Review: McAfee Entercept

Entercept is an intrusion prevention system (IPS). In common with traditional host-based intrusion detection systems (HIDS), Entercept resides on the host itself, but it works at a much lower level than a normal HIDS system.

HIDS reacts to events that have already happened and been recorded in log files. But Entercept monitors, at the operating system or web-server level, events that may be used to create such log entries. By seeing these events before processing by the OS or the web server, Entercept can actually stop them before any damage occurs.

Entercept consists of a number of host agents that are controlled by a single central console. Agents are available for Windows NT 4.0 Server, Windows 2000 (Professional or Server) and Sun Solaris 2.6/7/8. There are also web server agents available to provide protection for Microsoft IIS 4.0/5.0 (Windows), Apache 1.3.6 through 1.3.24 (SPARC Solaris), Netscape Enterprise Server 3.6 (SPARC Solaris) and iPlanet Web Server 4.0, 4.1 (SPARC Solaris).

Each agent communicates with the console via triple-DES-encrypted sessions. If communication with the console is interrupted for any reason, the console displays the agent as 'not connected,' but the agent continues to operate in a standalone mode. Security events are stored locally until connection is re-established. Each console is able to manage up to 5,000 agents. Data can also be sent to third-party consoles for further analysis.

One feature of Entercept is web shielding, which ensures that the configuration, layout, and operation of the web site cannot be altered. Even if someone gained administrative privileges on the server, they still would be unable to modify the web site. Entercept can be used to protect the resources of the OS, SQL databases and other applications. Furthermore, a feature called SecureSelect Vault Mode can be used to lock down the operating system itself.

Alerts are displayed on the console, but can also be delivered via email, pager, SNMP trap, and can spawn processes. Depending on the severity level, a log entry is made and the action can be automatically terminated. A plausible error code is returned to the application causing the alert so that the reason for the termination is not obvious.

For:

Protects

both known and unknown attacks. AGAINST Linux agents are missing at present, but are promised by year end.

Unlike most other web defacement detection systems, Entercept prevents unauthorized modification in addition to alerting on the attempt.