Intrusion Detection

List Price: $39.99
Your Price: $26.39

Rating: 3 stars
Summary: Good but mildly confusing
Review: "Intrusion Detection and Prevention" left me with a mixed impression. The book has really good parts (fun to read, informative and well presented) and also has other parts...

The book aspires to clarify the whole intrusion detection and prevention conundrum and I can't say it completely succeeds at that. The issue is covered, but not really clarified or even defined. Even IDS vs IPS "pro and con" lists have many random items (such as IPS's supposed resistance to "low and slow" attacks). Some sections are downright confusing, such as the one on agents. Others are way too short ("creating an IR team" is one page...)

Among the good parts are correlation chapters, tcpdump coverage, intrusion analysis process, attacks overview (although some important pieces such as web application attacks are missing) and many others.

The book bears unfortunate signs of being written by a group of people who didn't talk to each other much. Thus, many contradictions (especially about network IDS) are noticeable in the text. Also, example IDS systems covered in the book have almost no connection to the "theory" chapters that preceded them. Example chapters have no common format either, covering random pieces of architecture, deployment, management and internals.

What is worse, some parts of the book seem written based on casually browsing vendor websites: "Manhunt Firewall" is one example and in some other cases, the authors confuse the features with product names and with company names. Loose use of industry-standard terminology is there as well (especially when talking about host vs network IDS). "IDSs work at the network layer of the OSI model" is just one example.

Overall, I liked many places in the book, but the big picture is missing. I'd say it's a recommended read for non-security people who don't mind being a bit confused.

Anton Chuvakin, Ph.D., GCIA, GCIH is a Senior Security Analyst with a major security information management company. He is the author of the book "Security Warrior" (O'Reilly, 2004). His areas of infosec expertise include intrusion detection, UNIX security, forensics, honeypots, etc. In his spare time, he maintains his security portal info-secure.org.

Rating: 3 stars
Summary: Some value, but doesn't meet expectations
Review: I had high hopes for "Intrusion Detection and Prevention" (IDAP) as it is the first book to devote chapters to different vendor IDS products. It's also the first to explicitly mention the buzzword "intrusion prevention" in its title. Unfortunately, the book does not deliver the value I expected.

IDAP suffers from several technical issues. The OSI reference model on p. 6 lists ARP as both a layer 4 (transport) and layer 3 (network) protocol. In reality it assists layer 2 but, as it has an EtherType, it's ok to list at layer 3; layer 4 is wrong. Page 7 says "a NIDS system is usually inline on the network," but p. 8 says "this is unlike IDS, which do not sit inline." (NIDS are usually not inline; NIPS are.) Page 34 says "most useful packets will not fit into 68 bytes, so they may need to be fragmented anyway." All three packets of the three-way handshake and all four of a graceful close can be less than 68 bytes, and they're certainly useful.

Pages 36-38 and 97 have multiple errors regarding TCP sequence numbers. Readers familiar with my earlier reviews know these errors are repeated frequently. For data portions of a session, the TCP sequence number is the sequence number of the first byte of application data in the packet. The TCP acknowledgement number is the sequence number of the first byte of application data expected to be sent by the other party.

The sections I most anticipated were the chapters on products, but only the NFR material was genuinely helpful. First, despite the book's title, the four products were mainly intrusion detection systems and not intrusion prevention systems. RealSecure, Cisco Secure, Snort, and NFR were covered. RealSecure offers IPS through Proventia, but its capabilities aren't discussed. The Cisco chapter offers a few sentences on Okena, but where were chapters on NAI IntruShield (formerly from IntruVert) or Entercept? Snort merits a chapter, but why is Sourcefire not mentioned? I know everything can't appear, but a book called "Intrusion Detection and Prevention" should cover "prevention" products.

Of the four chapters on products, the NFR material was most useful. I kept two questions important to all analysts in mind while reading: (1) How do I modify or create signatures? (2) How do I validate what the product reports? Only the NFR chapter gave sufficient detail to answer question 1, and only the NFR chapter showed packet data to confirm a sample Code Red II alert. This suggests the other products aren't capable, which may be true for ISS and Cisco; it's certainly *not* true for Snort, where modification and validation via packet detail are the heart of the product.

I also took exception to some of the authors' conclusions. (Keep in mind a team wrote this book.) A cheap shot on page 187 shows the ISS chapter author doesn't understand what real analysts need to "trust" their IDS: "These increases in product signatures have given more customers the capability to trust the comprehensive nature of RealSecure over every other product, including the freeware power player, Snort." Analyst trust is built on transparency and validation, meaning he can see why the product generated an alert, and use additional data to confirm its validity. Snort and NFR offer this; ISS does not. Furthermore, if you don't like how Snort works, you can modify the source code -- try that with a proprietary system.

On the positive side, I liked the buffer overflow coverage in chapter 4. The Tcpdump chapter offered some intriguing string matching capabilities through nifty bit-shifting, but I think ngrep or even Snort are more practical. A chapter on legal issues gives readers a helpful brief on federal laws and a listing of state cybercrime laws, but fails to mention exceptions to the wiretap act which permit traffic collection.

I think IDAP left the presses before it was ready to live up to its name. I expect the second edition to cover prevention adequately and to clean up the technical and philosophical issues identified here.
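The review above makes two checkable claims: that a segment's sequence number is the number of its first payload byte while its acknowledgement number is the next byte expected from the peer, and that every packet of a three-way handshake and a graceful close fits comfortably in 68 bytes. The following is an added example for this page, not code from the book or from the reviewer. It constructs an HTTP/1.0 session as raw IPv4/TCP bytes (layouts per RFC 791 and RFC 793), audits the seq/ack bookkeeping packet by packet, measures the packet sizes, and reproduces in Python the data-offset arithmetic behind the tcpdump bit-shifting string match the review mentions. All helper names and the sample addresses, ports and ISNs are this example's own.

```python
"""TCP sequence/acknowledgement bookkeeping and tcpdump-style payload matching,
run over a constructed HTTP/1.0 session. Added example for this review page; it is
not code from the book or from any of its reviewers. Header layouts follow
RFC 791 (IPv4) and RFC 793 (TCP); helper names are this example's own."""
import struct

SYN, ACK, FIN, PSH = 0x02, 0x10, 0x01, 0x08
MIN_REASSEMBLY_MTU = 68   # RFC 791: every host must accept a 68-octet datagram


def ipv4_tcp_packet(src, dst, sport, dport, seq, ack, flags, payload=b"", options=b""):
    """Build a minimal IPv4 datagram carrying one TCP segment. Checksums stay 0:
    nothing here is transmitted, the bytes only feed the parsers below."""
    options += b"\x00" * (-len(options) % 4)        # options are padded to 32-bit words
    tcp_hdr_len = 20 + len(options)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      (tcp_hdr_len // 4) << 4,     # data offset (in words) is the high nibble
                      flags, 65535, 0, 0) + options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp


def parse(pkt):
    """Return (src, dst, sport, dport, seq, ack, flags, payload) from a raw IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    sport, dport, seq, ack, off_res, flags = struct.unpack("!HHIIBB", tcp[:14])
    # tcpdump's tcp[((tcp[12]&0xf0)>>2):4] trick: the high nibble is the header length in
    # 32-bit words, so shifting right by 2 instead of 4 yields the length in bytes directly.
    data_off = (off_res & 0xF0) >> 2
    return pkt[12:16], pkt[16:20], sport, dport, seq, ack, flags, tcp[data_off:]


def check_sequence_bookkeeping(packets):
    """Check the rule the review states: a segment's SEQ is the sequence number of its
    first payload byte (SYN and FIN each consume one number as well), and its ACK is the
    next sequence number expected from the peer. Returns a list of violations."""
    next_seq = {}       # (src, sport, dst, dport) -> next SEQ that direction should send
    violations = []
    for i, pkt in enumerate(packets):
        src, dst, sport, dport, seq, ack, flags, payload = parse(pkt)
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags & SYN and fwd not in next_seq:
            next_seq[fwd] = seq                      # the ISN is arbitrary; start tracking here
        if fwd in next_seq and seq != next_seq[fwd]:
            violations.append(f"pkt {i}: seq {seq}, expected {next_seq[fwd]}")
        if flags & ACK and rev in next_seq and ack != next_seq[rev]:
            violations.append(f"pkt {i}: ack {ack}, expected {next_seq[rev]}")
        consumed = len(payload) + bool(flags & SYN) + bool(flags & FIN)
        next_seq[fwd] = (seq + consumed) & 0xFFFFFFFF
    return violations


def payload_starts_with(pkt, needle):
    """Python mirror of the tcpdump filter tcp[((tcp[12]&0xf0)>>2):4] = 0x47455420 ('GET '):
    match at the start of the payload wherever the options push it, not at a fixed offset."""
    return parse(pkt)[7].startswith(needle)


def build_sample_session():
    """Constructed HTTP/1.0 exchange: handshake, request, response, graceful close."""
    c, s, cp, sp = "10.0.0.1", "10.0.0.2", 40000, 80
    ci, si = 1000, 5000                               # client and server ISNs (constructed)
    req, resp = b"GET / HTTP/1.0\r\n\r\n", b"HTTP/1.0 200 OK\r\n\r\n"
    mss = struct.pack("!BBH", 2, 4, 1460)             # MSS option: kind 2, length 4
    nc, ns = ci + 1 + len(req), si + 1 + len(resp)    # each side's SEQ after its data
    return [
        ipv4_tcp_packet(c, s, cp, sp, ci, 0, SYN, options=mss),
        ipv4_tcp_packet(s, c, sp, cp, si, ci + 1, SYN | ACK, options=mss),
        ipv4_tcp_packet(c, s, cp, sp, ci + 1, si + 1, ACK),
        ipv4_tcp_packet(c, s, cp, sp, ci + 1, si + 1, PSH | ACK, req),
        ipv4_tcp_packet(s, c, sp, cp, si + 1, nc, ACK),
        ipv4_tcp_packet(s, c, sp, cp, si + 1, nc, PSH | ACK, resp),
        ipv4_tcp_packet(c, s, cp, sp, nc, ns, ACK),
        ipv4_tcp_packet(c, s, cp, sp, nc, ns, FIN | ACK),        # active close by client
        ipv4_tcp_packet(s, c, sp, cp, ns, nc + 1, ACK),
        ipv4_tcp_packet(s, c, sp, cp, ns, nc + 1, FIN | ACK),
        ipv4_tcp_packet(c, s, cp, sp, nc + 1, ns + 1, ACK),
    ]


if __name__ == "__main__":
    session = build_sample_session()
    print("violations:", check_sequence_bookkeeping(session) or "none")
    print("bytes per packet:", [len(p) for p in session])
    print("payload 'GET ' matches at packet(s):",
          [i for i, p in enumerate(session) if payload_starts_with(p, b"GET ")])
```

Running it reports no violations, shows every handshake and close packet at 40 to 44 bytes (the request and response segments are 58 and 59), and matches "GET " only on the request segment. Swapping one acknowledgement for the off-by-one a text gets wrong (acknowledging the last byte received rather than the next one expected) produces exactly one violation, which is the kind of check an analyst wants when validating what a sensor reports.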

Rating: 5 stars
Summary: Great book, very informative
Review: I think this book laid out a great foundation for anyone involved or wanting to get involved with intrusion detection and prevention. While it is a bit light on the prevention end of things, there is not much out there as of yet and I feel this was a good attempt (besides, by the time any book gets released it is already out of date).

There are some issues with TCP sequence numbers as mentioned in a previous review. The Cisco chapter left a little to be desired, as it was not in-depth enough. Overall I found this book to be very helpful. I especially liked the coverage of the different IDS/IPS systems (Cisco, RealSecure, Snort and NFR). I found that the Snort and NFR chapters were very well written and gave me some new insights.

I feel that this is the best book to date with good solid IDS/IPS information from both a theoretical and a practical, hands-on point of view.

Rating: 5 stars
Summary: Exactly how to implement top intrusion detection products
Review: Intrusion Detection & Prevention by the expert team of Carl Endorf, Eugene Schultz, & Jim Mellander shows exactly how to implement top intrusion detection products into real-world networked environments. Intrusion Detection & Prevention methodically covers the most popular intrusion detection tools including Internet Security Systems' Black ICE & RealSecure, Cisco Systems' Secure IDS, Computer Associates' eTrust, Entercept, and the open source Snort tool. Both of these outstanding titles are confidently recommended and would be of special value as introductions to novice computer users with a need for system security.

© 2004, ReviewFocus or its affiliates