[osiris-devel] Agent Architecture question

mailing lists thelists at gmail.com
Tue Nov 30 09:49:54 EST 2004


> 
> > What was the reasoning for having an open port on all agent machines
> > versus one open port on the management system?  Admittedly, it is
> > simple enough to firewall off this port with little to no consequence
> > to other activities, but I'm not fond of having any more open ports on
> > my systems.
> 
> A few reasons.  First, it's a lot easier to manage.  If you decide to
> change scheduling, check status of hosts, update configs, or whatever,
> you can operate on many hosts from a single interface.  Otherwise, you
> would have to perform these operations from each managed host.

I like the idea of a centralized management console; no argument
there, though I'm not sure server->client push is the only way to
implement it.

> Second, it made more sense (to me) in the beginning to initiate the
> connections from the more trusted system, as opposed to receiving them.
>   The management console is critical in that it is to be a secure store
> for all of the monitoring data.  If this is compromised, the whole
> system is almost useless.
> 
> Third, if the agents initiated connections, it could be argued that the
> management console would have a harder time detecting that an agent
> didn't scan when it was supposed to.  That is, it may be easier for a
> broken agent to go unnoticed.

However, this makes Osiris plausible only in static environments.  I'm
not arguing that this is a bad thing -- change management and
intrusion detection of servers is a serious issue that requires more
attention than I think most are willing to give.  What this doesn't
lend well to is the idea of monitoring dynamic environments (at least
not that I can see).  Being able to slap an agent on every desktop in
a corporate environment to detect modification of critical system
files or insertion of prohibited applications would be immensely
useful.  Of course, this is generally all possible without the
introduction of the Osiris agent, but I think it lends itself well to
the framework of the application.

Is it, through some hack or unnamed configuration setting, possible to
monitor hosts with dynamically assigned IPs?  Are there plans to
introduce this feature in the future?  With PKI, this functionality
shouldn't necessitate any less integrity than the present.

> There may be other reasons, but these are the main ones that were
> considered during design and development.  This isn't to say that doing
> it the other way is wrong, it's just not the way Osiris was built.
> 
> > Could the communication not have been done with a client push / pull
> > to the management console instead?  Is it possible to turn off the
> > listening feature of the agent component and force a push within the
> > current framework?
> 
> No, not really.  You could just run a management console on each
> monitored host, tripwire style, but that doesn't scale very well.
> 

I'm not disagreeing with the centralized management console.  That
feature is a requirement in a mature intrusion detection system
intended for any mid-to-large scale deployment.  In fact, I prefer a
console that can be accessed through a secure terminal environment as
opposed to a platform-dependent GUI (though I could settle for a
webpage, which, as a feature of Osiris, I haven't yet checked out).

> -brian
> 
> 


-bill
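The two design points argued above, that a console has a harder time noticing a silent agent when agents initiate the connection, and that hosts on dynamically assigned addresses cannot be reached by a console-initiated poll, can both be handled on the console side of an agent-push design. The sketch below is an added illustration written for this thread; it is not Osiris code and does not describe how Osiris works. It assumes a hypothetical console that identifies each agent by a certificate fingerprint presented when the agent connects (so identity is not tied to the source IP), keeps an expected scan interval per agent, and runs a watchdog that reports agents that have missed their window. The agent names, addresses and timings are constructed sample data.

```python
"""Console-side watchdog for agent-initiated (push) check-ins.

Added example for the osiris-devel thread; not Osiris code. The Console class,
its fingerprint-based identity and the schedule/grace fields are assumptions
made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class AgentRecord:
    """Console-side state for one agent. The fingerprint (assumed to come from
    the agent's client certificate) is the identity; the IP is recorded only
    for operators and is allowed to change between check-ins (DHCP hosts)."""
    fingerprint: str
    interval: timedelta          # how often the agent is expected to push a scan
    grace: timedelta             # slack tolerated before the agent is declared overdue
    registered_at: datetime      # used as the reference point until the first check-in
    last_seen: Optional[datetime] = None
    last_ip: Optional[str] = None
    scans: int = 0


class Console:
    def __init__(self) -> None:
        self.agents: dict[str, AgentRecord] = {}
        self.rejected: list[tuple[str, str]] = []  # (fingerprint, ip) of unknown pushers

    def register(self, fingerprint: str, interval: timedelta,
                 grace: timedelta, now: datetime) -> None:
        """Enrol an agent. Enrolment is an operator action; a push from an
        unenrolled fingerprint is never silently adopted."""
        self.agents[fingerprint] = AgentRecord(fingerprint, interval, grace, now)

    def record_checkin(self, fingerprint: str, source_ip: str, when: datetime) -> bool:
        """Accept a push from a registered agent. Identity is the fingerprint,
        so a changed source IP is not an error; an unregistered fingerprint
        is refused and logged."""
        rec = self.agents.get(fingerprint)
        if rec is None:
            self.rejected.append((fingerprint, source_ip))
            return False
        rec.last_seen = when
        rec.last_ip = source_ip
        rec.scans += 1
        return True

    def overdue(self, now: datetime) -> list[str]:
        """Agents that have not pushed within interval + grace of their last
        check-in (or of registration, if they have never checked in). This is
        the console noticing a broken or tampered agent without polling it."""
        late = []
        for rec in self.agents.values():
            anchor = rec.last_seen or rec.registered_at
            if now > anchor + rec.interval + rec.grace:
                late.append(rec.fingerprint)
        return sorted(late)


def demo() -> dict:
    """Constructed scenario: three agents on a 10-minute schedule, 2 minutes of grace."""
    t0 = datetime(2004, 11, 30, 9, 0)
    console = Console()
    for fp in ("fp-desktop-a", "fp-desktop-b", "fp-server-c"):
        console.register(fp, timedelta(minutes=10), timedelta(minutes=2), t0)
    # desktop-a moves between DHCP leases but keeps checking in on time
    console.record_checkin("fp-desktop-a", "10.0.1.17", t0 + timedelta(minutes=10))
    console.record_checkin("fp-desktop-a", "10.0.3.201", t0 + timedelta(minutes=20))
    # desktop-b checks in once, then goes silent (broken or tampered agent)
    console.record_checkin("fp-desktop-b", "10.0.1.44", t0 + timedelta(minutes=10))
    # server-c sits on a static address and is healthy
    console.record_checkin("fp-server-c", "10.0.0.5", t0 + timedelta(minutes=10))
    console.record_checkin("fp-server-c", "10.0.0.5", t0 + timedelta(minutes=20))
    # an unknown fingerprint tries to push: refused, not adopted
    accepted = console.record_checkin("fp-unknown", "10.0.9.9", t0 + timedelta(minutes=20))
    now = t0 + timedelta(minutes=25)
    return {
        "overdue": console.overdue(now),
        "unknown_accepted": accepted,
        "desktop_a_ip": console.agents["fp-desktop-a"].last_ip,
        "rejected": console.rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports `fp-desktop-b` as overdue at 09:25 while the roaming desktop, now seen from a different address, is treated as healthy. The point of the watchdog is that a missed scan becomes a positive event on the console (an alert on silence) rather than something that only shows up when the console happens to poll; the point of keying on the fingerprint is that the trust decision never depends on the address the agent connected from.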
