Educause Security Discussion mailing list archives
Looking at BigFix
From: Jim Moore <jhmfa () CIS RIT EDU>
Date: Wed, 12 Feb 2003 01:24:15 -0500
I asked if anyone in the group had done an analysis of BigFix. Some have looked at BigFix as the way to respect privacy, and still require people to keep their own systems up to date. We are not doing a rigorous analysis, but my co-op has done some good research that I thought I would pass along.

- - - -

From BigFix:

My apologies for the delay in responding to your last email. We received your follow-up email request for information this morning, and I thought I would take this opportunity to respond to both your emails at this time.

To start with, we are able to distribute and update Windows DLLs. As far as server software goes, that all depends on which of our suites you are considering implementing. We offer both a Supplier and an Enterprise suite. The Supplier Suite utilizes our consumer client, while the Enterprise Suite utilizes our BigFix Enterprise Suite (BES) client. The Supplier Client has a full featured UI, where the end user, and only the end user, can take actions in a Fixlet message. The BES Client runs silently in the background of a computer and allows an administrator to view relevant issues and take actions on computers across an entire network through a central administrative console application.

Downloads in our Fixlet messages for our Enterprise Suite are authenticated using SHA1 hashes. This ensures that the patch we downloaded and tested is the patch that you will download as well. Fixlet messages are authenticated using a Public-key/Private-key infrastructure, with key pairs typically 1024 bits in length. During the creation of a Fixlet message site key pair, the private key is kept by the vendor, and the public key is sent to us to format and sign. This creates a "masthead" file that is distributed to all BigFix Clients that will connect to that particular site. The clients will validate that the masthead signature comes from BigFix and if it is valid, use it to check the signature on Fixlet message content from then on.

All that being said, I can offer you more detailed information on either the Supplier or Enterprise suites, depending on which suite fits your needs better. If you could let me know which suite seems better suited for you, I can put you in contact with the appropriate parties in our organization.

I hope this helps! Please feel free to contact me if you have any other questions or comments!

Best Regards,
Technical Support
BigFix, Inc.

At 12:06 PM 2/10/2003, you wrote:
>Hello,
> I am currently reviewing the potential use of your client on our
> campus. Upon evaluating your client I have several technical questions.
> First, what sort of authentication is done on the files downloaded to
> determine if they are indeed the correct files? Are you implementing MD5,
> SHA1 or another method of checks? Second, what type of restrictions are
> placed on the "fixlets"? How are they prevented from modifying files not
> associated with the program being patched or upgraded? And third, how do
> you verify identities of participating people writing fixlets so that you
> know they are who they say they are? What form of certificates are you
> using for authentication & verification? Thank you.
>
>--
>Jeremy DuMont
>Computer Security Incident Response Assistant
>Co-op Information Security Office
>Risk Management and Safety Services
>Rochester Institute of Technology
>2455 Wallace Library
>Cell: (585) 414-8857
>Phone: (585) 475-4122
>Pager: (585) 529-1096
>Pager: page-bear () hydrolinux com
>
>The world is full of obvious things which nobody by any chance ever
>observes. -Sherlock Holmes

- - - -

Jeremy found some more detail in the "Fixlets" along with a disclaimer.

They are using Mime 1.0 to write the fixlets and using s/mime via pkcs7 to sign them. But I found this buried in one of the sections of Mime "code" that loads the system. I found it interesting.

X-Fixlet-Site-Assertion: This Fixlet(tm) site has been created under a technology license from BigFix, Inc.
The publishers of this site warrant and agree that: (i) they hold a valid license from BigFix, Inc. to distribute Fixlet messages, (ii) they abide by the BigFix, Inc. guidelines for Fixlet message creation, and that (iii) while BigFix, Inc. provides the technology for making Fixlet messages available, it is not responsible for the content or function of Fixlet messages published by other parties.

- - - -

P.S. The license to produce fixlets is $32K. There doesn't seem to be a key revocation or key update process that has been identified yet.

--
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Office: 585-475-5406
Fax: 585-475-7950
PGP (jimmoore () mail rit edu): 9C33 0328 CD59 B602 82B8 8521 0B86 0DC9 963C D0C0

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.
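
The trust chain described in the vendor reply above (a root-signed masthead carrying the site key, site-signed Fixlet content, and a SHA1 hash on the download), as an added example that is not part of the original post and is not BigFix code. The message formats, the toy RSA keys and every function name are assumptions made up for illustration.

```python
import hashlib

# Constructed toy RSA keys built from known Mersenne primes: NOT secure,
# chosen only so the sketch runs offline with the standard library.
E = 65537

def toy_key(a, b):
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(key, data: bytes) -> int:
    # Textbook RSA without padding (assumption; the post mentions S/MIME via PKCS7).
    return pow(digest_int(data), key["d"], key["n"])

def verify(n: int, data: bytes, sig: int) -> bool:
    return pow(sig, E, n) == digest_int(data)

ROOT = toy_key(607, 1279)   # stands in for the vendor key that signs mastheads
SITE = toy_key(521, 2203)   # stands in for one Fixlet site publisher's key

def make_masthead(site_n: int):
    body = b"site-public-key:%d" % site_n      # hypothetical masthead format
    return body, sign(ROOT, body)

def make_fixlet(patch: bytes):
    # SHA1 is what the 2003 reply describes; a current design would use SHA-256.
    body = b"action:download sha1:" + hashlib.sha1(patch).hexdigest().encode()
    return body, sign(SITE, body)

def client_accepts(root_n, masthead, fixlet, download: bytes) -> str:
    m_body, m_sig = masthead
    if not verify(root_n, m_body, m_sig):
        return "reject: masthead not signed by root"
    site_n = int(m_body.split(b":", 1)[1])     # site key trusted only after the check
    f_body, f_sig = fixlet
    if not verify(site_n, f_body, f_sig):
        return "reject: fixlet not signed by site key"
    expected = f_body.rsplit(b"sha1:", 1)[1].decode()
    if hashlib.sha1(download).hexdigest() != expected:
        return "reject: download hash mismatch"
    return "accept"   # note: no step here can express a revoked site key
```

Every check hangs off the single root public key the client starts with, so a masthead that verifies once keeps verifying until the client's copy of it is replaced.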