Rating:  Summary: Rambling and fragmented - of little use to novice or expert Review: Computer security is a subject that one either loves or loathes. To the lover, it is a stimulating, intellectual challenge. To the loather, it is based on boring, complicated maths with the sole aim of preventing users doing their job. In such a world, any author of a book needs to decide whether to write their work at the techies, thus jumping straight in at the deep end, or the novice, offering a gentle primer that attracts the reader into the subject. The very best computer security books (Schneier; Stoll; Garfinkel and Spafford) have clearly attacked one path. The worst have headed off somewhere in between. Escamilla has chosen the latter - with the usual, dire consequences. Aimed at 'any computer literate person', the book is notionally divided into two parts, one to introduce basic concepts of computer security, and another to describe intrusion detection systems. However, neither part meets its aim. The first occupies more than 150 rambling and often inaccurate pages. Moreover, it strays into territory well beyond 'any' person. For instance, ten pages are devoted to the Kerberos authentication protocol. Indeed, so long is the 'introduction' that the author, almost apologetically, has to keep reminding the user that the book is about intrusion detection. The second part fares little better. It forages around scanners, network sniffers, covert channels, Unix and NT administration, again under the apologetic guise of intrusion detection. Some intrusion detection systems are described - RealSecure, NetRanger and so on - but in a brief and fragmented manner, which offers little in the way of practical, consumer guidance. Possibly the worst aspect of the treatment is that no coverage is given to what a typical audit log looks like - which would at least help justify why intrusion detection systems are needed.
The most useful piece of advice offered in the book is not to consider buying an intrusion detection system if you haven't invested in more basic tools like a firewall. The most useful piece of advice that can be offered about the book is not to consider buying it.
Rating:  Summary: Perfect guide to network security Review: Escamilla uses practical perspectives to expertly describe methods to improve network security.
Rating:  Summary: Jarringly unfocussed and inaccurate... Review: I wanted to like this book, seeing as how I've made intrusion detection an important part of my career (the book spends a few pages discussing a paper I wrote), and there are no good offline resources on the subject. Unfortunately, I found little to appreciate in this book, which could have benefited greatly from better technical editing, a sharper concept of what its audience is, and (unfortunately) a better grounding in the subject matter. The most important problem with this book will be obvious to most readers. Escamilla doesn't address the subject of intrusion detection until midway through the book, opting instead to fill the first half of the book with background information about computer security. This information is presented poorly (and with glaring inaccuracies). Almost all of it is covered better in other books, which readers unfamiliar with network security will need to buy anyway to make the intrusion detection concepts discussed in the latter half of the book accessible. Unfortunately, the relevant half of the book isn't much better. A confused mish-mash of technologies is presented under the banner of I-D (I know of very few people in the security industry who consider security scanners to be I-D systems), and the most widely used forms of I-D are given scant coverage. Worse still, the author profiles real commercial I-D systems (towards the end of the book). Apart from the fact that this information was unsalvageably outdated before the book made it to the press, it's also biased. Descriptions of one system span 3 pages, while another merits a single paragraph. Many important systems (which were widely known at the time of this book's release) are not covered at all. And, predictably, most of the details about the commercial systems covered read like marketing material, with almost no comparisons to the other systems covered.
Although this book is a mess, it's not an unrecoverable one. The author's descriptions of Do-It-Yourself intrusion detection on Unix systems are competent, if not revolutionary, and are almost reminiscent of Cheswick and Bellovin's work in _Firewalls_and_Internet_Security_. A better informed, more coherent second revision of this book would be worth looking at. Unfortunately, there's very little to recommend this book. A critical and informed reader might get some value out of it, but nothing that couldn't be obtained more easily from the Internet. At its worst, however, this book can be misleading, and is thus an inappropriate introduction to its subject. Overall, a deeply flawed book. Steer clear.
