[osiris-devel] Agent Architecture question
Alexei_Roudnev
Alexei_Roudnev at exigengroup.com
Wed Nov 24 13:17:00 EST 2004
This port is open only when the management system is not connected to the
agent.
And it is not any problem to restrict this port on firewall, as you wish.
Remembering that osirismd server is usually in high security zone, and
agents are spread around, current approach is even more secure vs. open port
on central server (to which I must allow access from all systems around).
----- Original Message -----
From: "Brian Wotring" <brian at shmoo.com>
To: "mailing lists" <thelists at gmail.com>; "Osiris Developers"
<osiris-devel at lists.shmoo.com>
Sent: Tuesday, November 23, 2004 10:15 PM
Subject: Re: [osiris-devel] Agent Architecture question
>
> > What was the reasoning for having an open port on all agent machines
> > versus one open port on the management system? Admittedly, it is
> > simple enough to firewall off this port with little to no consequence
> > to other activities, but I'm not fond of having any more open ports on
> > my systems.
>
> A few reasons. First, it's a lot easier to manage. If you decide to
> change scheduling, check status of hosts, update configs, or whatever,
> you can operate on many hosts from a single interface. Otherwise, you
> would have to perform these operations from each managed host.
>
> Second, it made more sense (to me) in the beginning to initiate the
> connections from the more trusted system, as opposed to receiving them.
> The management console is critical in that it is to be a secure store
> for all of the monitoring data. If this is compromised, the whole
> system is almost useless.
>
> Third, if the agents initiated connections, it could be argued that the
> management console would have a harder time detecting that an agent
> didn't scan when it was supposed to. That is, it may be easier for a
> broken agent to go unnoticed.
>
> There may be other reasons, but these are the main ones that were
> considered during design and development. This isn't to say that doing
> it the other way is wrong, it's just not the way Osiris was built.
>
> > Could the communication not have been done with a client push / pull
> > to the management console instead? Is it possible to turn off the
> > listening feature of the agent component and force a push within the
> > current framework?
>
> No, not really. You could just run a management console on each
> monitored host, tripwire style, but that doesn't scale very well.
>
> -brian
>
>
>
> _______________________________________________
> osiris-devel mailing list
> osiris-devel at lists.shmoo.com
> https://lists.shmoo.com/mailman/listinfo/osiris-devel
>
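Brian's third point is the one that needs an actual mechanism if agents push instead of being polled: the console has to notice an absence, not just record arrivals. The script below is an added illustration, not Osiris code, of the missed-report check a push-style console would have to run. The agent names, report timestamps, scan interval and grace period are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data: how often each agent is supposed to push results,
# and the timestamps at which the console actually received a report.
SCAN_INTERVAL = timedelta(hours=1)
GRACE = timedelta(minutes=10)   # tolerate clock skew and slow scans

OBSERVED_SCANS = {
    "web1": ["2004-11-23 20:00", "2004-11-23 21:00", "2004-11-23 22:01"],
    "db1":  ["2004-11-23 20:00", "2004-11-23 21:00"],            # stopped at 21:00
    "ftp":  ["2004-11-23 18:00", "2004-11-23 20:30",
             "2004-11-23 21:30", "2004-11-23 22:15"],            # skipped 19:00
    "mail": [],                                                  # never reported
}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def check_agent(scans, now, interval=SCAN_INTERVAL, grace=GRACE):
    """Return a list of findings for one agent's report history.

    A push-only console cannot see a broken agent directly; it can only
    compare the reports it did receive against the schedule it expects.
    """
    if not scans:
        return ["never reported"]
    times = sorted(parse(t) for t in scans)
    findings = []
    # Gaps in the history: the agent was alive but skipped a scan window.
    for earlier, later in zip(times, times[1:]):
        if later - earlier > interval + grace:
            findings.append(f"gap {earlier}..{later}")
    # Staleness: the most recent report is older than one window plus grace.
    if now - times[-1] > interval + grace:
        findings.append(f"stale since {times[-1]}")
    return findings


def audit(observed, now_str, interval=SCAN_INTERVAL, grace=GRACE):
    """Map agent name -> findings, only for agents with at least one finding."""
    now = parse(now_str)
    result = {}
    for agent, scans in observed.items():
        findings = check_agent(scans, now, interval, grace)
        if findings:
            result[agent] = findings
    return result


if __name__ == "__main__":
    for agent, findings in audit(OBSERVED_SCANS, "2004-11-23 22:30").items():
        print(agent, "->", "; ".join(findings))
```

Under the poll model Osiris actually uses, the console gets this information for free: a connection that fails or times out is the alert. The point of the example is that a push design has to rebuild that signal from the absence of data, and every tolerance it adds (the grace period here) is time during which a silent agent goes unnoticed.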