June 2010
Agent-less versus Agent-based: the debate continues
Systems, infrastructure and IT asset management affect the whole organisation. It is not uncommon for organisations to have a multitude of management tools, each used by a subset of the organisation, often with an overlap in functionality providing distinctly separate views of the same assets. These systems may be agent-less or agent-based depending upon the purpose and functionality of the software. Balancing the two technologies, using each where it fits best, overcomes this fragmentation.
To understand the debate further, there are three main capabilities that any chosen software needs to provide, whether it is an IT asset management, security or configuration management system:
- Discovery - identification of devices or assets
- Inventory - capture more detailed information on assets
- Management - software delivery, patch and configuration management
Discovery
All types of devices on a corporate network need to be identified, from switches, routers and firewalls to PCs, servers and mobile devices. It is here that agent-less systems are the only possible option. An agent-less system will need to use multiple protocols, for example SNMP, ICMP and NetBIOS, and no authentication to the device is required other than the SNMP community string.
Performing a discovery using agent-less technology requires, firstly, that the device is switched on and, secondly, that any local firewall is configured to allow the discovery traffic. With staff holidays, home working, sickness and inter-company working it is not uncommon for less than 60 per cent of an organisation's devices to be switched on on any given day.
Configuring local firewalls in a heterogeneous environment with multiple domains and workgroups can be extremely difficult and requires specialist skills. However, if an agent is used to perform the inventory it can be deployed by other methods meaning that discovery of the asset is not necessary.
Taking feeds from other databases, such as DNS and DHCP servers, also helps identify assets that have recently been connected to the network without the need to perform a discovery. Deploying an agent-based system via other means also reduces the chance of the device not being discovered the next time it is connected to the network.
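One way to use those DNS and DHCP feeds, as an added example that is not from the original article: reconcile a dhcpd.leases excerpt and a few zone-file A records against the addresses that answered an agent-less sweep, and list the assets the sweep never saw. All sample data below is constructed; the feed formats are assumed to be ISC dhcpd leases and a minimal BIND-style zone.

```python
import re
# Constructed sample feeds (not from the article): a dhcpd.leases excerpt,
# zone-file A records and the IPs that answered today's agent-less sweep.
DHCP_LEASES = """
lease 10.1.2.33 {
  binding state active;
  client-hostname "LAPTOP-42";
}
lease 10.1.2.40 {
  binding state free;
  client-hostname "SALES-PC-03";
}
"""
DNS_ZONE = """
fileserver01  IN  A  10.1.2.10
vpn-gw        IN  A  10.1.2.1
laptop-42     IN  A  10.1.2.33
"""
DISCOVERED = {"10.1.2.1", "10.1.2.10"}
LEASE_RE = re.compile(r"lease (\S+) \{(.*?)\}", re.S)

def parse_leases(text):
    """Map lease IP -> (hostname, binding state) from dhcpd.leases text."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        state = re.search(r"binding state (\w+)", body)
        host = re.search(r'client-hostname "([^"]*)"', body)
        leases[ip] = (host.group(1) if host else "",
                      state.group(1) if state else "unknown")
    return leases

def parse_zone(text):
    """Map A-record IP -> hostname from a minimal zone-file excerpt."""
    recs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1:3] == ["IN", "A"]:
            recs[parts[3]] = parts[0]
    return recs

def undiscovered_assets(leases_text, zone_text, discovered):
    """Assets DHCP or DNS knows but the sweep never saw: agent deployment targets."""
    known = {}
    for ip, (host, state) in parse_leases(leases_text).items():
        known.setdefault(ip, {"host": host, "sources": []})["sources"].append("dhcp:" + state)
    for ip, host in parse_zone(zone_text).items():
        entry = known.setdefault(ip, {"host": host, "sources": []})
        entry["host"] = entry["host"] or host
        entry["sources"].append("dns")
    return {ip: v for ip, v in known.items() if ip not in discovered}
```

The free lease is kept with its state recorded, so a recently released address still shows up as an asset to chase rather than silently dropping out.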
Agent-less discovery can cause network problems on Class A subnets due to the proliferation of ARP traffic. Where an organisation has Class A subnets, an agent-based system may be the only option.
Using agent-less discovery across firewalls, for example into a DMZ or over a site-to-site VPN, requires firewall ports to be opened to allow the discovery traffic through. This can often be an issue from a security perspective. However, with an agent-based system the agent can be deployed manually in secure areas and configured to upload over already-allowed ports, avoiding the need for additional firewall openings.
Inventory
Once a device has been identified a full inventory of the device may be required. The inventory data captured will be different dependent upon the type of device, for example, a switch, PC or printer.
Most organisations go through periods of change: mergers and acquisitions, centralisation and decentralisation. These circumstances often increase the level of complexity within an organisation, and it is not uncommon for organisations to have more than 10 Active Directory domains or forests, multiple local administrator passwords, SNMP community strings and workgroups. This makes performing an inventory problematic.
Agent-based systems can easily be deployed via other means, such as login scripts, group policy objects and imaging techniques. Once the agent is deployed to the target system it does not matter if the authentication changes or the local firewall is enabled as the agent will continue to report back its inventory regardless.
With an agent-less system the inventory is run from the server side. This means that the device will need to be connected to the network when the server carries out the scan, and it may therefore be missed if it is not connected at the time of the scan. With an agent-based system the agent does all the work. The agent can usually be configured to perform an inventory on boot or at regular scheduled intervals, which reduces the need for constant network scans. An agent-based system guarantees that an inventory will have been performed if the device has been attached to the corporate network, something that cannot be achieved using an agent-less system.
Agent-based systems in many cases can also be configured to upload an inventory over the internet or via VPN ensuring that devices can be tracked whether or not they are connected to the corporate network. With an agent-less system, performing an inventory on devices not connected to the corporate network, such as home workers, is almost impossible.
There is a current trend for Software as a Service (SaaS) solutions. An IT asset management or systems management system can only be provided via SaaS using agent-based technologies.
Many organisations have computers that are never connected to the corporate network. It is still necessary to perform an inventory of these assets, and that is not possible with an agent-less solution.
Management
Once a network device has been identified and an inventory of the device has been obtained, it may be necessary to perform different management activities such as software delivery, patch management and remote control.
Patch management is necessary from a security perspective, and software delivery and remote control reduce the need for desk-side visits. Management of devices is one of the main reasons for purchasing this type of software, as the business case and ROI are straightforward. Software delivery and patch management are incredibly hard to achieve without a deployed agent.