Produced by McAfee, and the only Host-based IPS (HIPS) tested, Entercept monitors events at the operating system or application server level. As it does not deal with network-based exploits, it is very complementary to existing solutions that deal with attacks on that level, such as firewalls and network-based IDS or IPS products. The latest version adds welcome new features such as a new licensing scheme, key backup capabilities, additional reports, OS lockdown and custom signatures, as well as numerous improvements "under the hood."
In terms of detection and prevention, Entercept performed well, stopping all attempted unauthorized access to critical files, directories, registry keys and applications. It was straightforward to create exceptions to allow legitimate operations to proceed where they had been prevented in error.
This level of protection has its price, and it comes in the form of lowering the maximum capacity of the server on which the agent is installed when under extreme loads. Http response times were also affected, but while the figures were noticeable in our tests, they are unlikely to make a significant impact on the end user experience in most deployments. The difference in average page response time, for example, was only 16 milliseconds.
There was no noticeable impact of ftp response times, indicating that the actual impact of the agent alone is as low as that claimed by Entercept, and that the most significant impact is imposed by the use of the ISAPI filter in web traffic.
The host-based approach ensures that there are no issues with switched networks or encrypted traffic, and the insertion of the agent software at kernel level means the system is capable of protecting the host against known and unknown attacks with a relatively small impact on the host system.
The Web Server and Database Agents also secure application software within an almost impregnable vault where virtually all attacks will be prevented before hitting the server. Should an attack get through, it is prevented from operating outside the scope of the application server. The Code Red worm is one example – Entercept users were protected since the worm was rejected at the http layer before delivering its payload.
In our tests using live exploits, Entercept successfully blocked every attempt to subvert the system. The custom signature capability is more flexible in the current release than in previous versions, and we could cover most activities where our requirements fell outside the scope of the built-in rules.
The Entercept console is easy to use, providing excellent agent update, policy deployment and agent monitoring capabilities for up to 5,000 agents from a single Management Server.
It is important to realize this is an IPS, and not a Host IDS. As such, Entercept does not provide any form of event or system log monitoring capability, and some critical events – such as audit policy or user rights modification – are reported as cryptic registry modifications rather than recognizable alerts.
Forensic analysis is also made more difficult than it should be since it is possible to select or filter on only one signature at a time when reporting. This means it is often necessary to manually run several reports across several signatures in order to provide a complete analysis of a suspicious event. It would be nice to see a custom reporting facility that changed this. The user interface has seen significant improvements, but there are more to be made. In particular, it needs the ability to make block changes to groups of configuration items in a single operation.
Configuration is straightforward and there is little daily maintenance. The three-tier management architecture is more scalable and robust than before, allowing larger systems to be managed effectively. New features, such as the ability to define and maintain custom signatures in the GUI Console are very welcome.
