SAN MATEO (03/13/2000) - Securing a network and staying one step ahead of the hacker community is a monumental task made even more difficult by the lack of available security experts. In addition, administrative overhead and other associated costs of heightened security can reduce an IT department's ability to properly secure its network. A new product, ClickNet Software Corp.'s entercept 1.5, aims and succeeds at protecting companies and their networks.
Ingenious and elegant in its simplicity, especially for a first release, entercept is ideal for securing corporate networks, and I've given it an overall score of Excellent.
ClickNet's entercept is designed to compete with the traditional network and host-based intrusion-detection systems. Unlike most intrusion-detection systems, which react to attacks that have already damaged files or networks, entercept proactively prevents unauthorized intrusions and attacks, and it provides real-time analysis and reaction -- a technology coined host-based "intrusion prevention."
The product is composed of two components, the control station and client agents. Administrators define users, security policies, and other access with a high level of flexibility on the control station, currently available for Windows NT Server. The agents, currently available for NT Workstation, NT Server, and Solaris, are intelligent applications that reside on individual systems and communicate with the console over 3DES-encrypted channels. These agents wrap around the OS kernel and act as a filter by evaluating system requests against an attack signature database before they are executed.
ClickNet has a crack team of exploit analysts working in its labs to identify new attacks and incorporate them into the entercept attack signature knowledge base, which dynamically updates the control station by communicating with the ClickNet Update Web Server.
Four security levels classify the severity of an intrusion and are shown to the administrator as color indicators. Because administrators can choose to terminate, log, prevent, or ignore the offending process at each level, the entercept security policy can act as the enforcer of the company security policy.
* White. System configuration events that may create security holes in the system
* Yellow. Events not explicitly identified as known attacks, but that indicate mildly suspicious user behavior
* Orange. Known attacks with low-risk implications; the same as "yellow" events but with highly suspicious user behavior
* Red. Known attacks with highly risky implications

You can also specify where and how alerts are sent: e-mail, pager, process, or SNMP trap.
I installed the control station on a Windows NT Server and agents on NT Server and Workstation. The installation process took less than five minutes to complete. The agent installation process took a little longer because I had to copy and paste the public key file, used to create the encrypted communication between the console and the agent, from the console machine onto the agent machine. This file could be included in the agent installation to automate companywide deployment.
I initially tested entercept with its default security policy, with the exception of changing the reaction from log to terminate on "red" events. I attached the Back Orifice 2000 Trojan to an executable cartoon I received in an e-mail. I tried to execute this newly "Trojaned" executable on my NT Workstation, but it terminated before executing and gave me an error message.
I perused the entercept security log and found that the agent running on my NT Workstation had identified the Trojan executable and terminated the process.
Next, I changed the reaction from terminate to log for "red" events and ran my newly created executable. This time, everything executed as planned and my Back Orifice 2000 Trojan was picked up by the agent and logged.
What I like most about entercept is its flexibility and granularity in defining a security policy that fits the business needs of the company it is protecting.
ClickNet has provided a nice exception feature that lets you allow events for specific users, helping reduce the number of false positives.
In my testing, I defined Back Orifice 2000 as an exception to the Administrator on my NT Workstation. When I ran the Trojan, the event was logged in the security report as an exception, but everything executed normally. I also tested other exploits such as netcat and Internet Information Server (IIS) buffer overflows and received similar results to my Back Orifice 2000 tests.
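To make the policy model in the review concrete, here is an added example (not ClickNet's code) that simulates how an agent filter evaluates a system request: the request is matched against a signature database, the match is mapped to one of the four color levels, the policy's reaction for that level is applied, and a per-user exception lets the event through while still logging it as an exception. The signature names, request fields, and the `evaluate` API are assumptions.

```python
# Added example, not ClickNet's code. Models the policy logic the review
# describes: check a request against attack signatures, map the match to a
# colour level, apply the reaction configured for that level, and honour
# per-user exceptions (allowed, but logged as exceptions).
from dataclasses import dataclass, field
from typing import Optional

LEVELS = ("white", "yellow", "orange", "red")
REACTIONS = ("terminate", "log", "prevent", "ignore")

# Constructed signature database: a request matches when every key in
# "match" is present in the request with the same value. Names are assumed.
SIGNATURES = [
    {"name": "trojan_remote_control", "level": "red",
     "match": {"op": "exec", "image": "cartoon_trojaned.exe"}},
    {"name": "unexpected_listener", "level": "orange",
     "match": {"op": "listen", "process": "nc.exe"}},
    {"name": "service_config_change", "level": "white",
     "match": {"op": "registry_write", "hive": "HKLM\\SYSTEM"}},
]

@dataclass
class Policy:
    reactions: dict                               # level -> reaction
    exceptions: set = field(default_factory=set)  # (user, signature name)

@dataclass
class Verdict:
    signature: Optional[str]
    level: Optional[str]
    action: str            # allow, terminate, prevent, log or ignore
    log_entry: Optional[str]

def match_signature(request: dict) -> Optional[dict]:
    """Return the first signature whose match fields all equal the request's."""
    for sig in SIGNATURES:
        if all(request.get(k) == v for k, v in sig["match"].items()):
            return sig
    return None

def evaluate(policy: Policy, user: str, host: str, request: dict) -> Verdict:
    """Filter one system request before it executes, as the agent does."""
    sig = match_signature(request)
    if sig is None:
        return Verdict(None, None, "allow", None)      # not a known event
    name, level = sig["name"], sig["level"]
    if (user, name) in policy.exceptions:              # per-user exception
        return Verdict(name, level, "allow", f"{host} {user} {name} {level} EXCEPTION")
    action = policy.reactions.get(level, "log")
    if action not in REACTIONS:
        raise ValueError(f"unknown reaction {action!r} for level {level}")
    entry = None if action == "ignore" else f"{host} {user} {name} {level} {action}"
    return Verdict(name, level, action, entry)

# Default policy logs every level; the review's first test set red to terminate.
DEFAULT_POLICY = Policy({lvl: "log" for lvl in LEVELS})
```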
The entercept software is a great product aimed at midsize to large enterprises. The price tag may seem a little high, but when you take into account the efficiencies (no longer needing to monitor logs continuously to detect intrusions) gained by using the product, you will find the cost is well worth it.
The power and flexibility of entercept in administering security policy earn it an overall score of Excellent and make it a must for any security-conscious company.
Mandy Andress (firstname.lastname@example.org) is director of information security at Privada.net, a privacy infrastructure provider.
THE BOTTOM LINE: EXCELLENT
Business Case: This product's design and approach to security make it an ideal product for any company. Its cost is easily justified by the time and money saved from no longer having to continuously monitor intrusion detection systems.
Technology Case: The ease-of-use and flexibility in defining security policies of entercept let any IT department easily integrate it into an existing security infrastructure. Security policies can be changed down to the user level, providing a high level of control.
+ Easy to install and administer
+ Automatic database updates
- Console available only for Windows NT
Cost: Console: $4,995; Server agent: $995; Client agents: $95 each; volume discounts available
Platform(s): Console: Windows NT Server; Agent: Windows NT Server and Workstation; Solaris 2.5.1, 2.6, and 2.7
ClickNet Software Corp., San Jose, Calif.; (800) 599-3200; www.clicknet.com.