Entercept tool: Pricey, complex, but can lock down your Web server
David Strom 11.07.2001
Category: Web intrusion prevention software
Name of tool: Entercept Web Server Edition V. 2.01
Company name: Entercept
Price: $4,995 for the console; $1,595 per Web server agent
URL: www.entercept.com
Platforms supported:
-- Console: Windows 2000 or NT Server with at least Service Pack 4 and
at least 128MB of RAM.
-- Agents: Entercept sells two different agents. One monitors general operating
system information and is available for either Windows NT/2000 Workstations
and Servers or Solaris servers. This is a prerequisite for the second agent,
which monitors Microsoft IIS, Apache and Netscape/iPlanet Web servers. For
full details and version requirements, see
http://www.entercept.com/products/wse/sysreq.asp
Strom-meter:
** = A tad shaky to install and use but has some value.
Key features:
Pros:
Locks down numerous Web server vulnerabilities, regardless of the patches
applied by administrators.
Monitors and prevents attacks on your Web server's normal operations.
Cons:
A bit complex to install and operate.
Will take some work to customize product and learn what alarms need
immediate attention.
Automatic signature updates won't work on nonroutable IP address ranges.
Description:
If you are looking for a solid way to tighten up your Windows and Solaris
Web server security, a good place to start would be to purchase Entercept's
Web Server Edition software. If you harbor any doubts that your network
administrators can keep up with the various security vulnerabilities of your
Web server software, give this product consideration.
I usually try to recommend inexpensive products in these reviews, but given
the number of Code Red and Nimda exploits as of late, it is worth asking yourself
what several thousand dollars buys you. The answer is: quite a lot. If your
Web server was running this software, chances are good that these viruses
and other attacks would not have entered your network.
Web servers, and especially Microsoft IIS Web servers, have lately been
many attackers' preferred means of spreading trouble. Buffer overflow
exploits, the granting of system administrator privileges without proper
authorization and directory traversal techniques have been well documented
over the past few years. Even with the news about these and other exploits,
many network managers run outdated or vulnerable code on their Web servers,
making their systems ripe for attack.
Entercept works by installing a software agent on each Web server machine.
The agent intercepts Web browsers' requests for pages before the Web server
itself processes them. If they fit various profiles of commonly known
exploits, these requests are blocked and recorded to a log file so that
you can see who was trying to do something funny on your site. Legit
requests are left alone and processed by the server without any
interference. It is a great idea and one that is worth further exploration.
The trouble with a product like this is staying ahead of the bad guys while
limiting the number of false alarms that the software might raise. I was
surprised at how many different situations and attacks Entercept detected and repelled
on a test Windows IIS Web server, including the ones
mentioned above. The product works by comparing attack methods and actions
to a database of known penetrations that is similar to a virus pattern
database used by virus scanning products. The difference is perhaps one of
dimension, as Web server exploits have a variety of ways to take control
over a system. Also, most antivirus products are useless when a new virus
is created and no match is available for it from the scanner vendor.
Entercept looks for ways that the Web server software can be subverted and
denies these actions, regardless of whether it has seen this specific
exploit before. For example, if someone uses the Web services account to
make changes to the registry, the product will deny this action.
The major disadvantage of a product like this is that you need to examine
the log files and understand the warning messages that the software
displays. Some of the messages are informational, while others are telling
you the exact nature of the potential exploit. Of course, these exploits
never actually happen because Entercept prevents them as part of its
protective features. There are actually two different ways to run the
software: to deny all attacks or to just display warnings to help teach
network administrators what is going on with their Web servers. In a
production environment, I would recommend sticking with the "deny all"
method, once people are properly trained on the product.
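The interception-and-profiling approach described above, together with the choice between denying attacks and only warning about them, sketched as an added Python example. This is not Entercept's code; the rule set, the length threshold and the sample requests are constructed for illustration only.

```python
"""Toy request-screening agent modelled on the review's description:
look at each request before the Web server processes it, compare it
against a profile database of attack patterns, and either deny it or
only warn, writing every hit to a log. Added illustration; the rules,
threshold and sample traffic below are constructed, not the product's."""
from dataclasses import dataclass
from typing import Callable, List, Tuple
from urllib.parse import unquote

# Constructed threshold: request paths longer than this are treated as a
# possible buffer-overflow attempt against the Web server.
MAX_PATH_LEN = 1024


def normalize(path: str) -> str:
    """Decode percent-encoding twice and unify slashes so that encoded or
    double-encoded traversal sequences are compared in their plain form."""
    return unquote(unquote(path)).replace("\\", "/")


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[str], bool]


# Constructed profile database covering two attack classes the review names.
RULES: List[Rule] = [
    Rule("directory traversal",
         lambda p: ".." in normalize(p).split("/")),
    Rule("oversized request path",
         lambda p: len(p) > MAX_PATH_LEN),
]


class Agent:
    """Screens requests in 'deny' mode (block hits) or 'warn' mode (log hits
    but let them through, so administrators can learn what is going on)."""

    def __init__(self, mode: str = "deny") -> None:
        if mode not in ("deny", "warn"):
            raise ValueError("mode must be 'deny' or 'warn'")
        self.mode = mode
        self.log: List[str] = []  # in-memory stand-in for the agent's log file

    def inspect(self, client_ip: str, method: str, path: str) -> bool:
        """Return True if the request may proceed to the Web server."""
        hits = [r.name for r in RULES if r.matches(path)]
        if not hits:
            return True  # legitimate request, passed through untouched
        action = "DENIED" if self.mode == "deny" else "WARNED"
        self.log.append(f"{action} {client_ip} {method} {path} [{', '.join(hits)}]")
        return self.mode == "warn"


# Constructed sample traffic: two legitimate requests and three that match.
SAMPLE_REQUESTS: List[Tuple[str, str, str]] = [
    ("192.0.2.10", "GET", "/index.html"),
    ("192.0.2.10", "GET", "/images/logo.gif"),
    ("192.0.2.77", "GET", "/scripts/..%255c../example.txt"),       # double-encoded traversal
    ("192.0.2.77", "GET", "/cgi-bin/%2e%2e/%2e%2e/example.txt"),   # encoded traversal
    ("192.0.2.78", "GET", "/index.html?" + "A" * 2000),             # oversized request
]


def run_demo(mode: str = "deny") -> List[Tuple[str, bool]]:
    """Screen the sample traffic and return (path, allowed) for each request."""
    agent = Agent(mode)
    return [(path, agent.inspect(ip, method, path)) for ip, method, path in SAMPLE_REQUESTS]


if __name__ == "__main__":
    agent = Agent("deny")
    for ip, method, path in SAMPLE_REQUESTS:
        print(agent.inspect(ip, method, path), method, path[:40])
    print("\n".join(agent.log))
```

The point the review makes about log reading applies here too: in "warn" mode every hit still lands in the log, so the log is only useful if someone reads it and can tell the informational entries from the ones describing a real exploit attempt. Decoding the path before matching is what keeps encoded traversal sequences from slipping past a naive substring check.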
The product comes in two basic pieces: a console program, which is strictly
Windows, and various agents that are installed as system services on both
Windows and Solaris servers. You have two basic agent types: those that
work only with the basic underlying operating system and those with
additional code that also works with the Web server software running on
that machine. You need to buy a separate agent for each server you are
planning on protecting, and the Web agents are a superset of the
functionality of the general OS agents.
Installing the software isn't simple and will require some attention to
various details. Still, the beauty of the product is that once it is installed,
you don't have to do much other than monitor the console and determine when
you have an attack in progress. The software will even update itself when
the company builds new agents, so you can try to stay ahead of new
exploits by the bad guys. These automatic updates won't happen if you have
chosen one of the nonroutable IP address ranges (like 10.x.x.x) or have
firewalled inbound port 5000 (the port used by the product). In this case,
you have to manually apply the updates. I had all sorts of trouble with the
manual updates, and it would help if Entercept would include error messages
when the updates fail, something that they are considering in a future
release.
This protection doesn't come cheaply, given that each Web server agent costs
close to $1,600, and you also need to shell out another $5,000 fee for the
console software. Even if you have just a few servers to protect, you could
be out a great deal of cash. But the alternatives aren't very pretty either,
and the expense of having to clean up after someone has penetrated your site
and stolen your data or customer records could easily cost more.
Entercept is worth taking a look at, especially if you have experienced a
break-in before and know how much trouble it is to clean up after one of
those varmints. Even if your site has remained inviolate, it is worth
installing for peace of mind.
Strom-meter key:
**** = Very cool, very useful.
*** = Hey, not bad. One notch below very cool.
** = A tad shaky to install and use but has some value.
* = Don't waste your time. Minimal real value.
About the author
David Strom is president of his own consulting firm in Port Washington, NY.
He has tested hundreds of computer products over the past two decades
working as a computer journalist, consultant and corporate IT manager. Since
1995, he has written a weekly series of essays on Web technologies and
marketing called Web Informant. His second book, entitled "Home Networking
Survival Guide," is available through TechTarget's Digital Guru bookstore
now. You can send him e-mail at david@strom.com.