Patch Management: The BigFix Is In

BigFix is unique in our testing thus far in that its core patching functionality is an integrated part of a larger framework focused on all aspects of endpoint security and management. This framework, the BigFix Enterprise Suite, can include IT policy management and BigFix's own antivirus product, as well as the patching functionality tested. That makes for a more complex user interface than we've seen in pure patch managers. It took us some time to get a handle on BigFix's modus operandi, but once we did, we found the interface and operations fairly straightforward.

BixFix relies on "sites" for each type of technology you're managing--for example, Solaris or Windows. Sites are bundled into Solution Packs grouped to support the various roles BigFix can play. While each pack comes with a number of sites, you can install only the sites necessary for a particular environment, limiting the resources needed for downloading and storing patching information.

Each site contains "fixlets," BigFix's term for the packages containing the patches, applications, or policies it can deploy. Most of the functionality BigFix Enterprise Suite provides is tied to fixlets, and the term is nearly ubiquitous.

BigFix's structure is entirely agent-based, similar to most enterprise patch management products we've seen. Deployment of agents can be easily automated to Windows systems through a client installation program provided. Happily, packages provided by BigFix for installation on non-Windows systems were also simple to install and well documented. Installed agents can even scan their local networks for devices without agents installed and attempt to deploy agents to those clients.

One area where BigFix stands out is in administrative features. We were able to create baselines of patches that can be assigned to user-created groups, individually specified clients, or groups of clients based on information retrieved by BigFix, such as subnet or OS. Using properly configured baselines can significantly reduce the amount of administrative time needed for patch management. For Windows shops, the default patch setting is "no reboot," even if the patch vendor has specified that a reboot is needed. This is useful for servers that can be restarted only during a maintenance window. We could set up a scheduled task to reboot any clients in the pending reboot state during a designated time frame.WIZARD FIX

Uninstalling a patch was more challenging than with previously tested products as it involved a wizard instead of a contextual option of the patch itself, but the process worked as advertised. A wizard was also necessary to obtain Sun Solaris patches, as that content now requires a login, and yet another wizard was used to set up pre-caching of patch files for deployment.

BigFix's reporting capabilities are provided through a Web reports component, rather than the console itself. The company covers all the bases here.

BigFix can integrate into a configuration management database or other applications, such as a network management system, to help determine if a patch could have caused an outage. This is overkill for desktops but useful for servers. BigFix offers a number of APIs, including for network access control, database access, vulnerability assessment, and inventory integration, and it supports a big roster of operating systems and apps.

The product is a standout for environments that need advanced bandwidth control. Not only can the BigFix server and clients be configured to use limited bandwidth, but relays are configurable for both upload and download usage. The client setting can even be throttled according to either kilobyte per second or percentage of available bandwidth. A related option lets an action be distributed over a user-defined number of minutes, to reduce network load. This was the most advanced set of controls we've seen.

BigFix also offers an easily accessible patch-creation feature. Building a new patch requires use of BigFix's language for action scripting, but the utility enables an internally created or customized patch to be treated much the same as one created by BigFix. We liked that BigFix customers can purchase components via à la carte menu pricing. Total list price for our test environment was $20,250. BigFix has one price for monitored Unix and Linux servers, and one price for monitored Windows servers: At a volume of 450, Linux/Unix servers are $25 each; 600 Windows servers (a mix of real and virtual) run $15 per device. Pricing continues to drop with higher volumes.

Rolling Reviews present a comprehensive look at a hot technology category, including market analysis, product reviews, and wrapping up with a synopsis of our findings.See our patch management Rolling Review kickoff and other patch manager reviews at Rolling Reviews.