Friday, September 28, 2007

Custom Checks - Integration with Big Fix for Remediation


BigFix ( is one of the many remediation software solutions available that can work with NAC for a better end user experience. BigFix can enforce that a client has the proper software, patches, and updates on a device. This sounds a bit like NAC, but the missing puzzle piece is how to enforce that bigfix is really on the connecting device and doing its job? This posting will talk about some of checks that may be created to enforce the presence and compliance of bigfix on a device connecting into the network.

***Please note that there are many ways of looking for installed/running software and it is best practice to check in two different manners(e.g. service and application check), but to keep this post more straightforward, I will only shows one of the checks.

Is BigFix Installed:

In order to properly assess if BigFix is installed, the following checks if the BESClient is actually there.

Check Category: File Check
Check Type: File Existence
Check Name: BigFix_Installed
File Path: SYSTEM_PROGRAMS\BigFix Enterprise\BES Client\BESClient.exe
Check Description: Check if BigFix is Installed
Operating System: Windows All

Figure 1 - Check if BigFix is Installed

Using a Link or File type requirement for this check will give administrators the ability to offer the BESClient to users that do not have it installed. This will ultimately save on help desk calls and bring the host into compliance automatically.

Is BigFix Running:

Next, it is good to check if BigFix is actually running. The following custom check looks if the BESClient service is running.

Check Category: Service Check
Check Type: Service Status
Check Name: BigFix_Running
Service Name: BESClient
Check Description: Check if BigFix is Running
Operating System: Windows All

Figure 2 - Check if BigFix is Running

If a user does not have the BESClient running, we can use a Launch Programs requirement type to launch the BESClient. Look back to the blog for a future post on Launch Program Requirements.

Is BigFix Compliant:

Finally, BigFix has the ability to create central policy about what is needed on an end host. If the host has the latest patches, updates, etc. then the BESClient actually reports itself as "Compliant". The following custom check looks if the BESClient is reporting itself compliant.

Check Category: Registry Check
Check Type: Registry Value
Check Name: BigFix_Compliant
Registry Key: HKLM\SOFTWARE\BigFix\EnterpriseClient\Settings\Client\_BESClient_BigNACresult\
Value Data Type: String
Operator: Equals
Value Data: Compliant
Check Description: Check if BigFix is Compliant
Operating System: Windows All

Figure 3 - Check if BigFix is Compliant
This shows how if you already have policy created on your remediation platform, NAC Appliance can leverage that information by enforcing compliance to the policy before entry to the network.


NAC Appliance may leverage the functionality of other vendors' Remediation solutions by using them to remediate non-complaint host. NAC, in some occasions, can even enforce policies or requirements of those solutions to hosts before the device is allowed on the network. This post should help administrators understand that the integration can be preformed and really will help leverage the existing investments made in remediation solutions.

No comments: