Entercept 2.01
Brief product description
Entercept Web Server Edition:- provides protection for critical Web servers and their applications. This solution stops both known and unknown attacks and creates a secure environment for your Web servers and applications. It is the ultimate protection for Web servers.
Entercept Standard Edition:- provides protection for all other critical e-business servers. Using an extensive intrusion dictionary and an exclusive behavior model, Entercept can identify and stop generic and specific intrusions. It gives companies unparalleled protection at the operating system level.
Architecture
Host based Agent (1 per server) reporting to a single management and reporting Console over any IP based network. The Console manages up to 1000 agents.
At what layer of the protocol stack is the product working?
Above the network stack: after the host has processed the packets and after decryption, so the agent sees the cleartext that the application receives.
Documentation
"Reviewers Guide", "Quick Start", "User Guide". Online or CD.
What are the minimum/recommended console OS and hardware requirements? Is a dedicated machine required/recommended? Will it work on Windows 2000?
A dedicated machine is recommended for the console.
Console Installation Requirements
Windows NT 4.0 Server (SP4 or later)
Windows NT 4.0 Enterprise Server (SP4 or later)
Windows 2000 Server (no SP, SP1, SP2)
Windows 2000 Advanced Server (no SP, SP1, SP2)
Internet Explorer 4 (SP2 or later) or 5
Single or multiple Pentium-III® processors, 450 MHz or faster
Min. 128 MB RAM
Min. 100 MB free disk space
Administrative access to computer
TCP/IP
A static IP address
What are the minimum/recommended agent OS and hardware requirements? Is a dedicated machine required/recommended? Will it work on Windows 2000?
A dedicated machine is not necessary.
Servers supported - Windows 2000, NT, and Solaris.
Web servers supported - IIS, Apache, NES, iPlanet.
Agent Install Requirements (Windows 2000)
Windows 2000 Professional (no SP, SP1,SP2)
Windows 2000 Server (no SP, SP1, SP2)
Windows 2000 Advanced Server (no SP, SP1, SP2)
Single or multiple Pentium® processors, 200 MHz or faster
Min. 64 MB RAM
4MB disk space
Administrative access to computer
TCP/IP
Agent Install Requirements (Solaris)
Solaris 2.6, Solaris 7™, Solaris 8™
UltraSPARC processor (32-bit or 64-bit kernel)
Min. 64 MB RAM
Administrative access to computer
TCP/IP
What components are installed on a detector?
N/A - Host based system
Which network types are supported?
N/A - Host based system
Any specific recommendations for monitoring Gigabit networks with your product?
N/A - Host based system
Which OS platforms are actively monitored?
Windows 2000, NT, and Solaris
Can sensors/detectors be deployed and configured initially from a central console?
Agents are deployed via a simple installer taking approx. 5 minutes to complete, or can be included as part of a standard build 'image'.
Once deployed and configured, can sensors/detectors be managed from a central console?
Yes, managed and updated via the management console.
Authentication between console and engines: is it available? What algorithm/key lengths?
Yes, the scheme used is asymmetric cryptography (also called public key cryptography). The 168-bit session key uses the Triple-DES algorithm.
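The answer above names the mechanism (asymmetric key exchange, then a 168-bit Triple-DES session key) but not its shape. The following Go program is an added illustration written for this page; it is not Entercept's code and is not a description of its actual protocol. It assumes the agent holds the console's RSA public key from install time (a hypothetical NewConsoleKey stands in for that provisioning), wraps a fresh 24-byte 3DES key with RSA-OAEP so that only the console's private key can recover it, and then protects agent-to-console events with 3DES-CBC. Function names and the OAEP label are assumptions. Caveats a practitioner should keep in mind: a 168-bit 3DES key gives roughly 112 bits of security, the 64-bit block size limits how much traffic one session key should protect, and CBC alone provides confidentiality but no integrity, so a real agent protocol also needs a MAC or an AEAD mode.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// oaepLabel binds the wrapped key to this purpose (assumed value, not the product's).
var oaepLabel = []byte("agent-session-key")

// NewConsoleKey stands in for the console's provisioned RSA identity key.
func NewConsoleKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// NewSessionKey returns a fresh 168-bit (24-byte) Triple-DES key, generated on the agent.
func NewSessionKey() ([]byte, error) {
	key := make([]byte, 24)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// WrapSessionKey (agent side) encrypts the session key under the console's public key.
// Only the holder of the matching private key can recover it, which is what
// authenticates the console to the agent.
func WrapSessionKey(consolePub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, consolePub, key, oaepLabel)
}

// UnwrapSessionKey (console side) recovers the agent's session key.
func UnwrapSessionKey(consolePriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, consolePriv, wrapped, oaepLabel)
	if err != nil {
		return nil, err
	}
	if len(key) != 24 {
		return nil, errors.New("session key must be 24 bytes (three DES subkeys)")
	}
	return key, nil
}

// pkcs7Pad and pkcs7Unpad give CBC mode whole 8-byte blocks.
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	out := make([]byte, 0, len(b)+n)
	out = append(out, b...)
	return append(out, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("data is not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// EncryptEvent protects one agent-to-console event with 3DES-CBC under the
// session key. A random IV is prepended to the ciphertext.
func EncryptEvent(key, event []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, des.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(event, des.BlockSize)
	out := make([]byte, len(iv)+len(padded))
	copy(out, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[len(iv):], padded)
	return out, nil
}

// DecryptEvent reverses EncryptEvent on the console and rejects malformed input.
func DecryptEvent(key, ct []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) < 2*des.BlockSize || len(ct)%des.BlockSize != 0 {
		return nil, errors.New("ciphertext too short or not block aligned")
	}
	iv, body := ct[:des.BlockSize], ct[des.BlockSize:]
	plain := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, body)
	return pkcs7Unpad(plain, des.BlockSize)
}

func main() {
	consoleKey, _ := NewConsoleKey()                                // console identity
	sessionKey, _ := NewSessionKey()                                // agent generates key
	wrapped, _ := WrapSessionKey(&consoleKey.PublicKey, sessionKey) // agent -> console
	recovered, _ := UnwrapSessionKey(consoleKey, wrapped)           // console unwraps
	ct, _ := EncryptEvent(sessionKey, []byte("host=web01 action=Prevent")) // constructed sample event
	pt, _ := DecryptEvent(recovered, ct)
	fmt.Printf("console received: %s\n", pt)
}
```

The wrap step is where the "authentication" in the vendor's answer actually lives: an impostor console that does not hold the private key cannot unwrap the session key and therefore cannot read or forge events. Note that nothing here authenticates the agent to the console; a deployment that cares about rogue agents needs a per-agent key or certificate as well.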
Secure logon for policy management?
Yes, via a separate Entercept-controlled login.
How are policies distributed to engines?
On automatic update from the console.
How are policy changes handled? Will the central console detect which agents are using a changed policy and redeploy automatically, or does the administrator have to do this manually?
All policy changes are made from the Management Console and automatically distributed to each of the Agent groups.
How many attack signatures?
Attacks are actively detected and prevented by reference to Rule Sets which define malicious activity. Entercept prevents more than 500 known attacks. Unknown, or as yet undefined, attacks will also be prevented.
Can the administrator define custom attack signatures?
Planned in a future release.
How are new attack signatures obtained and deployed?
Automatically downloaded from the Entercept 'Instant Update' servers, then automatically deployed to Agents from the console. The administrator has the option to test a new update prior to deployment.
Frequency of signature updates? Provide dates of all updates in the last year.
Monthly, or more often as required.
What infrastructure do you have behind the signature update process?
A dedicated team of software engineers, the 'eKat Team'.
Can one signature update file be downloaded to the local network and used to update all IDS engines from a central location, or is it necessary to initiate a live connection to the Internet download server for each engine?
N/A - Host based system
Can signature updates be scheduled and fully automated?
Fully automated.
What network protocols are analysed?
N/A - Host based system
What application-level protocols are analysed?
Protocol analysis not required.
Can the product perform protocol decodes?
Protocol analysis not required.
Can the product perform session recording on suspect sessions?
Not necessary, malicious sessions are prevented from initiating. Full detail is logged.
Block/tear down session?
Not necessary, malicious sessions are prevented from initiating.
Ability to monitor user-defined connections (i.e. report on an FTP connection to a specific server)?
N/A - Host based system
Monitor changes in critical system files?
Yes, and prevent if required.
Monitor changes in user-defined files?
In a future release.
Monitor changes in Registry?
Yes, and prevent if required.
Monitor unauthorised access to files?
Yes, and prevent if required.
Monitor administrator activity (creation of new users, etc)?
Yes, and prevent if required.
Monitor excessive failed logins?
Yes, these are detected and logged.
List any other resources/locations that are monitored.
N/A
Track successful logins, monitoring subsequent file activity, etc?
N/A
Detect network-level packet based attacks?
N/A - Host based system
Detect all types of port scans (full connect, SYN stealth, FIN stealth, UDP)?
N/A - Host based system
Detect and report on nmap OS fingerprinting?
N/A - Host based system
Perform packet reassembly? Resistance to known IDS evasion techniques?
N/A - Host based system
Reconfigure firewall? If so, which firewall(s) and how?
Not necessary, malicious sessions are prevented from initiating.
Option to record everything for "forensic" investigation? Where is this data stored? How is it secured from tampering?
Not necessary, sessions are prevented from initiating. Source of attack information is made available, including the source IP address. Data is stored centrally at the console.
Reporting from engine to console - range of action/alert options (detail these)
The major responses to malicious activity range from 'Prevent' or 'Terminate Session' through to Log only.
Alerts can be sent out from the console via SNMP trap to enterprise management systems, or via email / pager notification.
What provision is made for temporary communications interruption between detector and console? Where are alerts stored? Is the repository secure?
The Agent works completely self-contained in the case of communications being lost, with events being stored locally. As communication is re-established the Agent automatically re-connects and delivers the events to the console.
Can alerts be reported to the central console in real time without the use of third party software? How easy is it to filter and extract individual events?
All events are sent immediately when they occur. A range of filters is available to sort individual events.
Does the software offer advice on preventative action to ensure the attack does not happen again?
Entercept prevents the attack. A full description of the source and method of the attack is given.
Integration with other scanning/IDS products?
Preventative products do not require this level of integration.
Log file maintenance - automatic rotation, archiving, reporting from archived logs, etc.
Full automatic archiving. Archives are written in standard XML, so standard report tools can be used on them.
Management reporting - range of reports/custom reports/how easy is it to filter and extract detail? Different reports for technicians and management/end users?
50 separate built-in report formats are available, ranging from high level management overview graphics through to detail of individual attacks for technical staff.
Report management - can they be scheduled for automatic production? Can they be e-mailed to administrators or published straight to a Web site?
No automatic function available in v2.0.
What are the limitations and restrictions on enterprise-wide alerting and reporting? Can reports consolidate output from every 1) server, 2) detector?
Yes, reports consolidate from all sources.
Define custom reports?
No, although all reports are exportable in many formats for further customisation.
How is it licensed? How is the license enforced?
All licences are enabled, managed and enforced from the console.
Any other unique selling points?
Low
CPU usage, unlike traditional HIDS products.
Cost of management is dramatically reduced due to automatic preventative action being taken and very low incidence of false positives.
Also offered as standard Cisco product:- "Cisco Host IDS Sensor"
End user pricing information
Management Console £2,995 (US$4,995)
Standard Server Agent £895 (US$1,295)
Web Server Agent £1,095 (US$1,595)
Ongoing cost of maintenance/updates
On application