How Tivoli Endpoint Manager (BigFix) Is Different
To better appreciate how the Tivoli Endpoint Manager (previously BigFix Enterprise Suite) technology will enable an organization to achieve its goals for an automated patch management solution in a real-time, 24-hour operation, it is important to understand the unique architecture of the Tivoli Endpoint Manager (TEM) platform. When reviewing this document, keep in mind that competing solutions suffer from all the disadvantages of both a scanning-based approach and a "dumb" agent that simply reports data to a central server for processing.
Problems with other platforms
- they are not scalable because of the significant amount of network traffic they generate; scan intervals must be lengthened to achieve any kind of scalability, typically to once a day or once a week at best;
- they can gather information from each computer only if the machine is connected at a scheduled scan time or scheduled report time;
- they generate so much WAN traffic that they are not suited to managing remote locations or mobile users from a single central server;
- the data available for problem detection, configuration analysis and any type of reporting is limited to the predefined information programmed by the vendor;
- they often support only Windows NT and later, and only computers within an NT or AD domain;
- they have limited ability to provide centralized reporting with delegated administration;
- the typical approach to managing thousands of computers across a distributed environment is to set up multiple instances of the management server, creating an expensive infrastructure to deploy and manage.
Tivoli Technology Differentiation
Tivoli Endpoint Manager offers a comprehensive and scalable solution to address the vulnerability and security configuration management needs of an organization. At the heart of the Tivoli Endpoint Manager solution lies a powerful, secure, agent-based platform that enables highly targeted, real-time vulnerability and configuration issue identification, investigation and remediation.
The fundamental difference in the Tivoli Endpoint Manager approach to security and configuration management that sets it apart from all competitors is the ability to distribute the evaluation process to each managed end-node rather than to rely on a central server to determine security or configuration issues. In complete contrast to all other solutions that rely on server-side evaluation to identify problem conditions, the local evaluation of the managed end-node by the TEM Agent dramatically reduces the risk of exposure to security vulnerabilities and misconfigurations:
- Persistently evaluates issues locally, providing real-time identification of vulnerabilities with greater precision, throttled to use less than 1-2% of the CPU.
- Interrogates Registry, WMI, DMI, BIOS, File System, RAM, file contents, etc. for precise identification of issues and complete reporting of asset and inventory data.
- Enables real-time communication by reporting only compressed deltas of requested data.
- Evaluates end-node policy compliance even when not connected to the network.
- Enforces pre-authorized policy actions without joining the network.
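The list above claims that the agent reports only compressed deltas of requested data. The following illustration, written for this page and not taken from the TEM agent or its wire protocol, shows what that means in practice: the endpoint keeps the last snapshot it sent, transmits only the properties that changed (compressed), and the server reconstructs the full state from the delta. The property names and values are constructed sample data.

```python
import json
import zlib

# Constructed sample snapshots of the properties an agent might track.
# These are example values for illustration, not data from any TEM deployment.
PREVIOUS = {
    "hostname": "ws-0042",
    "os": "Windows 7 SP1",
    "domain": "EXAMPLE",
    "bios_version": "A12",
    "cpu": "Example CPU 2.4 GHz",
    "ram_mb": 4096,
    "installed_patches": ["patch-001", "patch-002", "patch-003"],
    "free_disk_mb": 41230,
}
# Since the last report one patch was installed and free disk space changed.
CURRENT = dict(PREVIOUS)
CURRENT["installed_patches"] = PREVIOUS["installed_patches"] + ["patch-004"]
CURRENT["free_disk_mb"] = 40115


def compute_delta(previous, current):
    """Keep only properties whose value changed since the last report, plus the
    keys that disappeared, so unchanged data never crosses the wire."""
    changed = {k: v for k, v in current.items() if previous.get(k) != v}
    removed = sorted(k for k in previous if k not in current)
    return {"changed": changed, "removed": removed}


def encode_report(payload):
    """Serialize deterministically (sorted keys, no whitespace) and compress."""
    raw = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return zlib.compress(raw, 9)


def decode_report(blob):
    """Inverse of encode_report."""
    return json.loads(zlib.decompress(blob).decode("utf-8"))


def apply_delta(previous, delta):
    """Server (or relay) side: rebuild the endpoint's full state from the last
    known state plus the received delta."""
    state = dict(previous)
    state.update(delta["changed"])
    for key in delta["removed"]:
        state.pop(key, None)
    return state


def report_sizes(previous, current):
    """Bytes on the wire for a full report versus a delta report."""
    full = encode_report(current)
    delta = encode_report(compute_delta(previous, current))
    return len(full), len(delta)


if __name__ == "__main__":
    full_len, delta_len = report_sizes(PREVIOUS, CURRENT)
    print(f"full report: {full_len} bytes, delta report: {delta_len} bytes")
```

The server must keep the last acknowledged snapshot per endpoint for this to work; if it loses that state (or the agent is reinstalled), the agent has to fall back to one full report before deltas resume.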
By relying on server-side evaluation of managed computers, based on data retrieved through scanning or from locally installed agents, competing tools provide latent, limited visibility into computers connected to the network, thus increasing risk exposure. Problems caused by server-side evaluation:
- Scheduled scan/report time used to reduce network traffic & increase scalability also increases response time to hours, days, and weeks
- Limited data available on server to precisely identify vulnerability and report status
- Inability to evaluate and remediate off-line computers
In fact, the unique architecture of the Tivoli Endpoint Manager technology provides unparalleled benefits to an organization to implement an effective, real-time Security Configuration Management system as quickly as possible with minimal impact to network, computing, and Administrator/end-user resources.
- By locally evaluating the managed end-node for computer properties and compliance issues and then reporting the results within seconds or minutes of detection, the TEM technology provides real-time results:
  - Real-time asset, inventory, and policy compliance discovery
  - Real-time remediation for computers regardless of network connectivity
  - Real-time reporting for documentation, strategy planning, and regulatory compliance
- The benefits of this approach also enable an organization to provide deep visibility and controlled automation to manage an organization’s security configuration through a light-weight infrastructure:
  - TEM Client/Server communication averages less than 20-50 KB per machine per day, minimizing network traffic and enabling real-time communication.
  - Distributing the evaluation process to the local computers using available CPU cycles results in light-weight hardware requirements for the TEM Server, while the TEM Relay infrastructure leverages existing server/workstation hardware to further minimize LAN/WAN traffic.
  - The TEM technology’s ability to provide immediate, detailed system compliance along with automated control to deploy corrective actions requires far fewer network administrator resources.
  - The TEM system’s ability to deploy and manage its own software components enables a complete roll-out in far less time than any competing tool.
Because of the minimal impact to network communication as well as the granular level of optimization available to each component of the TEM technology from the TEM Console, a single TEM Server can support well over 100,000 managed end-nodes. An organization will be able to implement the TEM technology using a single TEM Server which will enable centralized reporting with delegated control over the entire enterprise for complete visibility into each asset across the organization.
The ability to respond in real-time while maintaining minimal impact to an organization’s infrastructure will be accomplished through the following architectural features:
Intelligent Agent evaluation
The unique architecture of the TEM agent, which evaluates a managed computer locally for security vulnerabilities and configuration management issues, lets it keep the average daily network traffic from each TEM agent to the TEM server to 20-50 KB, in contrast to the megabytes of data that flow from each computer in a scanning-based or inefficient agent-based tool in which a central server performs the evaluation. Further, all system components—Server, Relay, and Agent—communicate to and from each other only the compressed differences between their current state and what was sent previously. Because the Agent performs evaluation locally, it can detect any change in network connection type in real time, so that the respective TEM component can honor the bandwidth limits established for that connection—even as mobile users access the network through different means.
TEM Relay
To minimize WAN traffic, the TEM Relay acts as a cache and forward point for both the download files and system communication. Thus, communication from the TEM Server is sent once across the WAN to only the TEM Relay and not across the WAN to each computer individually. Likewise, communication from the remote location is aggregated at the TEM Relay, then differenced and compressed before forwarding it on to the server, again minimizing the traffic other tools would generate with each computer reporting back to the central server directly.
- TEM Relays provide automatic failover so that if any Relay goes down, the TEM Agents will automatically find the next closest relay within your network. Mobile computers will automatically find the closest TEM relay as users move from location to location within your network.
- The TEM Relay is an integrated component of the platform, easily installed, configured and managed from within the Console.
- Because the TEM Relay handles the system communication between the TEM Server and TEM agents, you can manage off-network computers by simply designating an existing server in your DMZ to take on the role of a TEM relay.
As long as mobile users have an Internet connection–no need to VPN in–the TEM agents will be able to report any non-compliance or misconfiguration issues and you will be able to deploy any necessary updates. Since the TEM agent knows when the computer is on or off the network as well as what type of connection it has, the Agent will automatically throttle traffic to minimize the impact on a remote user working from home or any other off-site location. By managing off-network computers before they return to the office and connect to the local network, you can make sure they are patched, antivirus is up to date, and configuration settings are in place, minimizing the chance that they become infected off-line and then spread the problem to other computers once they join the internal network.
Bandwidth throttling
The TEM platform has an integrated bandwidth-throttling mechanism that allows you to set a specific limit on the amount of bandwidth the system can consume for both communication and file downloads. You can set different limits between each component of the TEM system, e.g., between Server and Relay and between Relay and client. In addition to limit-based throttling, TEM bandwidth throttling also supports percentage-based throttling, so you can limit the TEM communication to a percentage of the available bandwidth. Of course, the limited throttling in other tools applies only to the delivery of download files, not to system communication.
Dual Communications Channels
TEM also provides a dual communications channel capability: using it, the agent can perform two independent downloads at the same time with different priorities. For example, a large service pack may be downloaded via one channel (lower priority) while an AV DAT file is downloaded simultaneously via the second channel (higher priority). In this way the TEM Client can perform a long-duration download while still allowing smaller downloads (DAT files, new Fixlet messages, smaller patches and files) to continue.
Distribution over time
When administrators deploy an action to address a vulnerability or configuration issue, they can specify the amount of time over which any required download files should be delivered through the network. If they’re sending out SP3 for Windows 2000, they don’t want 1000 copies of a 123 MB file clogging the network at exactly the same moment. The distribution feature divides the targeted machines evenly over the specified period and delivers the patches accordingly, preventing this glut.
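The effect of dividing targets over a time window is easy to quantify. The illustration below is added for this page (it is not the TEM distribution feature's own code) and uses the scenario from the text, 1000 machines and a 123 MB file; the 8-hour window and the 1 MB/s per-transfer rate are assumptions. It staggers start times evenly, then sweeps the start and end events to find how many transfers are in flight at the busiest moment, which is what actually determines the load on a shared link.

```python
import math

# Figures from the scenario in the text (1000 machines, one 123 MB file).
# The host names, link rate and window are constructed for the illustration.
TARGETS = [f"host-{i:04d}" for i in range(1000)]
FILE_MB = 123
LINK_MB_PER_S = 1.0          # assumed throughput of a single transfer
WINDOW_S = 8 * 3600          # assumed distribution window: 8 hours
TRANSFER_S = FILE_MB / LINK_MB_PER_S


def stagger(targets, window_s):
    """Spread n targets evenly over the window: target i starts at i * window / n.
    Returns (start_offset_seconds, target) pairs."""
    n = len(targets)
    step = window_s / n if n else 0.0
    return [(i * step, target) for i, target in enumerate(targets)]


def peak_concurrent(schedule, transfer_s):
    """Sweep start/end events to find the largest number of transfers in flight
    at once. Each transfer occupies the half-open interval [start, start + transfer_s)."""
    events = []
    for start, _ in schedule:
        events.append((start, 1))
        events.append((start + transfer_s, -1))
    events.sort()            # at equal times the -1 (end) sorts before the +1 (start)
    active = peak = 0
    for _, delta in events:
        active += delta
        peak = max(peak, active)
    return peak


def peak_link_load_mb_per_s(schedule, transfer_s, rate=LINK_MB_PER_S):
    """Worst-case aggregate rate on the shared link for a schedule."""
    return peak_concurrent(schedule, transfer_s) * rate


def compare(targets=TARGETS, window_s=WINDOW_S, transfer_s=TRANSFER_S):
    """Peak concurrency when every target starts at once versus when staggered.
    For an even stagger the closed form is ceil(transfer_time / step)."""
    all_at_once = [(0.0, t) for t in targets]
    staggered = stagger(targets, window_s)
    return {
        "all_at_once": peak_concurrent(all_at_once, transfer_s),
        "staggered": peak_concurrent(staggered, transfer_s),
        "expected_staggered": math.ceil(transfer_s / (window_s / len(targets))),
        "staggered_peak_mb_per_s": peak_link_load_mb_per_s(staggered, transfer_s),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: {v}")
```

In this scenario the stagger step is 28.8 s and each transfer lasts 123 s, so at most five transfers overlap instead of a thousand; a relay at the remote site caches the file once, so the WAN sees far less than even that.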
Download Manager
Resuming a file download from the point at which it was interrupted is essential to minimizing network traffic when a connection is lost during a file transfer, not only for remote machines connected over slow links but also for locally connected computers within the LAN. If the managed computer is not connected long enough to download an entire file, the download manager built into the TEM agent restarts the download from where it left off.
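The illustration below is added for this page and is not the TEM download manager's code. It models a range-capable origin and a link that drops a fixed number of times, then compares a client that resumes at the current offset with one that restarts from zero, counting the bytes each puts on the wire. It also verifies a digest of the assembled file, the check any resumable downloader needs, because a resume can silently stitch together bytes from two different versions of a file if the origin changed between attempts. The payload, drop pattern and hash are constructed for the example; in a real deployment the expected hash is published with the action rather than computed locally.

```python
import hashlib

CHUNK = 1024

# Constructed 10,000-byte payload standing in for a patch file.
PAYLOAD = bytes(i % 251 for i in range(10000))
# In practice this comes from the action definition; here it is derived from the sample.
EXPECTED_SHA256 = hashlib.sha256(PAYLOAD).hexdigest()


class RangeServer:
    """Stand-in for an origin (or relay) that honours byte-range requests."""

    def __init__(self, payload):
        self.payload = payload

    def read(self, offset, length):
        return self.payload[offset:offset + length]


class FlakyLink:
    """Delivers whole chunks but drops the connection (losing the chunk in flight)
    whenever more than drop_after bytes have flowed since the last drop, until
    the configured number of failures has been used up."""

    def __init__(self, server, drop_after, failures):
        self.server = server
        self.drop_after = drop_after
        self.failures_left = failures
        self.since_drop = 0
        self.bytes_delivered = 0      # bytes that actually crossed the link

    def fetch(self, offset, length):
        data = self.server.read(offset, length)
        if self.failures_left and self.since_drop + len(data) > self.drop_after:
            self.failures_left -= 1
            self.since_drop = 0
            raise ConnectionError("link dropped mid-transfer")
        self.since_drop += len(data)
        self.bytes_delivered += len(data)
        return data


def download(link, size, expected_sha256, resume=True):
    """Fetch `size` bytes over `link`. With resume=True the next request starts at
    the current offset (the download-manager behaviour); with resume=False the
    buffer is discarded and the transfer restarts from byte 0 after each drop.
    The assembled file is rejected unless its digest matches."""
    buf = bytearray()
    retries = 0
    while len(buf) < size:
        try:
            data = link.fetch(len(buf), CHUNK)
            if not data:
                break
            buf += data
        except ConnectionError:
            retries += 1
            if not resume:
                buf = bytearray()
    digest = hashlib.sha256(buf).hexdigest()
    if digest != expected_sha256:
        raise ValueError("integrity check failed; discarding download")
    return {"bytes": len(buf), "on_wire": link.bytes_delivered, "retries": retries}


def run_demo(drop_after=3000, failures=2):
    """Same payload and drop pattern for both strategies, fresh link each time."""
    resumed = download(FlakyLink(RangeServer(PAYLOAD), drop_after, failures),
                       len(PAYLOAD), EXPECTED_SHA256, resume=True)
    restarted = download(FlakyLink(RangeServer(PAYLOAD), drop_after, failures),
                         len(PAYLOAD), EXPECTED_SHA256, resume=False)
    return {"resume": resumed, "restart": restarted}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

With two drops after roughly 3 KB each, the resuming client moves exactly the file's 10,000 bytes across the link, while the restarting client moves 14,096; over a slow or metered link that difference is the whole point of the feature.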
Because the TEM Client is quietly and persistently evaluating the managed end-node, it enables Administrators to group computers by very dynamic values such as the current location of a machine (IP or subnet address); network adapter type (Ethernet, dial-up, wireless); user group (AD or NT domain, or workgroup); as well as by any physical characteristics of the computer such as installed software, attached hardware, registry settings, BIOS information, WMI data, etc. Moreover, groups can be defined on the real-time state of the machine—logged-in user, applications or services running, currently available RAM, disk space, CPU utilization, etc.