SAN FRANCISCO (11/17/2003) - Most system administrators have felt the sting of unpatched software. Eliminating vulnerabilities is one of the most daunting tasks IT staff face -- especially at the enterprise level, where administrative divisions, critical system uptime, and sheer physical distance hamper the ability to maintain a secure and stable network.
BigFix Patch Manager 3.1 and PatchLink Update 5.0 address this problem with similar methodologies, pushing updates out to network clients from distribution servers. Their subtly different implementations yield strikingly different results. Thanks to a more informative, task-oriented interface and a more reliable set of tools, BigFix proves itself the far more useful of the two.
Both BigFix and PatchLink make the same promises: reduction of administrative overhead and increased security across a variety of platforms. With agent-based deployment and broad multivendor support, both have a lot in common; but with security, the devil is most definitely in the details. Although PatchLink provides updates for a greater range of platforms, BigFix offers a more efficient interface that eases patch deployment. BigFix also provides greater assistance to Windows administrators, the core market for both packages.
BigFix Patch Manager uses a central download server along with mirror servers to send updates to client agents. BigFix is highly scalable; a single server can support as many as 10,000 clients, depending on network and hardware configuration, and mirror servers can extend deployment throughout a major enterprise. Each client runs an agent that listens for updates from an update server. One or more consoles must also be installed to administer the Patch Manager deployment. Client agents for Windows are typically installed from the console; like BigFix's agents for Red Hat and Solaris clients, they can also be installed manually or via a script. Automated installation from the console is smooth and quick but requires Active Directory.
The console, which runs only on Windows 2000 and Windows XP, is the administrative interface to the Patch Manager deployment and the most distinguishing feature of the product. It controls downloading and deployment of software updates and patches, termed "fixlets" by BigFix. Properly speaking, fixlets are scripts that tell the BigFix server how to apply an update; a development kit called the BigFix Development Environment is available to allow BigFix customers to create their own fixlets.
The console provides a sortable view of available fixlets for all supported platforms and vendors. It also shows which computers are eligible for updates, lists the drivers and hardware installed, and provides a summary view of each fixlet. Most updates can be installed onto batches of computers that meet a very granular set of selection criteria, greatly simplifying the installation of updates to large numbers of computers. The console allows administrators to perform multiple installations at once and to monitor them in real time, but it does not provide a great deal of feedback when something goes wrong.
Patch Manager uses Microsoft Corp. SQL Server to track deployment, which nominally provides additional robustness but can increase administrative overhead in the event that something goes wrong. This database should be backed up regularly because its loss may necessitate a complete redeployment of Patch Manager. The database is also a key component of BigFix's Web reports feature, which allows visual analysis of the facts collected by Patch Manager, including statistics on vulnerabilities, available fixlets, and trends over time.
Although generally easy to deploy and use, Patch Manager does have its weaknesses. It is not possible, for example, to schedule installation times, so each update cycle must be initiated by hand. The console does not always provide intuitive access to information, nor does it provide any log of what updates have been deployed, although higher-level reports are available from the Web reports tool. Furthermore, although Linux and Solaris support is nominally available, automated installation of these clients is not supported, which complicates deployment for large, heterogeneous organizations.
Chinks in PatchLink
PatchLink Update also uses an agent-based installation scheme, and the client installation step is similar to BigFix Patch Manager's. I encountered one hitch during client installation that was to become a recurring theme: selecting the "Verify agent status" box caused the entire application to appear frozen while it went to gather information from each and every prospective client. BigFix's client installation has a similar feature, enabled automatically, but the interface remained responsive while it ran.
Unlike Patch Manager, PatchLink Update uses a Web-based interface for centralized management. Although this interface provides console access from any OS that can run Internet Explorer 5 or Netscape 6 or later, the design of the interface all but eradicates any advantage it provides. The initial screen contains a profoundly annoying scrolling display of available patches, and the Help link primarily consists of screen shots and explanations of what they mean rather than information about how to accomplish specific tasks.
The rest of the console is no better. Given the number of vendors and updates supported by PatchLink, the console should provide sophisticated sorting and selection tools, but moving through and selecting parts of a large data set -- such as a group of patches or computers -- inevitably turns into a tedious ordeal of scrolling and clicking. Woe betide you if you should happen to click on the Select All box, which will cause the entire interface to freeze, possibly for several minutes; for Windows users with Internet Explorer, this essentially means that the entire user interface hangs, rendering the computer unusable. Performing even a few relatively simple tasks can become time-consuming and maddening.
Client and patch installations, when they work, are reasonably quick and painless. When they fail -- as they seem to do with depressing frequency -- little information is provided to ease troubleshooting.
Despite my use of an administrator-level account, client installations often failed because of permission problems that were not explained. Information about clients would simply be absent from the console, frequently with status messages indicating the agent was not running. Because PatchLink provides users with no knowledge base for its product, resolving the problems requires either working at length with support personnel or browsing the PatchLink support forums.
One day, system administrators may hail the invention of the perfect patch management tool. Although it doesn't reach that standard, BigFix Patch Manager 3.1 is a solid step in the right direction. By contrast, PatchLink Update 5.0 is barely sufficient to compete with Microsoft's bare-bones Software Update Services, much less the far superior Patch Manager.
If patching Windows machines is your main concern, BigFix is the clear choice. It gets the job done efficiently, vastly simplifying a crucial task.
How I tested
I installed the BigFix and PatchLink server components on Windows 2000 Server and Windows 2000 Advanced Server. Both products were easy to install, although BigFix Patch Manager had an undocumented restriction against installation on a Windows Domain Controller and required the external installation of Microsoft's Data Access Components and reconfiguration to support proxy-based Web access.
When I had overcome that minor hurdle, I tested each product's remote client installation capabilities across a heterogeneous network comprising multiple VLANs with connections ranging from 802.11b to Gigabit Ethernet. My clients included six servers running Windows 2000 Server and Advanced Server at different patch levels, including two domain controllers, as well as workstations and laptops running Windows 98, Windows 2000, and Windows XP. I also tested PatchLink against Red Hat Inc. Linux 7.3 and 9 clients. Testing BigFix Patch Manager against Linux and Unix clients required a component that was not available in the evaluation version, so I was unable to verify its performance on those platforms.
I deployed a large number of patches and software updates using both applications and found that BigFix's product provided a much more rapid and efficient deployment. An effective enterprise patch manager requires a flexible, powerful user interface and a reliable and scalable deployment capability. Although it still has some room for improvement, BigFix clearly outshines PatchLink in both areas.
-- Tom Maddox
Tom Maddox is a Microsoft and Sun certified system engineer based in Menlo Park, Calif.