AGENT OR AGENTLESS?

WHAT ARE THE APPROACHES, ADVANTAGES AND CHALLENGES OF DEPLOYING TECHNOLOGIES THAT USE AGENTS VERSUS AGENTLESS ONES?

SU KENT RAJPAL SINGH 1E

SEPTEMBER 2011

ABSTRACT: We discuss the issues around deploying either agent-based or agentless technologies for successful IT operations. Companies need to understand the values of both and the operational ability of each approach. The decision reached is usually dependent on the data that needs to be collected, how often it is collected and what you want to do with the data. Purchasing decisions need to be determined by your data needs and the way your network is architected.

All rights reserved. No part of this document shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without permission from 1E. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this document, 1E and the author s assume no responsibility for errors or omissions. Neither is liability assumed for damages resulting from the information contained herein. The 1E name is a registered trademark of 1E in the UK, US and EC. The 1E logo is a registered trademark of 1E in the UK, EC and under the Madr id protocol. NightWatchman is a registered trademark in the US and EU.

Contents
Introduction .............................................................................................................................................................. 3 Why you want an agent working for you.................................................................................................................... 3 Why does running an agent lend itself to power management? ......................................................................... 3 Avoiding dependence on the network connection .............................................................................................. 3 Centralized security model ................................................................................................................................. 4 Minimize network hassle ................................................................................................................................... 4 High scalability ................................................................................................................................................... 5 Precision............................................................................................................................................................ 5 Actions are taken almost immediately................................................................................................................ 5 How to avoid common issues when deploying agents ........................................................................................ 5 Platform specific agents are required ................................................................................................................. 5 Human intervention and objections ................................................................................................................... 6 Myth busting ............................................................................................................................................................. 6 Agents usually place additional load on the network .......................................................................................... 6 Interference with the operating system and applications ................................................................................... 6 Opening up the machines to security vulnerabilities ........................................................................................... 6 Summary................................................................................................................................................................... 7 Telescope or spy? .............................................................................................................................................. 7 References ................................................................................................................................................................ 7

1E 2011 2

Introduction
1E efficient IT solutions, specifically NightWatchman Enterprise and NightWatchman Server Edition, require IT departments to install a software agent (which resides on a workstation or server) and collects data based on a centrally set policy. Agents collect, aggregate and process local data and only communicate changes when necessary. Many other software solutions on the market adopt an agentless approach, relying instead on a central service that interrogates systems remotely to retrieve data, without having a locally installed agent on each client. We look at the pros and cons of each approach and debunk the myths around installing agents. According to Gartner there is already a consensus that neither approach to monitoring is absolutely superior. Each has its strengths in different contexts.

An agent is like a spy in the ranks, giving you a lot more information than you would get from just looking through a telescope (agentless)
Why you want an agent working for you
Why does running an agent lend itself to power management?
An agent running on the system is capable of local data collection, correlation and processing. Taking PC power management as an example, the agent can make better decisions based on activity that happens locally, for example whether the user is active before prompting to power off the system. An agent running on the machine can query the operating system to check when the user last used the machine and whether he is logged on locally or remotely in order to defer or force the low power state. With multiple users logged on, each users documents can be saved before logging off. In summary, user productivity is not disrupted. Using an agent for a server power management solution is the only way to identify whether useful work is being carried out on a server. This is the only way to accurately determine if a server is being used, enabling you to easily discover and decommission the 15% of servers doing no useful work. With agentless technology, there is reliance on remote methods to find interactive user sessions which have a dependency on specific remote accessible APIs that cannot return whether the sessions are really active i.e. user logged on and working. There is also no solution for true useful work detection with an agentless approach as this data is not exposed remotely.

Avoiding dependence on the network connection

Agentless solutions are entirely dependent on network connectivity to obtain any information from clients.. For example, if there is a network problem it may make the assumption that a workstation is in a low power state when

1E 2011 3

it is not. Conversely, without the ability to probe the system for more data, an agentless approach could potentially power down a machine when a user is using it. An agent has a degree of IT autonomy and can cache data and execute actions based on an existing policy even if the management server or its connection fails. It can send the data back to the management server when communication is restored.

Centralized security model

The agentless scenario inherently needs higher access rights. The server has to query the client which means that the local security policy on each machine has to be set up to enable access to the central account that can connect to the machine. An account that has access to local administrator privileges on every machine is required. This account will have almost every right that a domain administrator has and therefore if compromised would allow access to a large proportion of the IT assets of an organization. An agent requires administrative rights only on the machine it is installed on. Authentication and authorization rules are only setup at the server end for policy and reporting. Neither account has access to any more than it absolutely needs.

Minimize network hassle

In an agent-based scenario policies are retrieved and state is reported via outbound HTTP or SSL. Here the agent is sending data to the central server and, as it is the initiator, is inherently trusted. As HTTP is stateless and ubiquitous, network devices and edge firewalls do not have to be configured to allow traffic. A route back to the server is all that is needed which means reliance on the existing DNS/ DHCP/ proxy infrastructure. Since the agents only need to be aware of the server, they can be configured and can report over the internet. An agent on a subnet is responsible for waking its neighbors which means that magic packets are sent via local broadcast. With an agentless solution, there is reliance on incoming connections and the administrator has to set up security on each machine and allow inbound connections. In most cases, the server would be probing a Microsoft Windows machine using WMI (Windows Management Instrumentation) that relies on DCOM (Distributed COM) and RPC, the Service Control Manager, the event log, Perfmon, ADSI, etc. This requires Kerberos authentication and enabling inbound firewall connections. ICMP would be used to query the state of the machine and hence the ICMP firewall rules would need to be modified. SNMP would be used for network devices centralized management of SNMP devices has its own issues. Advances in networking technologies, particularly fault tolerant, dynamic (policy-based) routing make prediction of end-to-end path availability and characteristics exceedingly difficult. This is exacerbated when only a limited part of the network is visible for example, across WAN links or within tunneling protocols. In an agentless environment where the server connects to agents from a central point and in environments where a limited part of the network is visible centrally, you may require the setup of multiple servers which then introduces another challenge of managing roaming machines. Configuration or reporting over the internet is impossible. Routers have to be enabled for subnet directed broadcast which is the only way agentless wakeups can work.

