Agent-Based or Agentless?

Cloudhouse Guardian (Guardian) offers two methods for scanning nodes: Agent-based or Agentless. The following content describes each method, providing an overview of the benefits and drawbacks of each approach. For best results, Cloudhouse recommends using a mixture of both scanning methods. This information can be used to inform the deployment method you choose for your instance of Guardian.

Overview

Guardian performs its node configuration scanning by running commands on the node to gather configuration data. The commands can be run by an Agent that is installed on each node, or Agentlessly, via a remote connection made by a Connection Manager. The results of each scanning method are the same and, as such, you can use any combination of Agent-based and Agentless collection methods in your environment; see below for more information.

Note: Some node types can only be scanned Agentlessly; see Add Nodes for more information.

Agent-Based

For Agent-based scanning, the Agent must be installed on each of your target nodes. The service scans the node it is installed on and polls the Guardian appliance over HTTPS (port 443) every 10 seconds to check whether there is any work to be completed. Each Agent instance scans one node. For more information, see Guardian Agent.

Use Cases

This method of scanning is especially useful if you have a node that cannot be accessed remotely but can communicate with the appliance over HTTPS port 443. Likewise, if a node has an unreliable connection to the appliance or Connection Manager, remote scans may not run as expected, so installing an Agent directly on the node can produce more consistent results. Finally, if you are otherwise unable to deploy a Connection Manager that can reach a specific node, deploying an Agent in its place can solve that problem. Many deployments use a mixture of Agent-based and Agentless scanning to meet their needs.

Benefits

There are various benefits attributed to Agent-based scanning, as described below:

Benefit: Description

Improved troubleshooting: With Agent-based scanning, a single node can be isolated for troubleshooting, for example when a timeout needs to be changed for that node only.

No Virtual Machines required: Besides the Guardian appliance, no extra Virtual Machines are required to act as Connection Managers.

HTTPS port 443: Enables communication with node types that otherwise cannot be accessed remotely, as the Agent only needs outbound HTTPS access to the appliance.

Windows users: No service account is required, as the 'Guardian' service can run as the Local System account.

Linux users: For scanning files as root, no remote connections need to be made to the system as root, as the Agent itself can run as root.

Drawbacks

Likewise, there are potential drawbacks attributed to Agent-based scanning, as described below:

Drawback: Description

Required installation: The Agent must be installed on each node that is added.

Time-consuming deployment: Deploying and updating each Agent can be time-consuming.

Slow configuration: Updating the configuration file on every node can be a slow process, for example when changing a timeout.

Agentless (Default)

For Agentless scanning, a Connection Manager is used to connect to your target nodes remotely. Working essentially as a connection proxy, the Guardian Connection Manager provides a single point of management for all configuration, logging, and updating of nodes. Once deployed, a Guardian Connection Manager has the capacity to scan more than a hundred nodes remotely. Depending on the node type, the Connection Manager connects via SSH, WinRM, or an API. The Connection Manager can be deployed on the Guardian appliance itself or as a satellite Connection Manager. For more information, see Connection Managers.

Use Cases

This method of scanning requires less management overhead when deploying and maintaining nodes in Guardian. Configuration changes are trivial and happen in only one location: the Connection Manager. The Connection Manager also provides the easiest method of adding nodes, with the most efficient deployment and configuration. With Connection Managers, the Guardian appliance does not need direct access to your entire network. For the best results, we encourage you to distribute Connection Managers throughout your network to allow for fine-grained network access control.

Benefits

There are various benefits attributed to Agentless scanning, as described below:

Benefit: Description

One location: Configuration changes happen on the Connection Manager only.

No setup required: By default, the Guardian appliance contains a built-in Connection Manager that requires no setup.

Less management overhead: Less management overhead when deploying and maintaining nodes.

Easiest method of adding nodes: Add new nodes easily, without having to install any software on the node.

Efficient deployment and configuration: No software deployment or configuration occurs on the nodes.

Drawbacks

Likewise, there are potential drawbacks attributed to Agentless scanning, as described below:

Drawback: Description

Connection Manager required: A Connection Manager is required to access the nodes. For Windows and Linux nodes, the corresponding Connection Manager is required.

Windows users: A service account with local administrator rights on all nodes is required.

Linux users: For scanning files as root, the remote helper is required.

Note: The remote helper allows connections from the Connection Manager as root. However, this access is only used during scans (on average, once per day), so the exposure is limited.