[ISN] REVIEW: "Intrusion Detection", Terry Escamilla

From: mea culpa (jerichoat_private)
Date: Sat Feb 13 1999 - 00:49:50 PST


    Forwarded From: "Rob Slade" <rsladeat_private>
    BKINTRDT.RVW   990108
    "Intrusion Detection", Terry Escamilla, 1998, 0-471-29000-9,
    %A   Terry Escamilla
    %C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
    %D   1998
    %G   0-471-29000-9
    %I   John Wiley & Sons, Inc.
    %O   U$39.99/C$56.50 416-236-4433 fax: 416-236-4448 rlangloiat_private
    %P   348 p.
    %T   "Intrusion Detection: Network Security Beyond the Firewall"
    Maybe my perception is skewed from having been involved with physical
    security as well as the computer kind, but I see intrusion detection as
    being part of security.  There is no security system that cannot be
    penetrated or bypassed, and so detection is, in my view, simply a fact of
    security life.  Isn't that what auditing, one of the main pillars of data
    security, is all about?  So I find the attempt to sell the idea of intrusion
    detection somewhat redundant.  Then there is the emphasis on reviewing
    commercial Intrusion Detection Systems (IDS).

    Part one looks at what happens before intrusion detection: the traditional
    role and model of computer security.  Chapter one provides a brief, but
    reasonably sound, overview of this classic paradigm, concentrating on
    defining most of the theoretical terms used.  Some identification and
    authentication details from both UNIX and Windows NT start our chapter
    two, which then meanders through a few examples of password cracking, and
    finally ends with a look at ticket granting systems and other
    authentication improvements.  A similar look at access control is provided
    by chapter three.  Given the complexity of networking and network
    security, the number of topics covered in chapter four is unsurprising.

    Part two looks at intrusion detection by extending the traditional
    security design.  Chapter five is fairly pivotal, as evidenced by the
    title "Intrusion Detection and Why You Need It."  The "why" part comes
    first, with a rather weak example showing that security systems can have
    loopholes if you don't configure or program everything properly.  Intrusion
    detection then seems to be defined as the usual game of find
    vulnerability-fix-repeat, only in automated form.  A number of possible
    attacks are mentioned in chapter six, and then a promotion of the addition
    of an IDS layer to a system, without a corresponding reiteration of the
    warning, from chapter four, that layers in a system increase the
    possibility of loopholes.  I was rather astonished that SATAN [Security
    Administrator's Tool for Analyzing Networks] was not included with the
    vulnerability scanners mentioned in chapter seven.  Two more sophisticated
    products are reviewed in chapter eight.  Chapter nine looks at the
    possibility of catching intruders by traffic analysis, although "catch"
    seems to be too strong a term to use here.  Since most of the foregoing
    deals with UNIX, chapter ten looks at similar products for NT, although
    most of the material seems to concentrate on NT's own audit logs.

    Part three looks at dealing with an intrusion once you have detected it.
    Chapter eleven recommends being prepared well, detecting early, analyzing
    thoroughly, and deciding judiciously.  In one useful piece of advice, it
    recommends against an attack on a system you may think is hitting on
    yours.  Chapter twelve is a quick summary of the book.

    As the author admits, in the final chapter, that intrusion detection
    systems are not the final word in computer security, I am inescapably
    reminded of the battles in the antiviral field over the relative strengths
    of scanners, activity monitors, and change detection systems.  What works
    best?  A combination approach, of course.  The price of a secure system is
    more budget for administration time and tools.  This book does not present
    any radically new approach or technique for system security.  In fact,
    with the emphasis on proprietary commercial products, the work will date
    quite quickly.  For those who are looking to add an automated IDS to their
    current network, the volume could act as a kind of incomplete buyer's

    copyright Robert M. Slade, 1999   BKINTRDT.RVW   990108
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
