© 2017 IBM Corporation
AIX EE bundle
IBM Virtual Users Group
27 April 2017
Devaughn Rackham, Senior Managing Consultant, IBM STG Power Systems Lab, [email protected]
IBM BigFix Lifecycle
Siloed IT Operations and Security Teams
IT OPERATIONS
• Apply patches and fixes
• Implement security and operational policy
• Manual process takes weeks / months
IT SECURITY
• Scan for compliance status
• Create security policies
• Identify vulnerabilities
Disparate tools, manual processes, lack of integration and narrow visibility
Today’s reality: the impossible to-do list
• Discover and secure all existing and new assets on the network
• Deploy software applications & updates quickly
• Build automation to reduce manual labor
• Patch all servers, physical and virtual, including clustered servers
• Reduce admin overhead for deploying software and onboarding users
• Automate operating system deployment, migration and re-imaging
• Find a way to reduce costs while enforcing security policies
What BigFix Offers
The BigFix Unified Management Platform provides real-time visibility and
control through a single infrastructure, single agent and single console
IBM BigFix Lifecycle
• Entitlement with AIX Enterprise Edition:
  – IBM BigFix Platform
    • RHEL (Server x86-64 ver 6 FP3 or higher) / DB2 10.5 ESE
    • Windows (Windows 2008 64, Windows Server 2012) / SQL Server
  – AIX clients
  – Installed Windows console
  – Web Reports
• BigFix products included with AIX Enterprise Edition:
  – Patch Management
  – Systems Lifecycle
  – Software Distribution
  – Server Automation
Now included in AIX Enterprise Edition!
Discovery and patching
A single-console management system to identify, patch, and report on multiple devices and attributes
• Discover and report on every AIX endpoint
• Gain accurate, up-to-the-minute visibility and continuous enforcement of patches
• Manage patches to hundreds of thousands of endpoints, multiple operating systems and applications – automatically
• Clients report >98% first-pass patch success
“Protecting 50,000 PCs, servers and ATMs in 1,800 locations with one console” – SunTrust Banks
IBM BigFix Lifecycle – Key differentiators
• Continuous compliance
  – Intelligent agent evaluates the system to identify missing or corrupt patches
  – Automatically assesses the status once the patch is deployed
  – Distributes patches and software updates to endpoints around the globe
  – Enforces patch policies to achieve continuous compliance
• Visibility
  – Centralized reporting of all assets
  – Provides an automated, simplified patching process that is administered from a single console
• Scalability
  – Scale from 1 to 250,000 endpoints with a single server
Provide status on critical security patch installation
With more critical patches every week, how can I keep up?
• Increase first-pass success rates from 60-75% to 95-99+%
• Reduce patch and update times from weeks and days to hours and minutes
• Access real-time reporting
• Provide patches to distributed endpoints regardless of their location, connection type or status
• Deliver patches for Windows, UNIX, Linux and Mac OS and for applications from vendors including Adobe, Mozilla, Apple and Java
• Automated self-assessment, no centralized or remote scanning required
(Screenshot: Patch Overview dashboard)
Key Features – More content, make things faster, go broader
• Increased coverage of Microsoft product patches means your administrator can rely on one solution for all of their needs
• Patch content for multiple Linux distributions means you can do more with a single tool
• Native tools support ensures flexibility and reliability in patch deployment
• Ability to roll back patches means less manual effort for IT
• Deploy updates to existing alternate disk images for easy rollback
• Preview deployments of TL and SP fix packs to reduce patch errors during maintenance windows
• AIX Deployment wizard now supports NFS to minimize disk space requirements
• NFS support for Solaris patch bundles to minimize disk space requirements
• Patch cluster Fixlets for Solaris Live Upgrade to support cluster patching of the alternate boot environment
• Package install task for Solaris 11 for improved remote management, which reduces on-site support costs
• Increased coverage for 3rd-party application support
• Custom repository support for Java downloads helps secure a common area of vulnerability
Intelligent Agent: Pervasive Real-time Visibility
• Heterogeneous platform support (managed assets)
  – IBM AIX (6.1 – 7.2)
  – RHEL on Power – Big Endian (5.5 – 7)
  – RHEL on Power – Little Endian (7.1)
  – SUSE on Power – Big Endian (10, 11)
  – SUSE on Power – Little Endian (12)
  – Ubuntu on Power – Little Endian (16.04)
  – Windows NT SP6a/95/98/ME/2000/XP/2003/Vista/Windows 7/Windows 2008/Windows 8/Windows 10 (incl. x86, x64 and Itanium)
  – SUSE Linux (32 and 64-bit), SUSE Linux Enterprise Desktop
  – Red Hat Linux (32 and 64-bit)
  – CentOS x86 (32 and 64-bit)
  – Debian x86 (32 and 64-bit)
  – Solaris (incl. SPARC and x86)
  – IBM zLinux
  – HP-UX, Mac OS X, VMware ESX
  – Wyse thin clients
• Visibility into any IP-enabled device through network scanning enabled in any BigFix managed asset (unmanaged assets)
Product Architecture
BigFix Platform Elements
Single Intelligent Agent
• Continuous self-assessment
• Continuous policy enforcement
• Minimal system impact (<2% CPU)
Single Server & Console
• Highly secure, highly available
• Aggregates data, analyzes & reports
• Manages >250k endpoints
Powerful policy language (Fixlets)
• Thousands of out-of-the-box policies
• Best practices for ops and security
• Simple custom policy authoring
• Highly extensible / applicable across all platforms
Virtual Infrastructure
• Designate any BigFix agent a relay or scan point
• Built-in redundancy
• Leverage existing systems / shared infrastructure
An existing BigFix managed asset can become a relay in minutes
Our Closed Loop Speed is Our Advantage
(Diagram: closed loop of Publish → Evaluate → Enforce → Report)
Closed Loop Speed is Our Advantage
Challenge: Complete the policy enforcement loop
  Traditional client/server tools: Everything is controlled by the server, which is slow
  BigFix Platform: Distributed computing with an intelligent, universal agent
Challenge: Increase the accuracy and speed of your knowledge
  Traditional client/server tools: It can take days to accurately close the enforcement loop
  BigFix Platform: Policy enforcement is accomplished and proven in minutes instead of days
Challenge: Scalability cannot be attained without large infrastructure investments
  Traditional client/server tools: Administrators are still managing tools instead of being productive
  BigFix Platform: Distributed processing means scalability is unlimited
Challenge: Adjust system policies depending on environment, location
  Traditional client/server tools: Scan-based assessment, leading to stale data and a false sense of awareness
  BigFix Platform: Real-time situational awareness
(Diagram: Traditional Solutions loop – Report, Publish, Evaluate, Decide, Enforce – versus the BigFix loop – Publish, Evaluate, Enforce, Report)
BigFix: Content Based Delivery Model
(Diagram: BigFix Content Sites – Patch, Power, SCM, Anti-Malware, SW Dist., SW Asset Mgt., OS Prov., Other – delivered over the Internet)
Description and Benefits
• Applications are delivered via subscriptions to content (Fixlet) sites (e.g., “cable box” or “iTunes” model)
• Content flows to the BigFix server and through the infrastructure
• No on-premise reinstall
• Speed – distribution is automated
• Rapid, easy testing / POC
• Model is key to account expansion strategy / cross selling
IBM BigFix Platform
(Diagram: the single intelligent agent at the centre of the platform, with Real-Time Visibility, Scalability and Ease of Use as its properties)
Single intelligent agent
• Performs multiple functions
• Continuous self-assessment & policy enforcement
• Minimal system impact (< 2% CPU)
Lightweight, robust infrastructure
• Use existing systems as relays
• Built-in redundancy
• Support/secure roaming endpoints
Cloud-based content delivery
• Highly extensible
• Automatic, on-demand functionality
Single server and console
• Highly secure and scalable
• Aggregates data, analyzes & reports
• Pushes out pre-defined/custom policies
Flexible policy language (Fixlets)
• Thousands of out-of-the-box policies
• Best practices for operations and security
• Simple custom policy authoring
• Highly extensible/applicable across all platforms
BigFix Message Architecture
(Diagram: BES Server and BES Console in the primary data center; BigFix Fixlet Publishing Servers on the Internet; BES Relays in the DMZ and in a remote data center, each serving BES Clients)
• The BES Server retrieves Fixlets (policies) from the BigFix Fixlet Publishing Servers automatically.
• The BES Server notifies (UDP) its clients immediately of new Fixlet content.
• The notification propagates throughout the enterprise within minutes.
• BES Clients retrieve the Fixlets upon connection and at defined intervals.
• BES Clients continuously evaluate and enforce received policies.
BigFix Technology: The Fixlet
• Fixlets are a key part of the BigFix architecture
• Fixlets are a general-purpose way to encapsulate:
  – Issue identification – Relevance
  – Description of an issue – HTML for users
  – How to solve it – Action
• Examples
  – Fixlet to identify/fix a critical Interim Fix for an AIX Security Advisory
  – Fixlet to identify/fix a Java vulnerability
  – Fixlet to identify/fix an ssh vulnerability
  – Fixlet to identify/upgrade to a new TL level or SP
Fixlets
• Decomposing problems into Fixlets makes it easy to identify, report, fix and manage issues
• Fixlets are authored by BigFix or partners in Fixlet Sites
• BigFix and partners offer thousands of Fixlets in dozens of Fixlet sites for many different areas:
  – Patching, security configs, inventory, app deployment, AV management, …
• When BigFix publishes new Fixlets, they are distributed to all customers’ BigFix Servers within an hour
• Customers can easily create their own Fixlets
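As an added example (not IBM code and not part of the slides), the script below parses a Fixlet written in the BES XML layout and separates the three parts a Fixlet encapsulates: the relevance clauses that identify the issue, the HTML description shown to operators, and the action script that fixes it. The Fixlet it parses is constructed for illustration; the element names (BES/Fixlet/Title, Relevance, Description, SourceSeverity, DefaultAction/ActionScript) follow the BES XML export format, and the lint rules at the end are this example's own review checks for custom Fixlets, not BigFix behaviour.

```python
"""Parse a BigFix Fixlet in BES XML form and report its three parts:
relevance (issue identification), description (HTML for users) and the
action script (how to solve it).

Added example, not IBM code. The sample Fixlet is constructed; element
names follow the BES XML layout (BES/Fixlet/Title, Relevance, Description,
SourceSeverity, DefaultAction/ActionScript)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# Constructed sample Fixlet: targets AIX endpoints that run sshd and deploys a
# fileset update from an NFS-mounted fix directory (path is illustrative).
SAMPLE_FIXLET = """<?xml version="1.0" encoding="UTF-8"?>
<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BES.xsd">
  <Fixlet>
    <Title>Example: update openssh.base.server (constructed)</Title>
    <Description><![CDATA[<p>This endpoint runs <b>sshd</b> and needs the openssh fileset update.</p>]]></Description>
    <Relevance>name of operating system = "AIX"</Relevance>
    <Relevance>exists file "/usr/sbin/sshd"</Relevance>
    <Category>Security Advisory</Category>
    <SourceSeverity>Critical</SourceSeverity>
    <DefaultAction ID="Action1">
      <Description><PreLink>Click </PreLink><Link>here</Link><PostLink> to deploy the update.</PostLink></Description>
      <ActionScript MIMEType="application/x-Fixlet-Windows-Shell">
wait /usr/sbin/installp -agXYd /mnt/fixes openssh.base.server
      </ActionScript>
    </DefaultAction>
  </Fixlet>
</BES>
"""


@dataclass
class Fixlet:
    title: str
    relevance: List[str]      # every clause must hold on an endpoint for the Fixlet to apply
    description_html: str     # shown to the operator in the console
    severity: str
    action_script: str        # run by the agent when the action is deployed


def parse_fixlet(xml_text: str) -> Fixlet:
    """Return the parts of the first <Fixlet> in a BES XML document."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    node = root.find("Fixlet")
    if node is None:
        raise ValueError("document contains no <Fixlet> element")
    action = node.find("DefaultAction/ActionScript")
    return Fixlet(
        title=(node.findtext("Title") or "").strip(),
        # CDATA and plain text both arrive as .text; skip empty clauses
        relevance=[r.text.strip() for r in node.findall("Relevance") if r.text and r.text.strip()],
        description_html=(node.findtext("Description") or "").strip(),
        severity=(node.findtext("SourceSeverity") or "").strip(),
        action_script=(action.text or "").strip() if action is not None else "",
    )


def lint(fixlet: Fixlet) -> List[str]:
    """This example's own review checks before a custom Fixlet is published.

    An empty relevance list is flagged because nothing would narrow the set of
    endpoints the Fixlet applies to (assumption: treat that as a defect)."""
    problems = []
    if not fixlet.relevance:
        problems.append("no relevance clause: Fixlet would apply to every endpoint")
    if not fixlet.action_script:
        problems.append("no action script: nothing to enforce")
    if not fixlet.title:
        problems.append("missing title")
    return problems


if __name__ == "__main__":
    fx = parse_fixlet(SAMPLE_FIXLET)
    print(f"{fx.title} [{fx.severity}]")
    for clause in fx.relevance:
        print("  relevance:", clause)
    print("  action:", fx.action_script)
    print("  lint:", lint(fx) or "ok")
```

Relevance clauses combine with AND, so a custom Fixlet is reviewed clause by clause: each one should narrow the target set, and the action script should only ever run on endpoints where all of them held.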
Relevance Language
• Custom made for managing endpoints
• >100x faster than other solutions
(Figure: example comparing Relevance Language with WMI, showing >100x faster execution)
Other BigFix Vocabulary
• Analysis: A probe run on one or more systems to collect and summarize properties. Often a prerequisite for running certain fixlets, tasks, dashboards, or wizards.
• Task: Just like a fixlet, but not fix related (increase storage, reboot system, run inventory, etc.)
• Action: A script that runs on selected targets. Used to fix policy violations, run configuration steps, etc. Used by fixlets, tasks, and baselines.
• Baseline: A deployment container of fixlets and tasks. Used to apply a group of fixlets/tasks to one or more systems. Contents are applied in a predetermined sequence.
• Relay: Creates a tiered hierarchy for transmission of information between BigFix Clients and the BigFix Server
  – Allows BigFix to scale
  – Minimizes ports to be opened through a firewall
  – Minimizes bandwidth usage – can be set up to serve clients in a separate geographic location
  – Serves as an intermediate cache for clients
  – Uses minimal computer resources – minimal impact
  – Does NOT need to be a dedicated server (a NIM Master is often a good choice)
  – Can serve up to 1000 clients
IBM BigFix Patch – AIX Function
NIM Support
NIM configuration tasks:
• NIM Filesets Installation
  – Install master or client filesets
• NIM Master Configuration
  – Manual
  – EZNIM
  – Basic
• NIM Client Configuration
  – From NIM Master
  – From NIM Client
  – Initialize NIM Client (create /etc/niminfo)
AIX Deployment
Deploy fileset, package, or firmware updates
• AIX Filesets
  – Retrieve from URL
  – Local file
  – Local folder
  – NFS path (usually the best option)
AIX Interim Fix Deployment
• The AIX Interim Fix Management wizard provides a capability to install and remove interim fixes
AIX Advanced Deployment Wizard
• Support for Alt Disk features
  – Create a new alternate disk clone
  – Deploy Fix Pack or TL to the alternate disk clone
  – Update rootvg boot device
  – Remove alt disk volume groups
• Preview deployments of TL and SP fix packs
  – Validate the fix pack and determine whether a reboot is needed
• Rollback AIX patches
  – Ability to identify and report on filesets in an applied state based on the fix pack they are associated with
  – Reject groups of applied filesets that are associated with a TL / SP fix pack
  – Reject groups of applied filesets that were installed on or after a specified date
  – Reject individually specified fileset(s) selected by the BigFix user
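The three rollback selections above (by fix pack, by install date, by named fileset) all start from the same question: which fileset updates are still in the APPLIED state, and so can still be rejected rather than being committed? The script below, an added example rather than the wizard's code, works that out from the colon-delimited history that `lslpp -hc` prints and then applies each of the three selections. The listing is constructed, the header layout (`#Path:Fileset:Level:PTF Id:Action:Status:Date:Time`, dates as MM/DD/YY) is an assumption to check against a real endpoint, and the fix pack package list is a constructed stand-in for the fix pack's actual contents.

```python
"""Select AIX fileset updates still in the APPLIED state as rollback
candidates, by fix pack, by install date, or by fileset name.

Added example, not IBM code. The history below is constructed; the column
layout (a '#'-prefixed header line, Date as MM/DD/YY) is an assumption to be
checked against the endpoint's own `lslpp -hc` output."""
from datetime import date, datetime
from typing import Dict, List, Set, Tuple

# Constructed history. The last column (Time) contains colons itself, so a
# naive split on ':' yields too many fields; the parser caps the split at the
# header's column count.
SAMPLE_HISTORY = """\
#Path:Fileset:Level:PTF Id:Action:Status:Date:Time
/usr/lib/objrepos:bos.rte.install:7.2.0.0::COMMIT:COMPLETE:03/10/16:09:12:44
/usr/lib/objrepos:bos.rte.install:7.2.1.0::APPLY:COMPLETE:02/14/17:10:02:11
/usr/lib/objrepos:bos.rte.install:7.2.1.0::COMMIT:COMPLETE:02/14/17:10:05:30
/usr/lib/objrepos:bos.net.tcp.client:7.2.1.0::APPLY:COMPLETE:02/14/17:10:03:02
/usr/lib/objrepos:openssh.base.server:7.1.102.1500::APPLY:COMPLETE:04/03/17:14:20:05
/usr/lib/objrepos:openssl.base:1.0.2.1000::APPLY:COMPLETE:04/03/17:14:21:40
/usr/lib/objrepos:openssl.base:1.0.2.1000::REJECT:COMPLETE:04/04/17:08:00:00
"""

Key = Tuple[str, str]  # (fileset, level)


def parse_history(text: str) -> List[Dict[str, str]]:
    """Parse lslpp -hc style output into one dict per history record."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("#"):
        raise ValueError("expected a '#'-prefixed header line naming the columns")
    columns = lines[0][1:].split(":")
    records = []
    for ln in lines[1:]:
        fields = ln.split(":", len(columns) - 1)  # keep colons inside the last column
        if len(fields) != len(columns):
            raise ValueError(f"malformed record: {ln!r}")
        records.append(dict(zip(columns, fields)))
    return records


def applied_updates(records: List[Dict[str, str]]) -> Dict[Key, date]:
    """Map (fileset, level) -> install date for updates whose latest completed
    action is APPLY. A later COMMIT or REJECT takes the update off the list."""
    state: Dict[Key, Tuple[str, date]] = {}
    for rec in records:  # records are in chronological order
        if rec["Status"] != "COMPLETE":
            continue  # a failed action does not change the fileset's state
        key = (rec["Fileset"], rec["Level"])
        when = datetime.strptime(rec["Date"], "%m/%d/%y").date()
        state[key] = (rec["Action"], when)
    return {k: d for k, (action, d) in state.items() if action == "APPLY"}


def applied_since(records: List[Dict[str, str]], since_iso: str) -> List[Key]:
    """Applied updates installed on or after an ISO date (the wizard's date option)."""
    since = date.fromisoformat(since_iso)
    return sorted(k for k, d in applied_updates(records).items() if d >= since)


def applied_for_fixpack(records: List[Dict[str, str]], fixpack: Set[Key]) -> List[Key]:
    """Applied updates that belong to a TL/SP fix pack, given the pack's fileset levels."""
    return sorted(k for k in applied_updates(records) if k in fixpack)


def applied_named(records: List[Dict[str, str]], names: Set[str]) -> List[Key]:
    """Applied updates for individually selected filesets."""
    return sorted(k for k in applied_updates(records) if k[0] in names)


if __name__ == "__main__":
    recs = parse_history(SAMPLE_HISTORY)
    # Constructed stand-in for a fix pack's package list.
    fixpack_levels = {("bos.rte.install", "7.2.1.0"), ("bos.net.tcp.client", "7.2.1.0")}
    print("all applied:", sorted(applied_updates(recs)))
    print("since 2017-03-01:", applied_since(recs, "2017-03-01"))
    print("from fix pack:", applied_for_fixpack(recs, fixpack_levels))
    print("by name:", applied_named(recs, {"openssl.base"}))
```

The state is keyed by fileset and level, so an update that was applied and then committed (bos.rte.install 7.2.1.0 above) or applied and then rejected (openssl.base) drops out of the candidate list, and only updates still sitting in APPLIED are offered for rejection.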
AIX Advanced Deployment Wizard – Multibos
• Support for Multibos features
  – Create a new BOS
  – Deploy TL and SP to a standby BOS
  – Update Boot Logical Volume
  – Remove standby BOS
NEW
AIX Advanced Deployment Wizard – NFS
Support for NFS repository management:
• Register an existing endpoint as an NFS repository
• Download TLs and SPs to a registered NFS drive, to be used by BigFix
• Manage downloaded TLs and SPs
NEW
Reduce Costs & Improve Efficiency with Customizable Automation
• Simple UI to build, save and re-use Automation Plans for higher levels of automation
• Easily leverage thousands of “out of the box” fixlets, Tasks and Automation Plans to improve IT efficiency
• Other uses for Automation Plans: physical & virtual server builds, complex application deployment, re-purposing servers, advanced patching, cross-server sequences for vulnerability remediation
Sample Automation Plans
• Simple sequence of plan steps.
• Can include Baselines within an Automation Plan to handle more complex operations. Dynamic Baselines allow you to create a single Automation Plan, update the baselines within a site, and re-run the plan monthly.
• Default Actions included to simplify the amount of time it takes to create a plan
OOTB Automation Plans cover capabilities like:
• Patch operating systems in clusters
• Patch middleware in clusters
• Build physical servers (individual and hypervisors)
• Build virtual servers (VMware and AIX LPARs)
• Install complex applications (WAS, DB2, Oracle)
UI Features Simplify Automation Plan Tasks
• More elegant failure handling by running baselines instead of just simple fixlets & tasks.
• Simplified modification of Automation Plans – quickly insert or move ANY step.
• Create single or parallel paths within an automation plan to accelerate operations.
Email Notification
• For Automation Plans and for Deployment Tasks in the WebUI
Web Reports
• Easily create your own reports, or use/modify one of the 70+ default reports
• Use labels (think tags) to organize reports the way you want
• Set the visibility of reports to be public or private
• Schedule reports to be automatically executed and emailed on a recurring schedule
• Import/export reports
Web Reports – Example Reports
Web Reports – Scheduling a Report
IBM BigFix Lifecycle Enablement (AIX EE)
Implement enterprise patch management for AIX partitions
Service Overview:
Helps install, configure and exploit the capabilities of the IBM BigFix Lifecycle components of IBM AIX Enterprise Edition.
Features:
• Our consultants will assist your team to implement IBM BigFix Lifecycle in a proof of concept environment to demonstrate the benefits of the rich patch function.
• Features implemented include
  – Single console to identify, patch and report on AIX endpoints in your environment
  – Provides accurate, up-to-the-minute visibility and continuous enforcement of patches
  – Scales from a small environment to hundreds or thousands of AIX partitions
  – Provides a foundation on which BigFix can be upgraded to support other enterprise endpoints and other BigFix modules
• The deliverable is a BigFix engagement summary document outlining:
  – Brief overview of your environment
  – Summary of BigFix installation and configuration work performed
  – Next steps
Service Benefits:
• Helps improve overall operational efficiency by providing a single console to identify, patch and report on endpoints
Contact:
Devaughn Rackham, [email protected]
Security fix coverage and native tool support for Linux OS
• Broad patch coverage for Linux OS
  – Covers all security and critical fixes
  – RPM deployment wizard to facilitate deployment of RPM packages
• Flexibility and reliability in patch deployment by supporting native tools
  – Native tools such as Zypper for SUSE and Yum for Red Hat are used for resolving dependencies
  – Deployment wizards such as the RPM deployment wizard for Red Hat and CentOS to facilitate deployment of packages
  – Improved performance and reliability in installing security patches
• Bandwidth savings and improved patch deployment performance using custom repository management on SUSE and Red Hat
  – Leverage existing local repository mirrors for patch deployment
  – Eliminates dependency on the single subscription management tool server
  – Deploy custom software hosted in a local repository
New patch content, easy rollback and visibility in patch history
• New patch content
  – CentOS 5
  – CentOS 6
• Rollback of RHEL patches
  – Use the YUM transaction history dashboard to manage YUM transactions for RHEL patches
  – Supports rollback, undo and redo actions
• Patch history on RHEL
  – Ability to see the installed patches on each endpoint
  – YUM logs analysis retrieves the YUM transaction logs from RHEL endpoints
• Rollback of SLES patches
  – Use the Btrfs/Snapper Rollback dashboard to roll back patches in Btrfs with snapper management configurations
• Patch history on SUSE
  – Ability to see the installed RPM package list on each endpoint
  – Analysis retrieves the Zypper transaction logs from the SUSE endpoints
NEW
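As an added example (not the dashboard's or IBM's code), the script below rebuilds a RHEL endpoint's patch history from yum.log lines and derives the reverse steps a rollback to a point in time needs: every change at or after that point is undone newest first, and the downgrade target for an updated package is taken from the replayed history rather than guessed. The log lines are constructed; yum.log carries no year, so the caller supplies one (assumption), and the script does not attempt to group lines into yum transaction IDs.

```python
"""Rebuild an endpoint's patch history from yum.log lines and derive the
reverse steps a rollback to a point in time would need.

Added example, not IBM code. The log lines are constructed; the year is
supplied by the caller because yum.log lines carry none (assumption)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed yum.log excerpt: an initial install, a later security update
# run, a new package, and a package removal.
SAMPLE_YUM_LOG = """\
Jan 15 10:30:01 Installed: openssl-libs-1.0.1e-60.el7.x86_64
Jan 15 10:30:03 Installed: openssh-server-6.6.1p1-35.el7.x86_64
Jan 15 10:30:05 Installed: telnet-server-0.17-64.el7.x86_64
Apr 03 14:20:05 Updated: openssl-libs-1.0.2k-8.el7.x86_64
Apr 03 14:20:07 Updated: openssh-server-7.4p1-13.el7.x86_64
Apr 03 14:20:09 Installed: bind-utils-9.9.4-50.el7.x86_64
Apr 04 08:00:00 Erased: telnet-server-0.17-64.el7.x86_64
"""


@dataclass
class Change:
    when: datetime
    action: str     # Installed, Updated or Erased
    name: str
    version: str    # version-release
    arch: str


def split_nevra(nevra: str) -> Tuple[str, str, str]:
    """'openssl-libs-1.0.2k-8.el7.x86_64' -> ('openssl-libs', '1.0.2k-8.el7', 'x86_64').
    Package names may contain hyphens, so split from the right: the last two
    hyphens separate name, version and release; the last dot separates the arch."""
    rest, arch = nevra.rsplit(".", 1)
    name, version, release = rest.rsplit("-", 2)
    return name, f"{version}-{release}", arch


def parse_yum_log(text: str, year: int) -> List[Change]:
    """Parse 'Mon DD HH:MM:SS Action: nevra' lines in chronological order."""
    changes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, rest = line[:15], line[16:]          # timestamp is fixed width
        action, nevra = rest.split(": ", 1)
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        name, version, arch = split_nevra(nevra)
        changes.append(Change(when, action, name, version, arch))
    return changes


def installed_packages(changes: List[Change]) -> Dict[str, str]:
    """Replay the log to get the current 'name.arch' -> version map."""
    state: Dict[str, str] = {}
    for c in changes:
        key = f"{c.name}.{c.arch}"
        if c.action in ("Installed", "Updated"):
            state[key] = c.version
        elif c.action == "Erased":
            state.pop(key, None)
    return state


def rollback_plan(changes: List[Change], since_iso: str) -> List[str]:
    """Steps that return the endpoint to its state just before `since_iso`
    (ISO 'YYYY-MM-DDTHH:MM:SS'). The log is replayed forward so that each
    Updated entry knows the version it replaced; the steps are then reversed
    so the newest change is undone first."""
    cut = datetime.fromisoformat(since_iso)
    state: Dict[str, str] = {}
    steps = []
    for c in changes:
        key = f"{c.name}.{c.arch}"
        prev = state.get(key)
        if c.action in ("Installed", "Updated"):
            state[key] = c.version
        elif c.action == "Erased":
            state.pop(key, None)
        if c.when < cut:
            continue
        if c.action == "Installed":
            steps.append(f"erase {key}")
        elif c.action == "Updated":
            steps.append(f"downgrade {key} to {prev or 'unknown (not in log)'}")
        elif c.action == "Erased":
            steps.append(f"reinstall {key} {c.version}")
    steps.reverse()
    return steps


if __name__ == "__main__":
    history = parse_yum_log(SAMPLE_YUM_LOG, 2017)
    print("installed now:", installed_packages(history))
    for step in rollback_plan(history, "2017-04-03T00:00:00"):
        print("rollback step:", step)
```

A rollback differs from a single undo in exactly this way: undo reverses one transaction, while rollback reverses every change after the chosen point, in reverse order, so later removals are reinstalled before earlier updates are downgraded.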