management products. It took us some time to get a handle on BigFix's modus operandi, but once we did, we found the interface and operations fairly straightforward.

BixFix relies on "sites" for each type of technology you're managing, for example, Solaris or Windows. Sites are bundled into Solution Packs grouped to support the various roles BigFix can play. While each pack comes with a number of sites, you can choose to install only the sites necessary for a particular environment, limiting the resources needed for downloading and storing patching information.

Each site contains "fixlets," BigFix's name for the packages containing the patches, applications, or policies it can deploy. Most of the functionality BigFix Enterprise Suite provides is tied to fixlets, and the term is nearly ubiquitous.

Big on WindowsBigFix's structure is entirely agent-based, similar to most enterprise patch management products we've seen. Deployment of agents can be easily automated to Windows systems through a client installation program provided. Happily, packages provided by BigFix for installation on non-Windows systems were also simple to install and well documented. Installed agents can even scan their local networks for devices without agents installed and attempt to deploy agents to those clients.

One area where BigFix stands out from other patching products reviewed is in administrative features. We were able to create baselines of patches that can be assigned to user-created groups; individually specified clients; or groups of clients based on information retrieved by BigFix, such as subnet or OS. Using properly configured baselines can significantly reduce the amount of administrative time needed for patch management in any size environment.

For Windows shops, the default patch setting is "no reboot," even if the patch vendor has specified that a reboot is needed. This is useful for servers that can be rebooted only during a maintenance window. In the reporting interface, you will see a "pending reboot" state after these patches. Additionally, we could set up a scheduled task to reboot any clients currently in the pending reboot state during a designated window.

Rolling Reviews present a comprehensive look at a hot technology category, including market analysis, product reviews, and wrapping up with a synopsis of our findings. See our kickoff and other reviews in this patch management series at Rolling Reviews.

Wizard FixUninstalling a patch was a bit more challenging than with previously tested products as it involved a wizard instead of a contextual option of the patch itself, but the process worked as advertised. A wizard was also necessary to obtain Sun Solaris patches, as that content now requires a login, and yet another wizard was used to set up pre-caching of patch files for deployment.

BigFix's reporting capabilities are provided through a Web reports component, rather than the console itself. The company covers all the bases here, with out-of-the-box reports on vulnerability assessment, agent and client statistics, specific action results, and console operation. The capabilities provided by baselines are also reflected here, as reporting on baseline effectiveness can be an easy way to create relevant and useful reports.

BigFix can integrate into a CMDB or other application, such as a network management system, to help determine if a patch could have caused an outage. This is overkill for desktops, but useful for servers. BigFix offers a number of APIs, including for network access control, database access, vulnerability assessment, and inventory integration.

Enterprise PlayerBigFix is a standout for environments that need advanced bandwidth control. Not only can the BigFix server and clients be configured to use limited bandwidth, but relays are configurable for both upload and download usage. The client setting can even be throttled according to either KB per second or percentage of available bandwidth. A related option allows an action to be distributed over a user-defined number of minutes, to reduce network load. This was the most advanced set of controls we've yet seen in our testing. As mentioned, BigFix Enterprise Suite has an impressive list of supported operating systems, including Windows, Mac OS, Solaris, HP-UX, AIX, SUSE Enterprise Linux, Red Hat and even VMware ESX. Don't get too excited, however: The list of OSes with patch content varies slightly from the roster of operating systems supported by BigFix. In addition, patches are available for a wide array of applications. To keep critical antivirus products up to date, there is a separate "Client Manager for Anti-Virus" repository that includes updates for AV products from Symantec, Sophos, eTrend Micro, McAfee, and eTrust.

Bigfix also offers an easily accessible patch creation feature. Building a new patch requires use of BigFix's language for action scripting, but the utility enables an internally created or customized patch to be treated much the same as one created by BigFixWe liked that BigFix customers can purchase components via a la carte menu pricing. Total list price for our test environment was $20,250. BigFix has one price for monitored Unix and Linux servers, and one price for monitored Windows servers: At a volume of 450, Linux/Unix servers cost $25 each; 600 Windows servers (a mix of real and virtual) run $15 per device. Pricing continues to drop with higher volumes.