1E 2011 4

High scalability
Agentless solutions have to ping/ investigate/ poll data from a large number of monitored systems, so there is a natural limit (number of metrics per number of systems at a given polling interval) a server can process. This also adds additional strain to the network. An agent-based approach to management is very scalable. Events are sent asynchronously after local processing and the agent can take decisions to enhance scalability such as only sending up data when it changes, sending differences, randomized time of sending or batching data based on server load all which enable scalability through less server resources. Using stateless configuration and reporting over HTTP allows load balancing the server environment. Numerous architectural patterns exist for scaling HTTP and HTTPs environments and making them highly available.

Precision
Agentless generally means polling. As the polling frequency is increased you get a better understanding of what is happening on the network. An agent doesnt need to poll at all. It simply subscribes to operating system notifications and is informed of any state changes. Reporting can be initialized even before the machine has been allocated an IP address and can be accurate to the millisecond. The state of the machine can be validated through querying multiple data sources before a report is generated. An agent can collect and process data locally and generate a behavior model to make certain intelligent decisions such as powering the machine down when a user has not logged on or if the machine has not been used for a while. The agent can also probe the operating system to model the behavior of the systems idle timers and use intelligent logic to force the machine to sleep saving even more power.

Actions are taken almost immediately

Simple actions such as reporting IP address or subnet changes for wakeups or complex decisions on automatically fixing a failed computer health test can only be done immediately through operating system notification. The agent can ask the operating system to inform it of state changes for example, of the network address, so that the server database can be kept up to date. In an agentless scenario, DNS querying or actively scanning the system would need to be depended upon. By the time a user executes an action from the server, the data could be stale.

How to avoid common issues when deploying agents

Most organizations already have a systems management solution which can be used to install agents. Systems Management best practice can avoid anticipated expenses sometimes attributed to agents, such as the cost of deploying them. In a server environment simple tools can be employed to address the one time installation of a server based power management agent.

Platform specific agents are required

An agent is required for each targeted set of platforms, for example, Windows 32-bit/64-bit, Linux, Unix, Macs. 1E 2011 5

An agentless solution has its own equivalent though, for instance having to support multiple protocols and methods of remote querying, for example, WMI or SNMP.

Human intervention and objections

In general there are more human objections against deploying agents and these complications can be more political than operational. Some IT administrators see a risk in adding an agent which could potentially impact their current service. However risks are managed by following operational best practice of thoroughly testing agents before deploying them. Agentless methods are not immune to impacting performance or availability of systems since a poorly written or buggy remote script still has the capability to damage IT services.

Myth busting
Agents usually place additional load on the network
Agents can employ intelligent data caching and spooling to send up less data than an agentless solution would. The agent can send up data when the status changes or differences only. Reports are batched up and sent up at random intervals, which means that the load on the network is minimized. Agentless servers create data requests centrally to remotes devices, which then reply with data. This bi-directional chatter will generally consume far more network bandwidth.

Interference with the operating system and applications

A low level agent running in the background listening to operating system events has less of an effect on a machine than executing a remote query. Posting data back to the server using HTTP is very cheap. Low resource consumption is claimed for agentless environments which is not strictly true as the server is using technology (WMI, SNMP) on the machine to execute similar queries which causes resource utilization. An advantage of having an agent in this case is that queries can be targeted to the native operating system API and hence can result in less overall resources utilization.

Opening up the machines to security vulnerabilities

A carefully developed agent that considers security in its design (NightWatchman is Common Criteria certified) presents no additional attack surface. Proprietary agent communications are encrypted and use configurable ports, making them far more secure with less effort Most agentless protocols have no additional security, relying on the security of the underlying remote connectivity protocols. However, requiring an account with administrative privileges across all machines is a much bigger security issue.

1E 2011 6

Summary
Telescope or spy?
So what does agentless really mean? Agentless generally means that you will not have to install a software agent to perform any power monitoring. While this might be technically true for a moment, agentless is really a misnomer. Agentless implies that since there is no software to install, it is therefore easier to deploy, manage and maintain. In most cases, the supposed agentless solution simply uses the agents that come with another vendor's product instead, such as: Windows WMI or SNMP Service. The Windows SNMP service is not fully configured or enabled by default in Windows XP and above; you have to manually configure it which is not easy to do. Configuring security for WMI namespaces and enabling DCOM remote access is not trivial either. Although you don't have to install an agent, you may have to spend an almost equal amount of time configuring the built in one. Agent-based technologies are like having a spy in the ranks giving you a lot more information than you would get from just looking through a telescope (agentless). With an agent-based approach you get greater command and control capabilities, more granular information gathering and much less impact on the network. There are the additional benefits in real-time reporting (detecting which workstations are no longer in use or servers that are not being useful) which brings the sought for benefits of Power Management (by powering them down).

References
Further Reading: How to Choose between Agent-based and Agentless Monitoring, Gartner Research, by David Williams 12 July 2010

1E 2011 7