Educause Security Discussion mailing list archives

Looking at BigFix


From: Jim Moore <jhmfa () CIS RIT EDU>
Date: Wed, 12 Feb 2003 01:24:15 -0500

I asked if anyone in the group had done an analysis of BigFix.  Some
have looked at BigFix as the way to respect privacy, and still require
people to keep their own systems up to date.  We are not doing a
rigorous analysis, but my co-op has done some good research that I
thought I would pass along.

- - - -
From BigFix:

My apologies for the delay in responding to your last email.  We received
your follow-up email request for information this morning, and I thought I
would take this opportunity to respond to both your emails at this time.

To start with, we are able to distribute and update Windows DLLs.  As far as
server software goes, that all depends on which of our suites you are considering
implementing.  We offer both a Supplier and an Enterprise suite.  The
Supplier Suite utilizes our consumer client, while the Enterprise Suite
utilizes our BigFix Enterprise Suite (BES) client.  The Supplier Client has
a full featured UI, where the end user, and only the end user, can take
actions in a Fixlet message.

The BES Client runs silently in the background of a computer and allows an
administrator to view relevant issues and take actions on computers across
an entire network through a central administrative console
application.  Downloads in our Fixlet messages for our Enterprise Suite are
authenticated using SHA1 hashes.  This ensures that the patch we downloaded
and tested is the patch that you will download as well.

Fixlet messages are authenticated using a Public-key/Private-key
infrastructure, with key pairs typically 1024 bits in length.  During the
creation of a Fixlet message site key pair, the private key is kept by the
vendor, and the public key is sent to us to format and sign.  This creates
a "masthead" file that is distributed to all BigFix Clients that will
connect to that particular site.  The clients will validate that the
masthead signature comes from BigFix and if it is valid, use it to check
the signature on Fixlet message content from then on.

All that being said, I can offer you more detailed information on either
the Supplier or Enterprise suites, depending on which suite fits your needs
better.  If you could let me know which suite seems better suited for you,
I can put you in contact with the appropriate parties in our organization.

I hope this helps!  Please feel free to contact me if you have any other
questions or comments!

Best Regards,

Technical Support
BigFix, Inc.


At 12:06 PM 2/10/2003, you wrote:
>Hello,
>    I am currently reviewing the potential use of your client on our
> campus. Upon evaluating your client I have several technical questions.
> First, what sort of authentication is done on the files downloaded to
> determine if they are indeed the correct files? Are you implementing MD5,
> SHA1 or another method of checks? Second, what type of restrictions are
> placed on the "fixlets"? How are they prevented from modifying files not
> associated with the program being patched or upgraded? And third, how do
> you verify identities of participating people writing fixlets so that you
> know they are who they say they are? What form of certificates are you
> using for authentication & verification? Thank you.
>
>--
>Jeremy DuMont
>Computer Security Incident Response Assistant
>Co-op Information Security Office
>Risk Management and Safety Services
>Rochester Institute of Technology
>2455 Wallace Library
>Cell: (585) 414-8857
>Phone: (585) 475-4122
>Pager: (585) 529-1096
>Pager: page-bear () hydrolinux com
>
>The world is full of obvious things which nobody by any chance ever
>observes. -Sherlock Holmes

- - - -  Jeremy found some more detail in the "Fixlets" along with a disclaimer

They are using MIME 1.0 to write the fixlets and using s/mime via pkcs7
to sign them. But I found this buried in one of the sections of Mime
"code" that loads the system. I found it interesting.

X-Fixlet-Site-Assertion: This Fixlet(tm) site has been created under a
  technology license from BigFix, Inc. The publishers of this site
  warrant and agree that:
  (i)   they hold a valid license from BigFix, Inc. to distribute
        Fixlet messages,
  (ii)  they abide by the BigFix, Inc. guidelines for Fixlet
        message creation, and that
  (iii) while BigFix, Inc. provides the technology for making Fixlet
        messages available, it is not responsible for the content or
        function of Fixlet messages published by other parties.

- - - -

P.S. The license to produce fixlets is $32K.  There doesn't seem to be a
key revocation or key update process that has been identified yet.

--
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603

Office: 585-475-5406
Fax:    585-475-7950

PGP (jimmoore () mail rit edu): 9C33 0328  CD59 B602 82B8  8521 0B86 0DC9 963C D0C0
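
Added example (not part of the original message and not BigFix code): a sketch of the verification chain the vendor reply describes, where a root key signs the masthead, the site key in the masthead signs Fixlet content, and the Fixlet carries the SHA-1 of the download. The RSA here is an unpadded toy built from fixed primes, and the masthead and Fixlet layouts, field names and sample data are assumptions made for illustration.

```python
import hashlib

E = 65537  # public exponent shared by the toy keys

def make_key(p, q):
    """Toy textbook RSA (no padding) from fixed primes: illustration only."""
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest_int(data, n):
    # SHA-1 of the data as an integer, reduced so it fits the modulus
    return int.from_bytes(hashlib.sha1(data).digest(), "big") % n

def sign(key, data):
    return pow(digest_int(data, key["n"]), key["d"], key["n"])

def verify(n, data, sig):
    return pow(sig, E, n) == digest_int(data, n)

def masthead_bytes(site, site_n):
    # Hypothetical serialisation of what the root key signs
    return f"site={site};n={site_n}".encode()

def client_accepts(root_n, masthead, fixlet, download):
    """Walk the chain: root key -> masthead -> Fixlet signature -> download hash."""
    signed = masthead_bytes(masthead["site"], masthead["n"])
    if not verify(root_n, signed, masthead["sig"]):
        return (False, "masthead not signed by root")
    if not verify(masthead["n"], fixlet["body"], fixlet["sig"]):
        return (False, "fixlet not signed by site key")
    expected = fixlet["body"].decode().rsplit("sha1=", 1)[1]
    if hashlib.sha1(download).hexdigest() != expected:
        return (False, "download hash mismatch")
    return (True, "ok")

# Constructed keys and data (Mersenne primes; every name here is hypothetical).
ROOT = make_key(2**521 - 1, 2**607 - 1)  # stands in for the BigFix signing key
SITE = make_key(2**127 - 1, 2**107 - 1)  # stands in for a vendor's site key
PATCH = b"constructed patch payload"
MASTHEAD = {"site": "example-site", "n": SITE["n"]}
MASTHEAD["sig"] = sign(ROOT, masthead_bytes(MASTHEAD["site"], MASTHEAD["n"]))
BODY = ("action=install example patch; sha1="
        + hashlib.sha1(PATCH).hexdigest()).encode()
FIXLET = {"body": BODY, "sig": sign(SITE, BODY)}

if __name__ == "__main__":
    print(client_accepts(ROOT["n"], MASTHEAD, FIXLET, PATCH))
    print(client_accepts(ROOT["n"], MASTHEAD, FIXLET, PATCH + b"!"))
```

The sketch has no step that could withdraw a site key after its masthead is accepted; the P.S. above notes that no such revocation process had been identified.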
