Category: Web intrusion prevention software
Name of tool: Entercept Web Server Edition V. 2.01
Company name: Entercept
Price: $4,995 for the console; $1,595 per Web server agent
-- Console: Windows 2000 or NT Server with at least Service Pack 4 and with at least 128M-bytes RAM.
-- Agents: Entercept sells two different agents. One monitors general operating system information and is available for either Windows NT/2000 Workstations and Servers or Solaris servers. This is a prerequisite for the second agent, which monitors Microsoft IIS, Apache and Netscape/iPlanet
** = A tad shaky to install and use but has some value.
Locks down numerous Web server vulnerabilities, regardless of the patches applied by administrators.
Monitors and prevents attacks to your Web server normal operations.
A bit complex to install and operate.
Will take some work to customize product and learn what alarms need immediate attention.
Automatic signature updates won't work on nonroutable IP address ranges.
If you are looking for a solid way to tighten up your Windows and Solaris Web server security, a good place to start would be to purchase Entercept's Web Server Edition software. If you harbor any doubts that your network administrators can keep up with the various security vulnerabilities of your Web server software, give this product consideration.
I usually try to recommend inexpensive products in these reviews, but given the number of Code Red and Nimda exploits as of late, it is worth asking yourself what several thousand dollars buys you. The answer is: quite a lot. If your Web server was running this software, chances are good that these viruses and other attacks would not have entered your network.
Web servers, and especially Microsoft IIS Web servers, have been the preferred means of spreading trouble by many hackers as of late. Buffer overflow exploits, granting system administrator privileges without properly authorization and directory traversal techniques have been well documented over the past few years. Even with the news about these and other exploits, many network managers run outdated or vulnerable code on their Web servers, making their systems ripe for attack.
Entercept works by installing a software agent on each Web server machine. The agent intercepts Web browser's requests for pages before the Web server itself processes them. If they fit various profiles of commonly known exploits, these requests are blocked and recorded to a log file so that you can see who was trying to do something funny on your site. Legit requests are left alone and processed by the server without any interference. It is a great idea and one that is worth further exploration.
The trouble with this product is staying ahead of the bad guys, while limiting the number of false alarms that the software might detect. I was surprised at how many different situations/attacks Entercept detected and repelled on a test Windows IIS Web server, including the ones mentioned above. The product works by comparing attack methods and actions to a database of known penetrations that is similar to a virus pattern database used by virus scanning products. The difference is perhaps one of dimension, as Web server exploits have a variety of ways to take control over a system. Also, most antivirus products are useless when a new virus is created and no match is available for it from the scanner vendor. Entercept looks for ways that the Web server software can be subverted and denies these actions, regardless of whether it has seen this specific exploit before. For example, if someone uses the Web services account to make changes to the registry, the product will deny this action.
The major disadvantage of a product like this is that you need to examine the log files and understand the warning messages that the software displays. Some of the messages are informational, while others are telling you the exact nature of the potential exploit. Of course, these exploits never actually happen because Entercept prevents them as part of its protective features. There are actually two different ways to run the software: to deny all attacks or to just display warnings to help teach network administrators what is going on with their Web servers. In a production environment, I would recommend sticking with the "deny all" method, once people are properly trained on the product.
The product comes in two basic pieces: a console program, which is strictly Windows, and various agents that are installed as system services on both Windows and Solaris servers. You have two basic agent types: those that are designed to work just with the basic underlying operating system and those that have additional code that also work exclusively with the Web server software running on that machine. You need to buy a separate agent for each server you are planning on protecting, and the Web agents are a superset of the functionality of the general OS agents.
Installing the software isn't simple and will require some attention to various details. Still, the beauty of the product is that once it is installed, you don't have to do much other than monitor the console and determine when you have an attack in progress. The software will even update itself when the company builds new agents, so you can try to stay ahead of new exploits by the bad guys. These automatic updates won't happen if you have chosen one of the nonroutable IP address ranges (like 10.x.x.x) or have firewalled inbound port 5000 (the port used by the product). In this case, you have to manually apply the updates. I had all sorts of trouble with the manual updates, and it would help if Entercept would include error messages when the updates fail, something that they are considering in a future release.
This protection doesn't come cheaply, given that each Web server costs close to $1,600 apiece, and you also need to shell out another $5,000 fee for the console software. Even if you have just a few servers to protect, you could be out a great deal of cash. But the alternatives aren't very pretty either, and the expense of having to clean up after someone has penetrated your site and stolen your data or customer records could easily cost more.
Entercept is worth taking a look at, especially if you have experienced a break-in before and know how much trouble it is to clean up after one of those varmints. Even if you site has remained inviolated, it is worth installing it for peace of mind.
**** = Very cool, very useful.
*** = Hey, not bad. One notch below very cool.
** = A tad shaky to install and use but has some value.
* = Don't waste your time. Minimal real value.
About the author
David Strom is president of his own consulting firm in Port Washington, NY. He has tested hundreds of computer products over the past two decades working as a computer journalist, consultant and corporate IT manager. Since 1995, he has written a weekly series of essays on Web technologies and marketing called Web Informant. His second book, entitled "Home Networking Survival Guide" is available through TechTarget's Digital Guru bookstore now. You can send him e-mail at firstname.lastname@example.org.
This was first published in November 2001