REVIEW: "Intrusion Prevention and Active Response", Michael Rash et al

  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    Message 1 of 1, Jul 17, 2006
      BKINPRAR.RVW 20050615

      "Intrusion Prevention and Active Response", Michael Rash et al, 2005,
      1-932266-47-X, U$49.95/C$69.95
      %A Michael Rash www.cipherdyne.org
      %A Angela Orebaugh
      %A Graham Clark
      %A Becky Pinkard
      %A Jake Babbin
      %C 800 Hingham Street, Rockland, MA 02370
      %D 2005
      %G 1-932266-47-X
      %I Syngress Media, Inc.
      %O U$49.95/C$69.95 781-681-5151 fax: 781-681-3585 www.syngress.com
      %O http://www.amazon.com/exec/obidos/ASIN/193226647X/robsladesinterne
      %O http://www.amazon.ca/exec/obidos/ASIN/193226647X/robsladesin03-20
      %O Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
      %P 402 p.
      %T "Intrusion Prevention and Active Response"

      In the beginning were the blackhats, and the net was without form, and
      void. (Actually, slightly before the beginning were a bunch of grad
      students who were just all keen to share stuff and never figured
      anybody would try and deliberately break such a neat toy.) And the
      security community said, "Let there be firewalls!" And the security
      community looked upon the firewalls and saw that they were good. (And
      they didn't say anything in particular about the fact that there were
      also ACLs, and rulesets, and management issues, and all manner of
      creeping features.) And the security community said, "Let there be
      intrusion detection systems, which shall also be known as IDSs!" And
      the security community looked upon the IDSs and saw that they were
      good. (And there were even *more* ACLs, and rulesets, and management
      issues, and all manner of creeping features.) And the security
      community said, "Let us make unto ourselves the ultimate in network
      security tools, and let it be the Holy Grail and Silver Bullet and
      Philosopher's Stone of security, and let it manage itself and respond
      to any kind of attack!" And lo, the security vendors looked upon the
      intrusion prevention system (IPS) and saw that it was a very good
      marketing idea.

      Chapter one attempts to define intrusion prevention and active
      response, but it doesn't do so in a particularly clear or consistent
      manner. An IPS is an IDS that can take some kind of action. What
      kind of action? Well, an IPS does data content (application level)
      inspection. Maybe. Then again, a network-based active response
      system (and an active response system may or may not be the same thing
      as an IPS: it depends upon which section of the chapter you are
      reading) might modify firewall policies or respond to attack packets
      by resetting the port and killing the connection. (This means, as the
      book points out, that an active response system can't do anything at
      all to prevent an attack that consists of a single packet. I'm not
      sure that all IPS vendors would agree with that position.) Network-based
      IPS/active response systems can block ports or systems, change
      firewall rules, reset connections, or alter the data content. (And
      why wouldn't that stop a single-packet attack?) Host-based IPS/active
      response can revise filesystem privileges, perform disinfection, and
      change firewall rules.

      I'm sorry, that paragraph was confused, had poor structure, and was
      not particularly clear. But then again, it seems to capture the
      essence and style of chapter one.

      (In response to the draft of this review, one of the authors feels
      that I have not been fair. He primarily notes that the authors wish
      to make a distinction between intrusion prevention and active
      response, but that is not made terribly clear in the printed text. In
      addition, he says that the missing details I have listed are present
      in the book--but gives citations that come from a variety of different
      places in the volume.)

      Chapter two seems to be an attempt to declare that "deep" packet
      inspection is different than inspection of the packet contents, but,
      aside from giving a whole bunch of examples of things that shouldn't
      be in packets, it doesn't say why. False positives can be a real
      danger, so I agree with the title of chapter three. Unfortunately,
      the text doesn't: we simply have a lot of discussion about how Nmap
      works, finishing off with a terse mention of Bayesian statistics. A
      few specific attacks against certain applications (and certain
      versions) are listed in chapter four. Chapter five discusses systems
      that will modify data content, but only in terms of setting up Snort
      or Netfilter for specific attacks, and not in a usefully detailed way,
      or one that is helpful for general usage. A few more attacks, and
      ways that systems operating at the level of the kernel can help, are
      described (in a rather confused fashion) in chapter six. Chapter
      seven proposes an application-level IPS, but what is described seems
      to be identical to any application-level proxy firewall with content
      inspection. Chapter eight lists some of the data you might obtain
      from a number of open source tools. Some of the things that can go
      wrong with an IPS are mentioned in chapter nine.

      Intrusion prevention systems are new, not terribly well-defined, and
      popular. The security literature on the topic is limited. Therefore,
      any work that addresses the topic will have some value. Indeed, in
      his response, one of the authors felt that they should get some credit
      for being first, and this is generally true. This book, however, will
      be difficult for the newcomer to approach with any certainty. The
      expert will find it both limited and (because of this) misleading at
      times. Some of the content is useful, and a number of the points
      raised should be considered, but the material should be treated with
      caution. The volume is doctrinaire about items that cannot yet be
      fully agreed upon, neglects issues and options that should be
      considered by security professionals, includes considerable
      information that has only the most tenuous connection to the topic at
      hand, and is written without much consideration for the reader.

      copyright Robert M. Slade, 2006 BKINPRAR.RVW 20050615
