Forwarded From: "Rob Slade" <rsladeat_private>

BKINTRDT.RVW 990108

"Intrusion Detection", Terry Escamilla, 1998, 0-471-29000-9, U$39.99/C$56.50
%A Terry Escamilla
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%D 1998
%G 0-471-29000-9
%I John Wiley & Sons, Inc.
%O U$39.99/C$56.50 416-236-4433 fax: 416-236-4448 rlangloiat_private
%P 348 p.
%T "Intrusion Detection: Network Security Beyond the Firewall"

Maybe my perception is skewed from having been involved with physical security as well as the computer kind, but I see intrusion detection as being part of security. There is no security system that cannot be penetrated or bypassed, and so detection is, in my view, simply a fact of security life. Isn't that what auditing, one of the main pillars of data security, is all about? So I find the attempt to sell the idea of intrusion detection somewhat redundant. Then there is the emphasis on reviewing commercial Intrusion Detection Systems (IDS).

Part one looks at what happens before intrusion detection: the traditional role and model of computer security. Chapter one provides a brief, but reasonably sound, overview of this classic paradigm, concentrating on defining most of the theoretical terms used. Some identification and authentication details from both UNIX and Windows NT start chapter two, which then meanders through a few examples of password cracking, and finally ends with a look at ticket-granting systems and other authentication improvements. A similar look at access control is provided by chapter three. Given the complexity of networking and network security, the number of topics covered in chapter four is unsurprising.

Part two looks at intrusion detection by extending the traditional security design. Chapter five is fairly pivotal, as evidenced by the title "Intrusion Detection and Why You Need It." The "why" part comes first, with a rather weak example showing that security systems can have loopholes if you don't configure or program everything properly. Intrusion detection then seems to be defined as the usual game of find-vulnerability-fix-repeat, only in automated form. A number of possible attacks are mentioned in chapter six, and then a promotion of the addition of an IDS layer to a system, without a corresponding reiteration of the warning, from chapter four, that layers in a system increase the possibility of loopholes. I was rather astonished that SATAN [Security Administrator's Tool for Analyzing Networks] was not included with the vulnerability scanners mentioned in chapter seven. Two more sophisticated products are reviewed in chapter eight. Chapter nine looks at the possibility of catching intruders by traffic analysis, although "catch" seems to be too strong a term to use here. Since most of the foregoing deals with UNIX, chapter ten looks at similar products for NT, although most of the material seems to concentrate on NT's own audit logs.

Part three looks at dealing with an intrusion once you have detected it. Chapter eleven recommends being well prepared, detecting early, analyzing thoroughly, and deciding judiciously. In one useful piece of advice, it recommends against an attack on a system you may think is hitting on yours. Chapter twelve is a quick summary of the book.

As the author admits, in the final chapter, that intrusion detection systems are not the final word in computer security, I am inescapably reminded of the battles in the antiviral field over the relative strengths of scanners, activity monitors, and change detection systems. What works best? A combination approach, of course. The price of a secure system is more budget for administration time and tools.

This book does not present any radically new approach or technique for system security.
In fact, with the emphasis on proprietary commercial products, the work will date quite quickly. For those who are looking to add an automated IDS to their current network, the volume could act as a kind of incomplete buyer's guide.

copyright Robert M. Slade, 1999 BKINTRDT.RVW 990108