Heading Off Hack Attacks

WatchGuard and Entercept provide IT with different approaches to shielding network servers

While many security products such as intrusion detection and anti-virus technology concentrate on identifying and alerting administrators to attacks after theyve taken place, several companies are beginning to focus on preventing the conditions that invite such attacks.

Two companies in particular, WatchGuard Technologies Inc. and Entercept Security Technologies, have taken novel yet different approaches to the problem.

WatchGuard, a Seattle startup, this week will announce its Windows NT-based ServerLock technology, which defines two modes for each server: operational and administrative.

When the server is in operational mode—that is, transmitting and receiving traffic—all the machines administrative features and functions are unavailable.

"This goes a long way toward making sure that nothing gets touched on your Web site," said Chip Moore, a security analyst at DataSafe Inc., of Boston, which has been testing ServerLock for three months. "Its much more effective than simple intrusion detection."

To perform tasks such as updating or reinstalling software or changing configuration settings or user preferences, the administrator must enter a password and change to administrative mode.

This change effectively takes the server offline and enables the administrator to perform maintenance without exposing the machine.

Not only does this protect servers from outside attacks, it also prevents administrative errors—such as the one that brought down Microsoft Corp.s Domain Name System servers a few weeks ago—from crippling a companys network.

"This is designed to protect the core of the network against people with administrative privileges doing bad things," said Jack Danahy, vice president and general manager of WatchGuard. "We assume a hacker will be able to get root privileges, and then we go from there."

Entercepts Entercept 2.0 sits at the kernel level and intercepts operating-system-level calls, compares them with a database of known attack signatures and then prevents the execution of the operation if it is found to be suspect.

Entercept can also protect servers against unknown attacks through much the same method. For example, if an attacker tries a new type of buffer overflow against a machine running Entercept, the software will look for a series of individual calls that make up all buffer overflow attacks, regardless of the actual hole they exploit.

"The idea is to stop whole classes of attacks, not just react to each individual exploit," said Robin Matlock, senior vice president at Entercept, in San Jose, Calif.