KBOX 1100 Systems Management Appliance

KACE Networks’ KBOX 1000 series of appliances deliver a broad set of standard and optional systems management features. I tested the KBOX 1100, whose key standard features include hardware and software inventory, software distribution, PatchLink-powered patch management from Lumension, and the presentation of information from the AppDeploy Live database of practical systems management information. Reporting, alerting, and role-based permissions are also standard features. The alternative model 1200 offers more standard features and boasts greater processing power, memory, and storage in support of larger organizations. The KBOX 1200 also adds asset and security-policy management as standard features. Help desk features are optional on all models.

The KBOX is also available as a VMware virtual appliance licensed for either three or six virtual instances, depending on model, letting you implement the KBOX on several physical systems. This option might support different company locations, disaster recovery or testing. In addition to Windows clients, KBOX supports Linux, Macintosh, and Solaris clients. There’s a lot to cover in the KBOX, so let’s get right to it!

Architecture
The KBOX is a 1U rackmount system that runs Free BSD. Administrators use a Web-based UI to configure and manage the KBOX. The system utilizes agents installed on each managed system; the agent communicates with the KBOX, returning information about the client system’s hardware and software configuration and managing the installation of patches and applications. The agent also monitors each system for the use of specific software packages in support of license metering and the execution of specific system processes in support of system security.

Many of KBOX’s features operate as scheduled tasks, so you can manage their frequency. Automatic installation of the KBOX agent and the agentless network IP scan are examples of tasks that you might want to schedule after hours.

KBOX administration accommodates distributed environments, supporting roles that limit which KBOX facilities a user can access as well as user-defined Organizations for grouping managed systems. To authenticate access, the KBOX uses locally administered user IDs or Active Directory (AD)/LDAP-based authentication.

Testing
The KBOX requires minimal initial configuration. After attaching a monitor, mouse, and keyboard, I booted the system, then logged on and provided standard IP and DNS configuration information. Next, I connected an Ethernet cable, rebooted the system, and connected Microsoft Internet Explorer (IE) to the KBOX’s integrated management Web site, which was very responsive and easy to navigate. As Figure 1 shows, eight buttons along the top provide access to the various functional areas, and the tabbed interface supports major subfunctions. In the upper-right corner, a drop-down box lets you select the Organization you want to work with (according to the organizational structure the KBOX lets you create). Selecting the System OU displays configuration screens for system-level KBOX parameters.

Perhaps the easiest method for installing the KBOX agent on client systems is to push it directly from the KBOX. After enabling access to the KBOX’s file-system share that supports client installation, I pushed the agent out to a single system. To complete this task, the KBOX needed only the IP address and my administrative credentials. Then, I installed the agent to several more systems, first using a mode that let me push the client to several systems manually, then another mode through which the KBOX automatically scans an IP address range according to a flexible schedule and installs (or reinstalls) the agent on the systems it finds. The KBOX can also automatically update agents as new versions of the agent software become available.

The KBOX offers many more features than I can describe in this space, so I’ll run quickly through my experience with some of the key features. KBOX’s IP Scan can list all the systems it finds in DNS records, as well as those that respond to Ping and SNMP queries, letting you track systems that lack an agent. Once the agent is installed, a system is deemed a managed system. KBOX lets you assign multiple labels to each system as a way to flexibly group systems for various tasks and reporting. The agent collects and maintains detailed information about each managed system’s hardware and software configuration, as you can see in Figure 1. Scan results also contribute to the contents of the Software, Processes, Startup, and Service tabs that you see in the figure. For example, the Software tab might show how many systems have Mozilla Firefox installed, and the Process tab might show how many systems were running Firefox at the last scan. The Startup tab might show how many systems start Windows Defender on startup, and the Service tab might show how many systems have the DHCP Server service installed. The interface lists each distinct version of a product separately. Software lists are linked to other KBOX modules for ease of use. From a product’s right-click menu, you can add it as an asset. From a process’s right-click menu, you can add it as a metered software item, which you can further configure from the Metering tab within the Asset function set.

To set up software distribution, you start by creating or editing an item on the Inventory area’s Software tab to provide KBOX with the location of the software-installation package. (KBOX supports .exe, .zip, and .msi format installation packages for Windows systems KBOX uploads it, then lets you configure how and when KBOX will push the installation out to designated (or all managed) systems. KBOX displays related information from KACE’s AppDeploy.com Web site that can be helpful—for example, it provides the command-line switches that request a silent installation. In my testing, the site recommended installation parameters for Firefox but didn’t know about Spybot, a freely available anti-malware tool in the vein of Windows Defender. KBOX also supports ZIP-based installation packages; you need only specify the full command line of the installation executable within the ZIP file, which the KBOX will run after extracting all the files. I tested this functionality with an immediate installation of Firefox to a single system, as well as a SpybotSD installation to a designated system scheduled to occur when a user was logged on. Both tests worked as expected.

KBOX’s scripting features let you build scripts for administrative tasks. To do so, you use drop-down boxes to select job tasks within a phased structure (i.e., Verify, On Success, Remediation, On Remediation Success, On Remediation Failure), as Figure 2 shows. The drop-down menus make various tasks available, depending on the task phase. Scripting supports both configuration and security policy deployment and enforcement, offering capabilities such as managing registry entries, starting services, and killing processes.

To use the patch-management feature, which is available in the Security area, you subscribe to updates for the OS versions you use and, optionally, related application program patches. KBOX downloads patches nightly and awaits your approval before the patches become eligible for deployment. Once you approve a patch, KBOX runs a “detect and deploy” process either on demand or as you schedule it. Patching is limited to systems that have designated labels assigned to them. When you define a label, you can also define an alternative download location, to which the KBOX will stage the updates for members of that label group. You can disable or enable a patch schedule to phase a rollout of a set of patches. A Detect Only cycle updates the software inventory with the patch status of a managed system. The KBOX supplies descriptive information about each patch to help you along the approval process and provides a set of reports to show the status of patches and systems. This feature is easy enough to configure and use, although it could be improved with the addition of a deployment-status screen. Although the Patching Detect/Deploy Status information on a system’s inventory-detail display shows the status of patches approved and assigned for possible deployment, I often found myself wondering, “Is this running?” or “Did this run?” A time-stamped log of activities and events, displayable by system name or patch-schedule name, would help answer these questions.

The other key feature in the Security area—Open Vulnerability and Assessment Language (OVAL)—lets you scan managed systems for known vulnerabilities. OVAL is an open, community-supported assessment and vulnerability standard consisting of XML schema defining a specific assessment test, the OVAL language and interpreter used to implement assessment on supported platforms, and OVAL repositories used to store and provide access to assessment definitions. A primary OVAL Web site and vetted repository is hosted by Mitre Corporation (http://oval.mitre.org) with funding from the US Department of Homeland Security. OVAL is designed to assess both for the presence of known vulnerabilities and for the presence of related patches.

The KBOX helps you keep its system software up to date by downloading any available updates nightly and applying them when you request. I brought my test unit up to date by downloading an update package, browsing to its location, and applying it. The process took just a few minutes. Annual maintenance subscription for KBOX updates—including patch and OVAL update feeds—is priced at 20 percent of current purchase pricing.

Great Product, Minor Quibbles
The KBOX’s broad feature set is remarkably easy to use and worked well in my testing. I yearned for some kind of event log and list of future scheduled events that might help me understand and manage KBOX’s scheduled tasks. However, this shortcoming didn’t really detract from what the KBOX does well.

End of Article