[ISN] REVIEW: "Intrusion Detection: Network Security Beyond the Firewall"

From: mea culpa (jerichoat_private)
Date: Mon Dec 14 1998 - 00:21:25 PST


    Forwarded From: seceduat_private
    Originally From: Mich Kabay <mkabayat_private>
    
    ICSA PROJECT(S):  FWPD, IDPD, INFOWAR, ROSE, TECH
    
    Intrusion Detection:  Network Security Beyond the Firewall 
    
    by Terry Escamilla (1998).  
    
    John Wiley & Sons (New York).  
    
    ISBN 0-471-29000-9.  
    
    xx + 348pp.  Index.
    
    Review by M. E. Kabay, PhD, CISSP
    Director of Education
    ICSA, Inc.
    
    Terry Escamilla, PhD, has many years of experience designing and
    implementing information security systems.  He worked with Haystack
    Labs on the Stalker intrusion detection products and currently works on
    IBM's e-commerce products.  Dr Escamilla has written a concise
    introduction not only to intrusion detection systems but also an excellent
    primer on important elements of modern information security. 
    
    Intrusion Detection begins with a clear Preface that explains the purpose
    of his textbook: "Our goal is . . .  To differentiate intrusion detection
    from other forms of computer security and to show how each product
    category adds value."  The author explicitly avoids the shopping cart
    approach, leaving detailed product comparisons to the trade press where
    they belong in a rapidly-changing technical environment.  He includes
    specific products as representatives of classes of software.
    
    Escamilla aims his book at CIOs and security officers or network managers;
    he wants to provide a high-level overview with enough technical detail to
    help the reader fit intrusion detection into corporate information
    security architectures. 
    
    The book includes a good Introduction where Escamilla lays out the
    structure of his text.  The first 153 pages serve in effect as a mini
    textbook introducing the conventional model for security -- the model
    focused on preventing breaches of security.  The author uses the classical
    triad (C-I-A for confidentiality, integrity and availability)  of security
    as a framework for reviewing traditional security; I strongly prefer Donn
    Parker's Hexad, which adds control or possession, authenticity and
    utility.  Escamilla summarizes some of these in a mere paragraph. 
    Nonetheless, his review is well worth reading by his intended audience and
    even by rank beginners in the field of security. 
    
    The author's Chapter 1 definitions of security model, entities, subjects,
    objects, authorization, users, trust relationships, trust boundaries,
    reference monitor, security kernel, identification and authentication,
    access control schemes, and the other basics of security theory are lucid
    and well illustrated.  For example, his paragraph on "Intrusion Detection
    and Monitoring" (p. 23) states, "The purpose of an IDS product is to
    monitor the system for attacks.  An attack might be signaled by something
    as simple as a program that illegally modifies a user name.  Complex
    attacks might involve sequences of events that span multiple systems. 
    Intrusion detection products are classified with system monitors because
    they usually depend on auditing information provided from the system's
    logs or data gathered by sniffing network traffic.  One difference between
    scanners and IDSs is the time interval.  A scanner is running in real
    time when it is started.  However, a scanner is rarely run all of the
    time.  Intrusion detection products are designed to run in real time and
    to constantly monitor the system for attacks."  I think that's admirably
    clear writing. 
    
    In later chapters the author looks in a bit more detail at UNIX and
    Windows NT security.  He summarizes hacker techniques such as password
    guessing, brute-force attacks, social engineering, Trojan horses, network
    sniffers, and exploitation of known vulnerabilities (bugs in software).
    
    Chapter 4, "Traditional Network Security Approaches," begins with a
    thorough review of how security protocols can include errors and how
    criminal hackers exploit weaknesses in those protocols.  The author warns
    that designing distributed security protocols is best left to
    knowledgeable, experienced experts.  For example, he writes, "[a]
    distributed authentication protocol was designed using a challenge
    response technique, but the challenge and response were the same value. 
    A hacker impersonating the recipient could just replay the challenge when
    asked for the response."  Another example of a security blooper was "[a]
    protocol designed to accept incoming messages of a fixed length."  The
    author writes, "Unfortunately, the program did not check the length of
    the incoming messages. . . and, because the system was a public Web
    server, any anonymous user on the Internet could crash the site." 
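    The challenge-response blooper quoted above, as an added illustration that is not from the book or the review: a verifier that accepts the challenge echoed back as the response lets anyone without the shared key authenticate, whereas a keyed response (HMAC over a fresh, single-use challenge, an assumed corrected design) does not.  The shared key and the Verifier class are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret for the example; a real deployment provisions it.
SHARED_KEY = b"example-shared-key-not-real"


def echo_response(key: bytes, challenge: bytes) -> bytes:
    """The flawed scheme the review describes: response equals challenge."""
    return challenge


def keyed_response(key: bytes, challenge: bytes) -> bytes:
    """Assumed corrected scheme: response = HMAC-SHA256(key, challenge)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Verifier:
    """Issues random single-use challenges and checks responses."""

    def __init__(self, key: bytes, scheme):
        self.key = key
        self.scheme = scheme
        self.outstanding = set()

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self.outstanding.add(challenge)
        return challenge

    def check(self, challenge: bytes, response: bytes) -> bool:
        # Unknown or already-used challenge: reject, which blocks replays.
        if challenge not in self.outstanding:
            return False
        self.outstanding.discard(challenge)
        expected = self.scheme(self.key, challenge)
        return hmac.compare_digest(expected, response)


def impersonator_passes(scheme) -> bool:
    """Party with no key simply sends the challenge back as the response."""
    v = Verifier(SHARED_KEY, scheme)
    c = v.issue_challenge()
    return v.check(c, c)


def legitimate_prover_passes(scheme) -> bool:
    v = Verifier(SHARED_KEY, scheme)
    c = v.issue_challenge()
    return v.check(c, scheme(SHARED_KEY, c))


def replayed_pair_passes(scheme) -> bool:
    """A captured (challenge, response) pair is presented a second time."""
    v = Verifier(SHARED_KEY, scheme)
    c = v.issue_challenge()
    r = scheme(SHARED_KEY, c)
    v.check(c, r)
    return v.check(c, r)
```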
    
    Chapter 4 also includes an extensive introduction to TCP/IP and the kinds
    of attacks specific to these widely used protocols.  In accordance with
    his principles, the author refuses to give detailed scripts that would
    allow uninformed users to generate such attacks; however, his clear
    explanations make it possible to understand the issues.  
    
    The next six chapters--about 150 pages--are devoted to intrusion detection
    systems proper.  This section includes detailed overviews of several
    important products.  The products are used to illustrate important
    principles distinguishing different categories of products, many of which
    are complementary.  
    
    Finally, in his last section, the author devotes two chapters to looking
    at appropriate responses to intrusion.  He offers a sensible balance
    between ignoring intrusions and exerting extraordinary efforts to capture
    intruders.  He very properly suggests that business considerations ought
    to determine the level of effort devoted to acting as a kind of
    wild-cyberwest sheriff.  In any case, as he points out, it is often
    impossible to track intruders through the maze of jumps through other
    victimized sites.  For this reason, he urges readers not to attack the
    proximate sites from which intrusions appear to be launched: too often,
    such sites are equally victims of the true attackers.  
    
    The book ends very properly with a 16-page index that seems thorough and
    useful.
    
    As usual in any book, there are always picky little details that a
    reviewer seems bound to mention in order to demonstrate his or her
    attention to the text <smile>.  I don't want to do that, although I cannot
    resist a broad grin at the following garbled sentence from page 201, "The
    answer lies in that recurring them on behalf of semantics." 
    
    As an author who has groaned at what has appeared in print under my name,
    Dr Escamilla has my sincere sympathy.  It happens to everyone. 
    
    In summary, Dr. Escamilla's excellent book is well-written, comprehensive,
    and useful for both beginners and experts in information security.  It is
    well worth its modest cost (U$40) and I hope that it will be widely used
    throughout the industry.  For more information about the book, one can
    visit a section of the publisher's Web site
    <http://www.wiley.com/compbooks/escamilla>.  In addition, readers will be
    interested to know that since this book went to press, a number of
    intrusion detection product developers banded together in December 1998 to
    form the ICSA's Intrusion Detection Product Developers Consortium
    <http://www.icsa.net/news/press_room/1998/idsc.shtml>. 
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    