Entercept intercepts threats

McAfee's host-based IPS impresses with multipronged protection

Network-based intrusion detection and prevention systems protect the company LAN from outside threats, and they can guard against evil traveling from one busy internal segment to another. But due to their network focus, they can't guarantee the protection of the most common network asset: the vulnerable host. Locking down mission-critical servers and desktop systems requires a host-based IPS.

For example, by learning normal host behavior and blocking abnormal requests, Sana Security's Primary Response 2.2 effectively protects Solaris and Windows servers against zero-day attacks.

As much as we liked Primary Response, we like McAfee's Entercept 5.0 even better. Entercept not only protects both servers and desktop systems, it's also equipped with several security components that Primary Response lacks. But like Primary Response, it's easy to deploy and easy to manage over the long haul.

Entercept comprises three components: a management server, a management console, and agents for Windows desktops and HP-UX, Solaris, and Windows servers. Desktop agents incorporate protection for Microsoft Outlook and Internet Explorer, while server agents are designed to shield Web servers and databases.

Entercept agents have two primary functions, serving as a firewall and an IPS. We installed desktop and server agents on Windows XP. The process was straightforward, and no reboot was required to complete the installation sequence. The firewall and the IPS have separate configuration settings, and both can be set to either block harmful traffic or merely warn administrators of its presence.

Agents can tune themselves based on host behavior, but a default set of rules guards against straightforward threats out of the box. We found the default rulesets to be effective without tweaking.

The Entercept management server collects all of the alert data from the agents in the network and dumps it into a Microsoft SQL Server 2000 or Microsoft SQL Server 2000 Desktop Engine database. Neither database is provided with Entercept. We opted for SQL Server 2000 and quickly discovered an important limitation -- Entercept requires the database to be installed on the same machine as the Management System software.

Installing an agent at the host is as simple as clicking the wizard and providing the IP address of the management server. For large deployments, you can configure a Microsoft installer package to push agents out to hosts en masse. Once the agent is installed, the only visible changes on the machine are some different properties of the NIC and the presence of a McAfee firewall service. All changes to agent configuration settings must be made via the management server, ensuring that end-users cannot turn off the firewall or IPS. Further, outside the console, there is no way to communicate with the agents, which are bound to a specific management server via public key.

Entercept's management console is hosted on the management server and served on a local machine via a Java applet running across HTTPS to keep console/server communications secure. According to McAfee, a single management server can support 10,000 agents. We could even roll data into McAfee's security policy management product, ePolicy Orchestrator. 

Entercept agents use a number of techniques to ensure that the data reaching the host is legitimate. Unlike Sana's Primary Response, Entercept has a process firewall that can be tuned by administrators for specific types of network traffic: inbound, outbound, or both. You can deny traffic from specific hosts or ports that pose a security threat, for example.
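To make the firewall behaviour described above concrete, here is a small rule evaluator written as an added example; it is not McAfee code and the rules, hosts and ports are constructed. It models the two settings the review mentions: per-rule direction (inbound, outbound or both) with optional host/network and port matching, and a firewall-wide mode that either enforces blocks or merely warns.

```python
"""Per-host process-firewall rule evaluation (added example, not Entercept code).

Rules are checked in order; the first matching rule decides. A firewall-wide
mode of "warn" downgrades every "block" verdict to "warn", mirroring the
review's note that the firewall can block traffic or only warn about it.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    direction: str            # "inbound", "outbound" or "both"
    network: Optional[str]    # remote host or CIDR, None = any remote address
    port: Optional[int]       # port on the connection, None = any port
    action: str               # "block" or "warn"


@dataclass(frozen=True)
class Connection:
    direction: str            # "inbound" or "outbound"
    remote_ip: str
    port: int
    process: str              # local process that owns the socket (informational)


def rule_matches(rule: Rule, conn: Connection) -> bool:
    """True if every constraint the rule specifies holds for this connection."""
    if rule.direction != "both" and rule.direction != conn.direction:
        return False
    if rule.network is not None and ip_address(conn.remote_ip) not in ip_network(rule.network):
        return False
    if rule.port is not None and rule.port != conn.port:
        return False
    return True


def evaluate(rules: List[Rule], conn: Connection, mode: str = "block") -> str:
    """Return 'allow', 'block' or 'warn' for one connection.

    mode="block": rule actions are applied as written.
    mode="warn":  the firewall only reports; a matching "block" rule yields "warn".
    """
    for rule in rules:
        if rule_matches(rule, conn):
            if rule.action == "block" and mode == "warn":
                return "warn"
            return rule.action
    return "allow"


# Constructed sample policy (documentation address ranges, illustrative ports).
RULES = [
    Rule("inbound", "203.0.113.0/24", None, "block"),   # drop everything from one network
    Rule("both", None, 23, "block"),                     # no telnet in either direction
    Rule("outbound", "198.51.100.0/24", 6667, "warn"),   # report, don't block, IRC to that range
]

if __name__ == "__main__":
    for c in (Connection("inbound", "203.0.113.5", 80, "httpd"),
              Connection("outbound", "198.51.100.7", 6667, "client.exe"),
              Connection("inbound", "192.0.2.1", 443, "httpd")):
        print(c.direction, c.remote_ip, c.port, "->", evaluate(RULES, c))
```

The first-match ordering is deliberate: an administrator can place narrow exceptions ahead of broad blocks, which is how most host firewalls resolve overlapping rules.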

The IPS component also has something that Primary Response doesn't have: signature-based detection capabilities. The use of signatures ensures that common exploits are caught quickly. Entercept even allows administrators to create custom signatures using a built-in wizard. The McAfee software also provides flexible policy administration for specific hosts and groups.

We tested Entercept's defenses using the Core Impact penetration testing tool, launching exploits against a number of the SANS/FBI Top 20 Internet Security Vulnerabilities. Pointing Core Impact at a wide-open Windows XP system across the network, we were able to exploit six different vulnerabilities, and we could easily create and delete files on the exploited host. We then rebooted the host and installed the Entercept agent on the test computer. We enabled IPS protection but set the firewall to warning mode. In this configuration, we were unable to exploit the previously vulnerable host.

Giving it the old college try, we then ran a previously successful RPC DCOM exploit. We were able to get the exploit into the host's memory, but Entercept prevented the malicious code from executing and overrunning the buffer. Further attempts to get through the buffer overflow protection, using a number of IIS exploits, were also unsuccessful.

Entercept's Java-based management interface is nicely laid out, responsive, and easy to use. Dashboards provide a graphical view of agent status along with the five most frequently triggered IPS signatures. Outside of the dashboard, other views are tabular and easily sortable. In addition to a wealth of data on previous and potential attacks, we found everything we were looking for when it came to doing basic forensic analysis.

Reporting is somewhat lacking, however. You get the basics of top incident types and incidents by agent, but not incidents over time, nor can you customize reports. And although Entercept could correlate incidents reported by a specific agent, it could not correlate events across multiple agents.
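The three reports the review says were missing or limited (incidents over time, custom views, and correlation across agents) are straightforward to compute once alert data sits in a database. The following added example, which is not Entercept's reporting code, does so over a constructed alert log whose line format is an assumption: it counts incidents per agent, buckets them by hour, and flags any signature that fired on several agents within a short window, the cross-agent correlation the product lacked.

```python
"""Alert reporting over host-IPS agent alerts (added example, not Entercept code).

Computes incidents by agent, incidents over time, and cross-agent correlation
from a constructed, line-oriented alert log.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample alerts: timestamp, reporting agent, signature id, action taken.
ALERTS = """\
2004-03-01T09:00:12 agent=web01 sig=SIG-1001 action=block
2004-03-01T09:00:40 agent=web02 sig=SIG-1001 action=block
2004-03-01T09:01:05 agent=db01 sig=SIG-1001 action=block
2004-03-01T09:45:00 agent=web01 sig=SIG-2005 action=warn
2004-03-01T11:20:30 agent=web02 sig=SIG-1001 action=block
2004-03-01T11:22:00 agent=ws17 sig=SIG-3300 action=block
"""


def parse_alerts(text: str) -> List[dict]:
    """Parse 'ISO-timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        alerts.append(rec)
    return alerts


def incidents_by_agent(alerts: List[dict]) -> Dict[str, int]:
    """Basic per-agent count, the report the review says Entercept does provide."""
    return dict(Counter(a["agent"] for a in alerts))


def incidents_over_time(alerts: List[dict]) -> Dict[str, int]:
    """Hourly histogram keyed by the ISO string of each hour's start."""
    counts: Counter = Counter()
    for a in alerts:
        bucket = a["ts"].replace(minute=0, second=0, microsecond=0)
        counts[bucket.isoformat()] += 1
    return dict(counts)


def correlate_across_agents(alerts: List[dict],
                            window: timedelta = timedelta(minutes=5),
                            min_agents: int = 2) -> Dict[str, List[str]]:
    """Signatures that fired on at least `min_agents` distinct agents within `window`.

    Returns {signature: sorted list of agents} for each correlated group, using a
    sliding window anchored at each alert in timestamp order.
    """
    by_sig: Dict[str, List[dict]] = defaultdict(list)
    for a in alerts:
        by_sig[a["sig"]].append(a)
    found: Dict[str, List[str]] = {}
    for sig, items in by_sig.items():
        items.sort(key=lambda a: a["ts"])
        for i, first in enumerate(items):
            agents = {a["agent"] for a in items[i:] if a["ts"] - first["ts"] <= window}
            if len(agents) >= min_agents:
                found[sig] = sorted(agents)
                break
    return found


if __name__ == "__main__":
    alerts = parse_alerts(ALERTS)
    print("by agent:", incidents_by_agent(alerts))
    print("by hour: ", incidents_over_time(alerts))
    print("correlated:", correlate_across_agents(alerts))
```

On the sample data the correlation step singles out SIG-1001, which hit three hosts within a minute, while the later isolated hits are ignored; that is the distinction a per-agent-only view cannot make.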

Combining signature- and behavior-based detection is the best way to guard against a wide range of new and old attacks. Entercept uses both approaches to secure desktops and servers, and throws buffer overflow protection and a process firewall into the bargain. The best part is, it really works.
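The complementary nature of the two approaches, which the review draws on throughout (default rulesets and signatures for known exploits, learned host behavior for anything new), can be shown in a few dozen lines. This added example is not McAfee's implementation; the event model, the two signatures and the training data are constructed. A behavior profile learns which (process, operation) pairs are normal, signatures match known-bad strings, and a single verdict combines both so that an unseen action with no signature still gets caught.

```python
"""Combined signature- and behavior-based host detection (added example, not Entercept code).

Signatures catch known exploit patterns immediately; the behavior profile,
trained on normal host activity, catches actions no signature describes.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Event:
    process: str    # process performing the action, e.g. "w3wp.exe"
    op: str         # operation class: "file_read", "file_write", "net_connect", "exec"
    detail: str     # request path, target, or command line


# Constructed, illustrative signatures keyed by an id (not Entercept's signature set).
SIGNATURES = {
    "SIG-TRAVERSAL": re.compile(r"\.\./|\.\.\\"),          # directory traversal in a path
    "SIG-CMD-SPAWN": re.compile(r"\bcmd\.exe\b", re.IGNORECASE),  # shell spawn from a server process
}


def signature_hits(event: Event) -> List[str]:
    """Ids of every signature whose pattern occurs in the event detail."""
    return [sid for sid, rx in SIGNATURES.items() if rx.search(event.detail)]


class BehaviorProfile:
    """Learns the set of (process, op) pairs seen during a training phase."""

    def __init__(self) -> None:
        self.normal: set = set()

    def learn(self, events: List[Event]) -> None:
        for e in events:
            self.normal.add((e.process, e.op))

    def is_anomalous(self, event: Event) -> bool:
        return (event.process, event.op) not in self.normal


def classify(event: Event, profile: BehaviorProfile, mode: str = "block") -> Tuple[str, List[str]]:
    """Return (verdict, reasons); verdict is 'allow', 'block' or 'warn'.

    Either a signature hit or a behavior anomaly is enough to act; both reasons
    are reported when both apply, so the analyst sees why.
    """
    reasons = signature_hits(event)
    if profile.is_anomalous(event):
        reasons.append("BEHAVIOR:unseen %s/%s" % (event.process, event.op))
    if not reasons:
        return "allow", []
    return ("block" if mode == "block" else "warn"), reasons


# Constructed training data: what the host normally does.
TRAINING = [
    Event("w3wp.exe", "file_read", "/index.html"),
    Event("w3wp.exe", "net_connect", "db01:1433"),
    Event("outlook.exe", "file_write", "inbox.pst"),
]

# Constructed detection-phase events.
TEST_EVENTS = [
    Event("w3wp.exe", "file_read", "/../../windows/win.ini"),  # known pattern, normal op class
    Event("w3wp.exe", "exec", "cmd.exe /c dir"),                # known pattern AND unseen behavior
    Event("outlook.exe", "exec", "calc.exe"),                  # no signature; behavior alone catches it
    Event("w3wp.exe", "file_read", "/about.html"),             # clean
]


def run_demo(mode: str = "block") -> List[str]:
    """Train on TRAINING, classify TEST_EVENTS, return the verdicts in order."""
    profile = BehaviorProfile()
    profile.learn(TRAINING)
    return [classify(e, profile, mode)[0] for e in TEST_EVENTS]


if __name__ == "__main__":
    profile = BehaviorProfile()
    profile.learn(TRAINING)
    for e in TEST_EVENTS:
        print(e.process, e.op, "->", classify(e, profile))
```

The third test event is the interesting one: nothing in its command line matches a signature, yet a mail client spawning a process was never observed during training, so the behavior profile flags it. That is the zero-day case a signature-only product misses, while the first event shows why behavior alone is not enough: the traversal request is an operation class the server performs all day.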

Charles D. Herring at the Naval Postgraduate School contributed to this review.

InfoWorld Scorecard: McAfee Entercept Version 5.0

Criterion             Weight    Score
Ease of use            10.0%      8.0
Setup                  10.0%      7.0
Management             20.0%      7.0
Threat detection       30.0%      9.0
Security               10.0%     10.0
Scalability            10.0%      9.0
Value                  10.0%      8.0
Overall Score         100.0%      8.3

Copyright © 2004 IDG Communications, Inc.
