Fine. I’ve not had anything of any consequence to chat about for a bit (other than trials and tribulations with a pair of teenage boys and maybe that of my grease car habits) – but this thread about Agents and Appliances is threatening to send me over the proverbial network edge.
So – a level setting comment. I’m not knocking or promoting anyone’s particular technology or implementation. My comments in this line are solely those of someone who is sick and tired of the blending of issues and technologies under the guise of “low / no maintenance” (aka “appliances”) or of “low server impact” (ala “no agents to hog your CPU or memory resources”).
First – the concept of an IT/IS “appliance” is crap. Yes – quote me on that one. An appliance is a something heavy, dumb, and generally bisque (hey – it’s not the 70’s anymore – no more Avocado) in color. Examples are: a refrigerator or an oven or a freezer, or if you want to get into some fancy programming – a microwave that just “knows” when the popcorn is done. What are the vendors pushing on unsuspecting IT staffers and users are actually intelligent systems that have: disks (hard drives or flash); memory; something along the line of an operating system like BSD, NT4e, WinXPe, or worse – thinly veiled full Linux distros – or much, much worse – full blown Windows 2000 / XP / 2003 OS’s..
Guess what – it’s *not* an appliance anymore. Anyone who says it is should be taken out to the IT Wood Shed and severely thwacked about the ears with an RS232-C cable (with the D25 connectors still on). If it has an OS – it needs to be patched and maintained. If it’s on the network (otherwise – what’s the point!?!) it needs to play nice with all other systems and comply with standards. Since when do “appliances” have their own web servers and SMTP servers? Most of them do if you look under the covers deep enough. If it smells like an OS, looks like an OS, and talks like an OS, then it needs to be treated *like any other server or PC in your environment*. Period. End of discussion. Any vendor or IT/IS “specialist” that tells you otherwise is: a) an idiot b) a fool, or c) looking for another job (they just don’t know it yet). Strong words? Yes – but the madness has to stop somewhere.
Secondly – “Agents” – yes – no one wants them, but without them you have several very, very serious issues to reconcile. It’s easy – if an agent-less “appliance” needs to get to the innards of that application thingy, how does it do it? Simple – just give it an “application ID”. What do these IDs generally require you ask? Easy – full access. Rarely is there any attempt to design in Least Privilege with these “Safe” agent-less systems. Since it all works if you have Root (or the equivalent), then they get it by design.
Where does this leave us now? We now have an unpatched/unpatchable opering system with no / little documentation of the innards, running around on our internal “secure” networks, gaining access to “secure” systems with absolutely full control. I ask you – what would you rather have? Agents or agentless zombie-wannabes…
Back to lunch… (or to losing it)
No comments:
Post a Comment