Entercept Shuts Out Crackers

Combination of HTTP filter and kernel-level security in version 2.5 provides rock-solid protection

Weve been advocates of trusted operating system approaches to security for a number of years now. Entercept Security Technologies Inc.s Entercept 2.5, which provides kernel-level trusted operating-system-style security, earns eWeeks Analysts Choice award as our pick as the best way to protect Web servers at large organizations from defacement or other kinds of attacks.

Entercept is on a roll here; Version 2.0 won an Analysts Choice award when we reviewed it last fall.

The software combines two best-of-breed approaches: an operating system kernel-level driver that checks all API calls from applications to enforce mandatory access controls on files and the Windows registry (when run on Windows) and an HTTP filter that does similar run-time checking on HTTP traffic the Web server receives.

Entercept also includes a combination of generic protocol rules and specific attack signatures for the operating system and HTTP monitors to block attacks. This is a compelling combination, since both types of detection and prevention complement each other. eEye Digital Security Inc.s SecureIIS provides just HTTP request filtering and blocking—and works only with Microsoft Corp.s IIS (Internet Information Services) Web server, of course—although it is cheaper and easier to configure than Entercept.

The main changes in Entercept 2.5, which started shipping in mid-June, are a larger set of general rules that prevent operating system configuration changes and the ability to create exceptions to rules from scratch. (Entercept 2.0 required all exceptions to be based on rule violation records in its log.)

Also new in Version 2.5 is protection from a new kind of buffer overflow attack, called "return into libc." This emerging threat works even on operating systems that have been modified to use a nonexecutable stack because attackers call executable code in the already-loaded C library instead of placing code on the stack as part of the overflow.

Entercepts two biggest flaws are that it did not allow us to add our own rules to its database (although it provides some very general rules that cover a lot of ground) and its lack of rule templates for common databases, application servers and other types of servers, which would make configuring the system less tedious. Both rule creation and application rule templates are planned for the next release.

As is common with operating-system-level security products, Entercept can require a lot of hand-tuning to get it configured correctly. For example, when we tested with three application servers (Macromedia Inc.s ColdFusion, PHP Groups PHP and The Apache Software Foundations Tomcat) and two databases (IBMs DB2 and MySQL ABs MySQL), we had to selectively add several rule exceptions for each of these products so they could function again after we installed Entercept. Even Web server administration tools wont work out of the box—we had to add six exceptions to use IIS management tools again.

Exception creation is a straightforward process, however, and is impressively selective—we could restrict exceptions by system, user or process name. We could further customize exceptions for HTTP traffic, file access or registry access to particular URLs, source IPs, files, directories, or registry keys.

Entercept comes in two versions: a Web Server Edition ($1,595 per server) and the version we tested, which has monitoring and protection for the operating system and HTTP traffic stream, and a Standard Edition ($1,295 per server), which has just the operating system monitoring components and protection rule set. Both versions need at least one $4,995 administrative console, which provides centralized administration, reporting and update distribution.

Entercept has a limited number of supported platforms: Windows NT or 2000 and Solaris 2.6, 7 or 8 as operating systems. On the Web server side, only IIS 4 or 5 is supported on Windows, while Apache 1.3.6 or higher, Sun Microsystems Inc.s iPlanet 4.0 and 4.1, and Netscape Enterprise Server 3.6 or higher are supported on Solaris.

HP-UX and AIX (on Entercept Standard Edition only) and Apache 2.0 (on Web Server Edition only) will be supported later this year, according to company officials.

A big omission is Linux; Entercept officials told us that in their Fortune 1000 target market, they have yet to see a high demand for Linux.

Testing Entercept reminded us of how limited network IDSes (intrusion detection systems) are. Most are signature-based, so they dont detect new attacks or variations on old attacks, and they dont detect attacks in encrypted traffic such as HTTP over SSL (Secure Sockets Layer). Since it plugs into the Web server, Entercept handles SSL traffic fine.

Most important, IDSes dont block attacks, they just record that they are happening. Although IDS reports are useful for post-attack analysis, making them a key part of a security strategy is only for the truly fatalistic IT manager.

Active defense products such as Entercept use signatures, too, and so can name detected attacks but also block attacks from doing any harm.

Having two layers of protection (the Web server and the operating system) is important as well. We tried three types of chunked encoding attacks against IIS in tests, and Entercept blocked them all using its generic chunked encoding HTTP filter (all succeeded without Entercept running).

However, if a new attack emerges that doesnt have a signature (or doesnt come through an HTTP request), Entercepts API filtering features have a good chance of still stopping it. For example, we were blocked from making changes to IIS configuration using the Windows registry editor, nor could we edit or copy new files into IIS Web root directory using the command shell—and we were logged in locally as Administrator while trying to do all these potentially hostile things. Thus, even if a new threat does get past the gate, its hands will still be tied.

West Coast Technical Director Timothy Dyck can be reached at timothy_dyck@ ziffdavis.com.