Many server and IT systems monitoring solutions require that you install “agents” on the machines that are being monitored. This blog post explains why, in today’s security environment, agents introduce unacceptable risks. FrameFlow avoids these risks with our 100% agentless monitoring approach, which means that you never need to install anything on the systems being monitored. We chose this model because agents are problematic in many ways. They circumvent network security, present management problems at upgrade time and can interfere with the operation of the systems they are designed to monitor.
We often get questions about how FrameFlow Server Monitor works compared to other products in the same market. The primary difference is our agentless monitoring engine, whereas other products tend to rely on agents. Many vendors will try to coach you, telling you that agents are a necessary item for server monitoring.
We strongly disagree. This post gives four good reasons why agents are a bad thing, and explains how FrameFlow Server Monitor’s agentless monitoring engine avoids many of these pitfalls.
Many network and server monitoring solutions use what are called “agents” to get values from the machines they are monitoring. Agents are programs that run on the remote machines and communicate with the main monitoring system. Some vendors try to hide the fact that they use agents. They’ll say that they “deploy” to remote systems, or use other terminology, but it all boils down to installing custom software on the remote machines.
The agent software runs on the remote machine and therefore affects its operation. In many IT environments, especially governments and larger corporations, you simply cannot install agent-based software on critical machines without going through an arduous evaluation and approval process. Even if you have complete control over your machines, before installing agents you need to verify that they don’t conflict with other applications running on the system, use excessive memory, overly tax your CPU, generate port conflicts, etc.
Installing agents on remote machines has the potential to open these machines up to security vulnerabilities. The agent is running on each remote machine and needs to do things like: read security logs, check files on disk, monitor processes, etc. The agent needs administrative privileges for many of its operations. Unless the agent software has been very carefully developed and is using high-grade security technology, there are serious security questions that need to be answered and may need to be addressed.
Agents are difficult to maintain. As the monitoring solution is updated, the agents will need to be periodically updated as well. Some vendors will downplay the difficulty of keeping your agents up to date. If you have a large number of systems, some of them might not be available when it’s time to upgrade… and then they’re running outdated versions. Agents might be hiding on VM images that were down when the upgrade was done, and only come to life days or weeks later. Over the course of a few updates, you can end up with a mess of different agent versions on different machines.
This is the most severe problem with agents: agents circumvent network security configurations. Agent-based monitoring software often requires you to open a particular port so that the monitoring system can communicate with the agents. These open ports can present a significant security risk as data starts to flow out of them. Information about disk and CPU usage may seem harmless, but event log records, security events and log files can contain sensitive information. That information is typically protected by your network security policies, but agents sometimes bypass those policies.
Many vendors use agents because it’s easy. It gives them a clear window into your remote machines and they don’t have to worry about security configurations, firewalls or any of the other policies and rules that are in place to protect your network.
So how is agentless monitoring different with FrameFlow? The big difference is that we never install anything on the machines that we monitor.
FrameFlow Server Monitor uses standard protocols to do all its monitoring. Instead of using agents, FrameFlow contacts systems using standard network protocols such as HTTP, DCOM, WMI, SNMP and more. Since each of these protocols generally uses its own set of ports, it’s important to understand how they work if it becomes necessary to use FrameFlow through a firewall or other security system. Our Support Portal is a great place to find details about the ports used by FrameFlow, and many other technical aspects of FrameFlow software that you might be interested in for the specific needs of your organization or IT team.
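To make the agentless model concrete, here is an added example (not FrameFlow’s code) that collects OS, CPU and disk figures from remote Windows hosts over plain WMI/CIM, choosing the transport explicitly so the firewall team knows whether DCOM (TCP 135 plus the RPC dynamic range) or WinRM (TCP 5985/5986) is in play. The host names are constructed, and it assumes the caller already has administrative rights on the targets.

```powershell
# Added example, not FrameFlow's own code: agentless health check over WMI/CIM.
# Assumes the caller is a local admin on each target and that the firewall allows
# either DCOM (TCP 135 + RPC dynamic ports) or WinRM (TCP 5985/5986).
param(
    [string[]]$ComputerName = @('server01.example.local', 'server02.example.local'), # constructed
    [ValidateSet('Dcom', 'Wsman')][string]$Protocol = 'Dcom'
)

function Get-AgentlessHealth {
    param([string]$Target, [string]$Protocol)

    # Naming the protocol up front documents exactly which ports must be open.
    $opt = New-CimSessionOption -Protocol $Protocol
    try {
        $session = New-CimSession -ComputerName $Target -SessionOption $opt -ErrorAction Stop

        $os    = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem
        $cpu   = Get-CimInstance -CimSession $session -ClassName Win32_Processor |
                 Measure-Object -Property LoadPercentage -Average
        # DriveType 3 = local fixed disks; skips CD-ROM and network mappings.
        $disks = Get-CimInstance -CimSession $session -ClassName Win32_LogicalDisk -Filter 'DriveType = 3'

        foreach ($d in $disks) {
            [pscustomobject]@{
                Computer   = $Target
                Protocol   = $Protocol
                OS         = $os.Caption
                CpuLoadPct = [int]$cpu.Average
                Drive      = $d.DeviceID
                FreePct    = [math]::Round(100 * $d.FreeSpace / $d.Size, 1)
                LowDisk    = ($d.FreeSpace / $d.Size) -lt 0.10   # flag under 10% free
            }
        }
    }
    catch {
        # A blocked port or missing rights is reported per host rather than silently dropped.
        [pscustomobject]@{ Computer = $Target; Protocol = $Protocol; Error = $_.Exception.Message }
    }
    finally {
        if ($session) { Remove-CimSession $session }
    }
}

$ComputerName | ForEach-Object { Get-AgentlessHealth -Target $_ -Protocol $Protocol } |
    Format-Table -AutoSize
```

Nothing is installed on the targets; a host whose firewall blocks the chosen transport shows up as an Error row, which is the behaviour you want when your security configuration is being respected rather than bypassed.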
The big benefit with our approach is that when it comes to your security configuration, we’re playing by the rules. You can be confident that nothing has circumvented your domain policies, firewall rules and other security measures.
Our commitment to agentless technology certainly makes a lot more work for us, especially as each new version of Windows introduces enhanced security upgrades. We believe that the benefits to our customers are very clear and worthwhile, especially in today’s digital environment, where each batch of newly discovered security vulnerabilities can wreak a great deal of havoc on critical servers, IT systems and remote machines.
To fully appreciate this concept, we invite you to take a free 30-day test drive of FrameFlow, no credit card or commitment required!