A significant advantage of this agent approach is the scalability gained from its distributed nature. Since the number of agents deployed is only limited by the number of compatible hosts and licensing costs, it is theoretically possible to perform an audit of every machine without generating any network activity except to configure the agent and report results. Although the audit is not performed over the network, the communication between the agent and the server is not always minimal. Depending on the complexity of the host and vulnerabilities, considerable reporting traffic can be generated. Nevertheless, the scan does not take place over a network link.
Some obvious advantages are that there need be little concern for deploying additional hardware, and there is less concern that sufficient bandwidth and scanner resources are available.
Agents are encumbered, however, by a few basic problems:
• They may conflict with other applications running on the target. This is a common problem for all software running on complex computer systems today. Testing is the only solution.
• They may not have sufficient privileges in local security policy to audit every configuration item.
• They may have errors that cause them to terminate, and notification of failure may not reach the management server for some time, during which an audit window could be missed.
• Agents may not be available for the OS maker and version in use. Almost everyone makes an agent for Microsoft Windows®, but far fewer will support Linux®, FreeBSD®, or Solaris™.
• Embedded systems such as cash registers and other point-of-sale devices are tightly built and leave no accommodation for agents. Yet, payment card industry (PCI) security standards require file integrity monitoring on these systems.
• Given the limited size, space, and performance of an agent, it will not likely have the ability to cover the thousands of possible vulnerabilities.
• On virtual machines, there can be many agents running simultaneously, which can adversely impact the performance of the underlying hardware and host OS.
• The agent itself can become a target of an attacker as a result of a vulnerability. Since agents typically listen on the network for instructions from a server, an opening is available for exploitation.
The vulnerability audit agent has many advantages over other methods:
• It sees all vulnerabilities, some of which are not available over the network unless the scan is authenticated.
• The agent can run even when the system is not connected to a network.
• It does not actively engage with the software installed on the system to find a vulnerability, thus minimizing the chance of disrupting operations.
• Since it does not operate over the network, it will not draw the attention of a network intrusion prevention system (IPS), nor will it create excessive network traffic. In fact, the total traffic load is likely far less than typical Web surfing activity.
• As locally running software, it can extend functionality into more active end point security functions.
Agents have a far more integrated view into the inner workings of a host. They are placed in a position to be aware of any changes to the system as soon as they occur. Although implementation does not always take this approach, doing so brings it much closer to sharing capabilities with end point security agents.
File checksums, the contents of registry entries, and configuration files are analyzed for vulnerabilities. Since the type of host is well-known to the agent, the specific set of necessary vulnerability checks are known in advance. Since the agent typically runs as a system process, it has access to all of the files and even memory space necessary to make an accurate assessment the instant a change takes place. Only updates need be sent to the agent from a central server to continue accurate detection. Network scanning methods may require more time to detect the changes since they do not typically scan a single host constantly.
Some agents also possess the ability to perform some network-based active scanning checks against other targets in the network. Most configuration plans allow only for scanning of adjacent systems on the same physical network.