Agent-Based Architecture | Vulnerability Management

With agents, it is necessary to install software on every host to be evaluated, with the exception of some agents capable of performing network-based audits of adjacent systems. In some cases, vendors will charge a higher price for server agents versus desktop agents. There is no significant functional difference in the two that merits this pricing model but rather a matter of sales volume and cost recovery. Some VM architecture strategies will deploy agents solely on servers in order to minimize the impact on the network connections with the assumption that the agent itself will not impact other software. Vendors often recognize this and pricing is understandably higher.

The use of agents can become more complex when virtual machines are used. The agent can be installed on several guest OSs, yet they are deployed on a single physical server. The impact on the hardware is multiplied. One should seek some guidance from the vendor on how significantly the agent can impact the CPU and memory resources of a virtual machine and the underlying host OS and hardware. It is also likely that the vendor will charge for each OS and not per CPU core.

Since agents have to be deployed and maintained on every host under assessment, the solution is less prone to network limitations and more a problem of operating the software on every host. It can complicate installation and deployment but virtually eliminate the cost of shipping. Organizations with a large, mobile sales force will benefit greatly from an agent-based system, since the WAN connection speed is unpredictable and the frequency of presence in the local office seldom.

Architecture | Vulnerability Management

The architecture of a VM system is an important part of its ability to work in your corporate physical structure. It also will probably be the largest factor affecting the cost of the system. Considerations such as geography, office size, network equipment, security architecture, WAN bandwidth, and government regulations will impact greatly your decision regarding vendors, type of product, and cost.

The last item, cost, is our starting point for making a decision on vendors. Begin with a survey of the VM market, pricing, and products. Determine what the approximate cost per active IP address would be to your organization. An estimate of the number of IP addresses would be sufficient if you can stay within 10 percent. Multiply the average price per IP in the market by the number of IP addresses in your organization, and then add 20 percent for annual maintenance. Then, add 10 percent for shipping and customs if you have foreign offices, and another 10 percent for consulting services if you have more than 15,000 IPs. For example, 20,000 IPs × $8 per IP = $160,000; then add 10 percent for shipping and 10 percent for consulting = $32,000. Total fixed costs: $192,000. Then, calculate the recurring cost of maintenance: $32,000 annual maintenance (160,000 × .20). Total cost of the system for the first year is $224,000.

This is only a cost estimate and will be impacted significantly by the previously mentioned architectural factors. In an active scanning system, physical scanners must be purchased and installed in good vantage points in the network. In an extreme example, if your environment has 100 offices with the only good scanning point being in each office, that is, no strong WAN links, then you will end up purchasing up to 100 devices. These devices can be expensive, depending on the product. There are sometimes less expensive solutions, including a virtual machine version of the product or the use of host agents with no per-instance charge. However, there will be some hardware costs for the buyer who supplies his or her own. It may be more cost-effective if CPU cycles are available in a virtual machine.

 Passive Architecture

Passive scanners that observe network traffic may even be more subject to this limitation since the traffic on each inspected network switch must be copied to the device. For large but complex central offices, a passive scanner is a very workable solution where connections are typically very fast and can withstand the loads that can be imposed by the remote switched port analyzer (RSPAN) function. For organizations that have several large offices with ample WAN bandwidth, active scanners can be an excellent solution. Since bandwidth is becoming less expensive and more abundant in remote areas of the world, careful planning and scheduling of audits can allow scanning to be more cost-effective with fewer scanners and lower shipping and customs costs.

Centralizing the VM function as much as possible can result in considerable savings.