Agents Advantages and Disadvantages



A significant advantage of this agent approach is the scalability gained from its distributed nature. Since the number of agents deployed is only limited by the number of compatible hosts and licensing costs, it is theoretically possible to perform an audit of every machine without generating any network activity except to configure the agent and report results. Although the audit is not performed over the network, the communication between the agent and the server is not always minimal. Depending on the complexity of the host and vulnerabilities, considerable reporting traffic can be generated. Nevertheless, the scan does not take place over a network link.
Some obvious advantages are that there need be little concern for deploying additional hardware, and there is less concern that sufficient bandwidth and scanner resources are available.
Agents are encumbered, however, by a few basic problems:
  • They may conflict with other applications running on the target. This is a common problem for all software running on complex computer systems today. Testing is the only solution.
  • They may not have sufficient privileges in local security policy to audit every configuration item.
  • They may have errors that cause them to terminate, and notification of the failure may not reach the management server for some time, during which an audit window could be missed.
  • Agents may not be available for the OS maker and version in use. Almost everyone makes an agent for Microsoft Windows®, but far fewer will support Linux®, FreeBSD®, or Solaris.
  • Embedded systems such as cash registers and other point-of-sale devices are tightly built and leave no accommodation for agents. Yet, payment card industry (PCI) security standards require file integrity monitoring on these systems.
  • Given the limited size, space, and performance of an agent, it will not likely have the ability to cover the thousands of possible vulnerabilities.
  • On virtual machines, there can be many agents running simultaneously, which can adversely impact the performance of the underlying hardware and host OS.
  • The agent itself can become a target of an attacker as a result of a vulnerability. Since agents typically listen on the network for instructions from a server, an opening is available for exploitation.
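
The delayed failure notification described in the list above can be narrowed with a staleness check on the management server that compares each agent's last check-in against its scheduled audit windows. This is an added example, not part of the original text; the check-in interval, tolerance, warning horizon, host names and timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta

HEARTBEAT = timedelta(minutes=15)  # assumed agent check-in interval
MISSED_BEATS = 3                   # assumed missed check-ins before an agent counts as silent
LEAD = timedelta(hours=24)         # assumed warning horizon for upcoming audit windows

def classify_agents(last_seen, audit_windows, now):
    """Map each host to 'ok', 'silent', 'window_at_risk' or 'window_missed'."""
    rank = {"silent": 0, "window_at_risk": 1, "window_missed": 2}
    result = {}
    for host, windows in audit_windows.items():
        seen = last_seen.get(host)  # None means the agent never checked in
        if seen is not None and now - seen <= HEARTBEAT * MISSED_BEATS:
            result[host] = "ok"
            continue
        status = "silent"
        for start, end in windows:
            if seen is not None and seen >= start:
                continue  # simplification: a check-in after the window opened counts as reported
            if end <= now:
                found = "window_missed"   # window closed without any check-in
            elif start <= now + LEAD:
                found = "window_at_risk"  # window open or imminent while the agent is silent
            else:
                continue                  # window too far away to alert on yet
            if rank[found] > rank[status]:
                status = found
        result[host] = status
    return result

def demo():
    """Run the check over constructed sample data (hypothetical hosts and times)."""
    now = datetime(2024, 5, 1, 12, 0)
    nightly = [(datetime(2024, 5, d, 2, 0), datetime(2024, 5, d, 4, 0)) for d in (1, 2)]
    weekly = [(datetime(2024, 5, 8, 2, 0), datetime(2024, 5, 8, 4, 0))]
    audit_windows = {"web01": nightly, "db01": nightly, "pos07": nightly,
                     "app02": weekly, "kiosk03": nightly}
    last_seen = {"web01": datetime(2024, 5, 1, 11, 50),
                 "db01": datetime(2024, 4, 30, 23, 0),
                 "pos07": datetime(2024, 5, 1, 5, 0),
                 "app02": datetime(2024, 5, 1, 10, 0)}  # kiosk03 never reported
    return classify_agents(last_seen, audit_windows, now)

if __name__ == "__main__":
    for host, status in demo().items():
        print(f"{host}: {status}")
```
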
The vulnerability audit agent has many advantages over other methods:
  • It sees all vulnerabilities, some of which are not available over the network unless the scan is authenticated.
  • The agent can run even when the system is not connected to a network.
  • It does not actively engage with the software installed on the system to find a vulnerability, thus minimizing the chance of disrupting operations.
  • Since it does not operate over the network, it will not draw the attention of a network intrusion prevention system (IPS), nor will it create excessive network traffic. In fact, the total traffic load is likely far less than typical Web surfing activity.
  • As locally running software, it can extend functionality into more active end point security functions.
