BigFix bringing security to laptops

BigFix next month plans to upgrade its patch and configuration management software to support mobile laptops and help customers check computers for security holes before letting any devices onto a network.

BigFix next month plans to upgrade its patch and configuration management software to support mobile laptops and help customers check computers for security holes before letting any devices onto a network.

The company will ship its Mobile Security Manager, an agent that sits on a Windows-based laptop and monitors patch, anti-virus and system configurations and keeps them up to date. The company also is introducing the BigFix Client Compliance API, which will let BigFix agents talk with software that assesses the state of a computer before letting it log on to a network.

The two new products are part of the BigFix Enterprise Suite, a platform for vulnerability assessment and remediation.

BigFix is part of a movement to bring mobile computers under the wing of patch and configuration management tools designed to keep a network secure. Laptops and other devices that are randomly connected to a network can introduce viruses and other malware if not properly monitored.

The company competes with the likes of Ecora, PatchLink, Shavlik Technologies, Configuresoft and St. Bernard Software.

“BigFix also is part of a broader trend to enforce policy before a machine connects to the network,” says Trent Henry, an analyst with Burton Group. “Because of their flexible architecture, they can do vulnerability and patch management for mobile computers.”

The flexibility comes from BigFix Fixlets, which are small messages that contain the intelligence to detect certain issues with computers and automate the repair of those issues. BigFix agents contain any number of Fixlets.

The Mobile Security Manager has nearly 50, including one that requires a laptop’s screen saver to have a password and another that forbids the installation of file-sharing software. The Mobile Security Manager installs on the client laptop, and because it stores the Fixlets locally, it continues to monitor the system even while it is offline. The agent also can direct a user to a third-party Web site to download patches or virus signatures when a laptop has only a connection to the Internet and not the corporate network.

While BigFix can find and correct problems, it can’t enable or disable access to a network if a machine is not secure. To bridge that gap, BigFix is introducing an API that will let other products such as network access gear or an operating system talk to its agents. The agents will be able to communicate whether a laptop meets security and configuration policies as defined by BigFix. The network gear or operating system can use that information to grant or deny access. Companies such as Cisco already have such “network admission control” software, and Microsoft plans to add similar capabilities it calls “isolation” to its operating system. The intent is to keep computers off the network if they can’t prove they are secure and have installed up-to-date anti-virus and patch software.

“What we need is another agent to ask us if the BigFix agent is done and then provide the controls to enable or disable access,” says Gregory Toto, vice president of product management for BigFix.

While BigFix’s mobile software works only with Windows laptops initially, Toto says the company plans to add support for mobile phone and PDA platforms in the future.

Both the Mobile Security Manager and the Client Compliant API, which isn’t expected to ship for another two months, are priced at $5 per year, per endpoint.