Entercept falls into the category of intrusion prevention systems (IPS). Like a traditional host-based IDS, Entercept resides on the host itself, but it operates at a much lower level than a conventional HIDS.
A conventional HIDS reacts to events that have already happened and been recorded in log files. Entercept instead monitors, at the OS or web server level, the events that would go on to create such log entries. Because it sees these events before the OS or web server processes them, Entercept can stop them before any damage occurs.
Entercept consists of a number of host agents that are controlled by a single central console. There are agents available for Windows NT 4.0 Server, Windows 2000 and Sun Solaris 2.6/7/8. There are also web server agents available to provide protection for various systems.
Each agent communicates with the console over triple-DES-encrypted sessions. If communication with the console is interrupted for any reason, the console shows the agent as 'not connected', but the agent continues to enforce its policy in standalone mode. Each console can manage up to 1,000 agents. Data can also be forwarded to third-party consoles for further analysis.
Entercept offers web shielding, which ensures that the configuration, layout and operation of a web site cannot be altered: even someone holding administrative privileges on the server cannot modify the web site.
Because Entercept is installed on the host, encrypted network traffic does not affect its ability to see all activity, as it would for a network-based IDS. It can be used to protect the resources of the OS or applications, while SecureSelect Vault Mode is used to lock down the operating system. The default policy is applied automatically to all new agents.
Each alert has a severity level associated with it, and the severity level determines the action the agent takes. Three direct actions are supported: ignore, log and block (the action is terminated). When an action is blocked, a plausible error code is returned to the application that caused the alert, so that it is not obvious that it was the IPS that terminated the action rather than the operating system.
It is also possible to generate alerts via email, pager or SNMP trap, and spawn processes - the latter could, for example, be used to reprogram the firewall to prevent further similar intrusions.
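The severity-to-action policy, the web shielding described earlier and the spawn-a-process response can be pictured as one small policy engine. The following is an added illustration written for this page, not Entercept's code: the rule names, the 1-5 severity scale, the severity-to-action table, the event fields, the choice of errno values and the web root path are all assumptions made for the example. The interesting property it reproduces is that the decision depends on the rule's severity, not on the caller's privilege, so an administrator (uid 0) writing to the web root is still blocked, and the caller receives an ordinary-looking OS error rather than a telltale IPS message.

```python
"""Toy model of a host-IPS policy engine in the style the page describes.

Added illustration, not Entercept's code. Rule names, severity scale,
event fields, the web root path and the errno choices are assumptions.
"""
from dataclasses import dataclass
import errno
from enum import Enum
from typing import Callable, List, Optional


class Action(Enum):
    IGNORE = "ignore"
    LOG = "log"
    BLOCK = "block"


@dataclass(frozen=True)
class Event:
    """A constructed intercepted OS event: who tried to do what to which path."""
    op: str        # e.g. "write", "unlink", "exec", "read"
    path: str
    uid: int       # 0 = administrator/root
    process: str


@dataclass
class Rule:
    name: str
    match: Callable[[Event], bool]
    severity: int  # assumed scale: 1 (informational) .. 5 (critical)


@dataclass
class Decision:
    action: Action
    rule: Optional[str]
    errno_code: Optional[int]  # what the calling application sees; None when allowed


# Severity -> action table, the kind of policy a console would push to agents (assumed values).
SEVERITY_ACTIONS = {1: Action.IGNORE, 2: Action.LOG, 3: Action.LOG,
                    4: Action.BLOCK, 5: Action.BLOCK}

# A plausible OS error per operation, so the caller cannot tell the IPS intervened.
PLAUSIBLE_ERRNO = {"write": errno.EACCES, "unlink": errno.EACCES,
                   "rename": errno.EACCES, "exec": errno.ENOENT}


class Agent:
    def __init__(self, rules: List[Rule], on_block=None):
        self.rules = rules
        self.log: List[str] = []
        # Responders spawned on a block, e.g. a hook that reconfigures the firewall.
        self.on_block = on_block or []

    def evaluate(self, ev: Event) -> Decision:
        # First matching rule wins; the rule's severity decides, not the user's privilege.
        for rule in self.rules:
            if not rule.match(ev):
                continue
            action = SEVERITY_ACTIONS[rule.severity]
            if action is Action.IGNORE:
                return Decision(Action.IGNORE, rule.name, None)
            self.log.append(f"sev={rule.severity} rule={rule.name} "
                            f"{ev.process}(uid={ev.uid}) {ev.op} {ev.path}")
            if action is Action.LOG:
                return Decision(Action.LOG, rule.name, None)
            for hook in self.on_block:
                hook(ev, rule)
            return Decision(Action.BLOCK, rule.name, PLAUSIBLE_ERRNO.get(ev.op, errno.EPERM))
        return Decision(Action.IGNORE, None, None)


WEB_ROOT = "/var/www/html/"  # assumed location of the shielded site

RULES = [
    # Web shielding: any modification under the web root is critical, even for uid 0.
    Rule("web_shield_modify",
         lambda e: e.op in {"write", "unlink", "rename"} and e.path.startswith(WEB_ROOT), 5),
    # The web server process spawning a shell is blocked.
    Rule("webserver_spawns_shell",
         lambda e: e.op == "exec" and e.process == "httpd" and e.path.endswith("/sh"), 4),
    # Reading the account database is only logged.
    Rule("read_passwd", lambda e: e.op == "read" and e.path == "/etc/passwd", 2),
]


def demo():
    """Run four constructed events through the agent and return what happened."""
    fired = []  # records which blocks triggered the spawned responder
    agent = Agent(RULES, on_block=[lambda ev, rule: fired.append((rule.name, ev.process))])
    results = {
        "admin_deface": agent.evaluate(Event("write", WEB_ROOT + "index.html", 0, "ftpd")),
        "shell_spawn": agent.evaluate(Event("exec", "/bin/sh", 48, "httpd")),
        "passwd_read": agent.evaluate(Event("read", "/etc/passwd", 48, "httpd")),
        "normal_write": agent.evaluate(Event("write", "/tmp/session.tmp", 48, "httpd")),
    }
    return results, agent.log, fired


if __name__ == "__main__":
    results, log, fired = demo()
    for name, d in results.items():
        print(f"{name}: {d.action.value} rule={d.rule} errno={d.errno_code}")
    print("\n".join(log))
    print("responders fired:", fired)
```

Running the block shows the administrator's write to the web root and the web server's attempt to exec a shell both blocked, with EACCES and ENOENT respectively handed back to the caller, the passwd read merely logged, and the harmless temporary-file write passed through without a log entry. The `on_block` hooks stand in for the spawned processes mentioned above; a real responder would, for instance, push a firewall rule against the offending source.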