Book details of 'Intrusion Prevention and Active Response : Deploying Network and Host IPS'

Title: Intrusion Prevention and Active Response : Deploying Network and Host IPS
Author(s): Michael Rash, Angela D. Orebaugh, Graham Clark, Becky Pinkard, Jake Babbin
ISBN: 193226647X
Language: English
Published: February 2005
Publisher: Syngress
Shelf: Computer security
The Virtual Bookcase Reviews of 'Intrusion Prevention and Active Response : Deploying Network and Host IPS':

Reviewer Rob Slade wrote:

In the beginning were the blackhats, and the net was without form, and void. (Actually, slightly before the beginning were a bunch of grad students who were just all keen to share stuff and never figured anybody would try and deliberately break such a neat toy.) And the security community said, "Let there be firewalls!" And the security community looked upon the firewalls and saw that they were good. (And they didn't say anything in particular about the fact that there were also ACLs, and rulesets, and management issues, and all manner of creeping features.) And the security community said, "Let there be intrusion detection systems, which shall also be known as IDSs!" And the security community looked upon the IDSs and saw that they were good. (And there were even *more* ACLs, and rulesets, and management issues, and all manner of creeping features.) And the security community said, "Let us make unto ourselves the ultimate in network security tools, and let it be the Holy Grail and Silver Bullet and Philosopher's Stone of security, and let it manage itself and respond to any kind of attack!" And lo, the security vendors looked upon the intrusion prevention system (IPS) and saw that it was a very good marketing idea.

Chapter one attempts to define intrusion prevention and active response, but it doesn't do so in a particularly clear or consistent manner. An IPS is an IDS that can take some kind of action. What kind of action? Well, an IPS does data content (application level) inspection. Maybe. Then again, a network-based active response system (and an active response system may or may not be the same thing as an IPS: it depends upon which section of the chapter you are reading) might modify firewall policies or respond to attack packets by resetting the port and killing the connection. (This means, as the book points out, that an active response system can't do anything at all to prevent an attack that consists of a single packet. I'm not sure that all IPS vendors would agree with that position.) Network-based IPS/active response systems can block ports or systems, change firewall rules, reset connections, or alter the data content. (And why wouldn't that stop a single-packet attack?) Host-based IPS/active response can revise filesystem privileges, perform disinfection, and change firewall rules. I'm sorry, that paragraph was confused, had poor structure, and was not particularly clear. But then again, it seems to capture the essence and style of chapter one. (In response to the draft of this review, one of the authors feels that I have not been fair. He primarily notes that the authors wish to make a distinction between intrusion prevention and active response, but that is not made terribly clear in the printed text. In addition, he says that the missing details I have listed are present in the book--but gives citations that come from a variety of different places in the volume.)

Chapter two seems to be an attempt to declare that "deep" packet inspection is different than inspection of the packet contents, but, aside from giving a whole bunch of examples of things that shouldn't be in packets, it doesn't say why.

False positives can be a real danger, so I agree with the title of chapter three. Unfortunately, the text doesn't: we simply have a lot of discussion about how Nmap works, finishing off with a terse mention of Bayesian statistics. A few specific attacks against certain applications (and certain versions) are listed in chapter four. Chapter five discusses systems that will modify data content, but only in terms of setting up Snort or Netfilter for specific attacks, and not in a usefully detailed way, or one that is helpful for general usage. A few more attacks, and ways that systems operating at the level of the kernel can help, are described (in a rather confused fashion) in chapter six.

Chapter seven proposes an application-level IPS, but what is described seems to be identical to any application-level proxy firewall with content inspection. Chapter eight lists some of the data you might obtain from a number of open source tools. Some of the things that can go wrong with an IPS are mentioned in chapter nine.

Intrusion prevention systems are new, not terribly well-defined, and popular. The security literature on the topic is limited. Therefore, any work that addresses the topic will have some value. Indeed, in his response, one of the authors felt that they should get some credit for being first, and this is generally true. This book, however, will be difficult for the newcomer to approach with any certainty. The expert will find it both limited and (because of this) misleading at times. Some of the content is useful, and a number of the points raised should be considered, but the material should be treated with caution. The volume is doctrinaire about items that cannot yet be fully agreed upon, neglects issues and options that should be considered by security professionals, includes considerable information that has only the most tenuous connection to the topic at hand, and is written without much consideration for the reader.

copyright Robert M. Slade, 2006

Book description:

From the Foreword by Stephen Northcutt, Director of Training and Certification, The SANS Institute:

Within a year of the infamous "Intrusion Detection is Dead" report by Gartner, we started seeing Intrusion Prevention System (IPS) products that actually worked in the real world. Security professionals are going to be approaching management for funding in the next year or two to procure intrusion prevention devices, especially intelligent switches from 3Com (TippingPoint), as well as host-based intrusion prevention solutions like Cisco Security Agent, Platform Logic, Ozone or CrossTec. Both managers and security technologists face a pressing need to get up to speed, and fast, on the commercial and open source intrusion prevention solutions.

This is the first book-length work that specifically concentrates on the concept, implementation, and implications of intrusion prevention and active response. The term IPS has been thrown around with reckless abandon by the security community. Here, the author team works to establish a common understanding and terminology, as well as compare the approaches to intrusion prevention.

* Transition from Intrusion Detection to Intrusion Prevention: Unlike an IDS, an IPS can modify application-layer data or perform system call interception.
* Develop an Effective Packet Inspection Toolbox: Use products such as the Metasploit Framework as a source of test attacks.
* Travel Inside the SANS Internet Storm Center: Review packet captures of actual attacks, like the "Witty" worm, directly from the handler's diary.
* Protect Against False Positives: Remember that, unlike an IDS, an IPS will REACT to an intrusion.
* Integrate Multiple Layers of IPS: Create a multivendor defense at the Data Link, Network, Transport, and Application layers.
* Deploy Host Attack Prevention Mechanisms: Includes stack hardening, system call interception, and application shimming.
* Implement Inline Packet Payload Alteration: Use Snort Inline or a Linux kernel patch to the Netfilter string match extension.
* Covers all Major Intrusion Prevention and Active Response Systems: Includes Snort Inline, SnortSAM, PaX, StackGuard, LIDS, FWSnort, PSAD, Enterasys Web IPS, and mod_security.
* Deploy IPS on Web Servers at the Application Layer: Loading an application-level IPS in-process in the Web server protects the server and allows inspection of encrypted traffic.

Table of Contents:

Foreword by Stephen Northcutt
1. Intrusion Prevention and Active Response
2. Packet Inspection for Intrusion Analysis
3. False Positives and Real Damage
4. Four Layers of IPS Actions
5. Network Inline Data Modification
6. Protecting Your Host Through the Operating System
7. IPS at the Application Layer
8. Deploying Open Source IPS Solutions
9. IPS Evasion Techniques

The Virtual Bookcase is created and maintained by Koos van den Hout. Contact e-mail webmaster@virtualbookcase.com.
Site credits
Copyright © 2000-2008 Koos van den Hout / The Virtual Bookcase Copyright and privacy statement