The Entercept system, now acquired by Network Associat-es, has in its latest version bought a major revision to how software runs in the enterprise.
Most of the work on the update has gone into improving the product's scalability, allowing the enterprise administrator to monitor thousands of agents without hindering performance. Up to 5,000 agents can be observed from the management server, which can make use of a redundant management server in case of failover.
Installing the software was straightforward, although there was a tiny problem installing from the CD that was quickly solved.
The management server software works atop a version of SQL Server, which holds policy and logging information. The server and console used to administer it have morphed into distributed Java-based applications. While the management server has to sit on a Windows 2000 server, the agents can run on W2K/NT4, HP-UX (11.0/11i) or Solaris (2.6/7/8/9).
Firing up the console gave a clear view of our test network. Agents were installed on other servers and testing commenced. The agents can each be set to one of three modes: warning, protect and vault. Warning mode monitors activity and reports back, but does not block any suspected attacks. The protect mode is employed in most networks. In this mode the software quickly stopped nefarious activity such as clearing the event viewer, which intruders use to hide evidence of their work.
Worms and double file extensions are another source of problems, and while an agent is running in protect mode it disallowed any execution of these types of files. The system also stopped IIS directory traversals that may be used to execute commands on a web server and give the hacker control over the compromised machine.
The console and software has been redesigned with distributed administration in mind. One group of administrators can view a set of agents on machines, such as web servers, while another can monitor database servers. Agents can also be banded together as single, logical units.
The software has been well thought out and is quite easy to get along with. Its scalability should make this a must for enterprises.