Agent or Agent-less for endpoint security, backup & F5 LB

Which is better, agent or agentless, in terms of
a) ease of support
b) ease of upgrade/patching
c) stability (as often I've seen agents' status going Offline, Unknown, etc)
d) interference with apps (have seen agents causing issues to .Net, Java & various apps)

For endpoint security (eg: Symantec Endpoint, Trend's Deep Security),
backup (eg: Netbackup, Commvault), and F5 LB?
sunhux Asked:

btan (Exec Consultant) Commented:
For endpoint, agent is recommended as the HIPS needs to conduct on-demand and real-time scans effectively. Agentless is not possible unless you mean running it as a VM AV virtual appliance at the hypervisor level.

For backup, in general, agent-based backup can be more effective as it is loaded in the OS stack it offers increased control and visibility of the host system that is not immediately available to an agent-less backup.  e.g. agent-less backups typically need to traverse the file system to determine changes for incremental/differential backups.  This traversal can take longer and be more complex than the agent-based backup which has access at the kernel level.

Also, agent-based backups rely on local resources to pre-process and compress data before transmitting it across the network to the storage device (NAS/SAN, local USB drive, or remote host). I will say agent-less backups rely more on network resources to transmit application commands across the network as well as data between the target and storage device. Though both approaches will send data across the network and take up bandwidth, the additional network traffic from agent-less backups is more likely to load the local network, especially when your local network bandwidth is already trying to meet other Enterprise traffic.

But to put it in context, where most are in a VM environment, the article below shares the pros and cons, and also covers agent-assisted backup on top of the other two. It helps in understanding and selecting the strategy.
http://www.veritas.com/community/blogs/agent-and-agentless-vm-backup-and-recovery-unraveling-myths

For F5, I have not heard that there is an agent, besides the LB being able to be centrally managed if you have the F5 Enterprise Manager or BIG-IQ, which can save the config etc. of each managed F5 device. This is preferred. Otherwise the manual backup via the console to snapshot the config, cert etc. for storage can still be done. It is not so much agent or agentless, as such application delivery controllers already have an API that can be called from external apps like those I shared. More of a hybrid. So the focus should be on centrally managing all your BIG-IP configuration files (UCS), which also serves to maintain a central repository for BIG-IP configuration and information.

BIG-IQ Security uses snapshots to protect the working-configuration set of the Security module. Thus, at any time, you can back up, restore, and deploy the BIG-IQ working configuration to a specific configuration state, or deploy a specific set of working configuration edits back to a BIG-IP device. You can also compare one snapshot to another, or compare a snapshot to the BIG-IQ working configuration.
https://support.f5.com/kb/en-us/products/big-iq-security/manuals/product/bigiq-security-administration-4-4-0/11.html
McKnife Commented:
May I assume that you are not familiar with the concepts of using an agent?
Agents "do" something on the remote machine - it could be anything from reading out status info or computer specs to modifying things like updating files or configurations. This could all be done from remote, agentless, too; all commands and procedures can be initiated from a remote machine. The downside, however, is that ports would need to be opened and the machine controlling all this will be constantly instructing and checking remote machines - maybe it would even become a performance issue.

About your a-d, no answer can be given; it all depends on what particular software we look at and what we expect those agents to do. Normally, an agent will not make machines unstable; normally, it would not interfere with other apps.

Again normally, you would not always be given the choice, all endpoint security software that I know work with agents. Backups however can use built-in methods (wbadmin) depending on what you expect your backup to perform, this might be enough, so there's no agent. Some 3rd-party backup software use the task scheduler as control component.

I do as much as I can without extra software (and agents) using built-in methods, instead. Cheaper and mostly very reliable. But you will not always have a choice.
sunhux (Author) Commented:
> saying running as VM AV virtual appliance at hypervisor level.
Yes, I'm looking into this.

I've been installing/upgrading agents for 2 products, so have some idea.

So for F5 LB, how does it know the % load of a server if there's no agent
in the target servers that it load balances?

> would not always be given the choice, all endpoint security software that I know work with agents.
Not true, I'm using one EP security which is agentless & I heard Commvault backup can be agentless too
btan (Exec Consultant) Commented:
For F5, the "agent" is its own script (or F5's own tmsh client) running to handle all the iControls API calls sent by the external interface services like VMware or other providers. So if stats are required on the loading of the servers, besides the normal SNMP traps from servers, F5 has its iControls for providers to query further so that they can establish their own dashboard or reporting. Do check out F5 iStats and iControls.
To obtain statistics for a resource, this example queries the /Common/my-Pool object for current statistics.
The response that contains the statistical output appears in the second block.
GET https://192.168.25.42/mgmt/tm/ltm/pool/~Common~my-Pool/stats

So for interface stats for example, you could do this:

curl -k -u "admin:admin" https://10.1.0.213/mgmt/tm/net/interface/stats -H "Content-Type:application/json" -X GET

Other than interface, what do you need? Things like CPU and mem are in the sys section, so

curl -k -u "admin:admin" https://10.1.0.213/mgmt/tm/sys/cpu/stats -H "Content-Type:application/json" -X GET

- https://devcentral.f5.com/questions/how-to-get-interface-and-system-stats-that-are-part-of-the-f5-system-mib-via-rest-api

I believe there may be different readings of the term "endpoint security". My reading is more of HIPS (host intrusion prevention system), which consists minimally of the suite of AV, FW, anti-malware, etc. I "restrict" the scope, excluding backup as another form of data protection for availability aspects, like what Commvault backup is doing.
The latter "agentless" backup is likely to tap on the native deployment (mostly virtual) environment's capability and interface using an API (analogous to the F5 use case). The Commvault agentless solution is likely going through the VM API approach (e.g. VADP, the VMware APIs for Data Protection feature set).
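
Added example (not part of the thread or of F5's documentation): the agentless stats polling discussed above, written so that certificate verification stays on and credentials come from the environment instead of -k and admin:admin on the command line. The sample reply is constructed; the F5_USER and F5_PASS variables, the ca_file argument and the stat names in the sample are assumptions.

```python
import base64, json, os, ssl, urllib.request

# Constructed sample shaped like an iControl REST pool stats reply
# (entries -> nestedStats -> entries); names and values are illustrative.
SAMPLE = json.dumps({
    "kind": "tm:ltm:pool:poolstats",
    "entries": {
        "https://localhost/mgmt/tm/ltm/pool/~Common~my-Pool/stats": {
            "nestedStats": {"entries": {
                "tmName": {"description": "/Common/my-Pool"},
                "activeMemberCnt": {"value": 2},
                "serverside.curConns": {"value": 37},
                "status.availabilityState": {"description": "available"},
            }}
        }
    },
})

def flatten_stats(body):
    """Return {object_url: {stat_name: value}} from a stats reply."""
    out = {}
    for url, entry in json.loads(body).get("entries", {}).items():
        stats = entry.get("nestedStats", {}).get("entries", {})
        # Numeric stats carry "value"; textual ones carry "description".
        out[url] = {k: v.get("value", v.get("description")) for k, v in stats.items()}
    return out

def build_request(host, path, user, password):
    """GET request with Basic auth; credentials are passed in, never hard-coded."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"https://{host}{path}",
        headers={"Authorization": f"Basic {token}", "Accept": "application/json"},
    )

def fetch_stats(host, path, ca_file):
    """Poll the device with the TLS chain and hostname verified (no -k equivalent)."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CA that signed the device cert
    req = build_request(host, path, os.environ["F5_USER"], os.environ["F5_PASS"])
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return flatten_stats(resp.read())

if __name__ == "__main__":
    # Offline demo on the constructed sample; fetch_stats() needs a real device.
    for url, stats in flatten_stats(SAMPLE).items():
        print(stats["tmName"], stats["serverside.curConns"], stats["status.availabilityState"])
```

A read-only monitoring account is the natural fit for F5_USER here, since the poller only issues GET requests.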