Rating:  Summary: Superb coverage for ID strategy and deployment Review: If you're responsible for protecting your company's information assets, this book is for you. As a security professional at a mid-sized firm, I found Escamilla's frank assessments of commercially available intrusion detection products invaluable. Given the author's obviously immense research on the classic security model and today's leading intrusion detection products, I am now very confident about the right steps to take to fill the gaps in my organization's network security. Escamilla provides a thorough explanation of security problems and then explains how classic security products address these problems and why intrusion detection is needed beyond I&A, access control, and network security products such as firewalls. As the author states, the book is intended for the reader to know "precisely what a product can and cannot do." If you're a security officer, or simply have an interest in the growing need for computer security, prepare to think critically about how intrusion detection products work and why you need them. Buy this book!
Rating:  Summary: Excellent Introduction to Intrusion Detection Review: Intrusion Detection - Network Security Beyond the Firewall is a very well researched and well thought out discussion of where commercial security tools fit into an organization's security policy. The author presents support for Intrusion Detection based on a well documented history of computer security problems and proposed solutions, and then explains how different security products fit different needs. Computer Security is a very complex topic that means different things to different people. The author uses his many years of experience in actually building, deploying, and using Intrusion Detection Systems to present the topic in a simple and easy to understand fashion. This book also contains a rich set of references and sources of additional information. This book will not make you a security expert overnight, but it is an excellent way to get started.
Rating:  Summary: Don't be fooled by the name of the book. Review: Look somewhere else if you are serious about network security. The content of the whole book is just too superficial!
Rating:  Summary: Excellent introduction to intrusion detection technology Review: Review by M. E. Kabay, PhD, CISSP, Director of Education, ICSA, Inc. Terry Escamilla, PhD, has many years of experience designing and implementing information security systems. He worked with Haystack Labs on the Stalker intrusion detection products and currently works on IBM's e-commerce products. Dr Escamilla has written a concise introduction not only to intrusion detection systems but also an excellent primer on important elements of modern information security. Intrusion Detection begins with a clear Preface that explains the purpose of his textbook: "Our goal is . . . to differentiate intrusion detection from other forms of computer security and to show how each product category adds value." The author explicitly avoids the shopping cart approach, leaving detailed product comparisons to the trade press where they belong in a rapidly-changing technical environment. He includes specific products as representatives of classes of software. Escamilla aims his book at CIOs and security officers or network managers; he wants to provide a high-level overview with enough technical detail to help the reader fit intrusion detection into corporate information security architectures. The book includes a good Introduction where Escamilla lays out the structure of his text. The first 153 pages serve in effect as a mini textbook introducing the conventional model for security -- the model focused on preventing breaches of security. The author uses the classical triad (C-I-A for confidentiality, integrity and availability) of security as a framework for reviewing traditional security; I strongly prefer Donn Parker's Hexad, which adds control or possession, authenticity and utility. Escamilla summarizes some of these in a mere paragraph. Nonetheless, his review is well worth reading by his intended audience and even by rank beginners in the field of security.
The author's Chapter 1 definitions of security model, entities, subjects, objects, authorization, users, trust relationships, trust boundaries, reference monitor, security kernel, identification and authentication, access control schemes, and the other basics of security theory are lucid and well illustrated. For example, his paragraph on "Intrusion Detection and Monitoring" (p. 23) states, "The purpose of an IDS product is to monitor the system for attacks. An attack might be signaled by something as simple as a program that illegally modifies a user name. Complex attacks might involve sequences of events that span multiple systems. Intrusion detection products are classified with system monitors because they usually depend on auditing information provided from the system's logs or data gathered by sniffing network traffic. One difference between scanners and IDSs is the time interval. A scanner is running in real time when it is started. However, a scanner is rarely run all of the time. Intrusion detection products are designed to run in real time and to constantly monitor the system for attacks." I think that's admirably clear writing. In later chapters the author looks in a bit more detail at UNIX and Windows NT security. He summarizes hacker techniques such as password guessing, brute-force attacks, social engineering, Trojan horses, network sniffers, and exploitation of known vulnerabilities (bugs in software). Chapter 4, "Traditional Network Security Approaches," begins with a thorough review of how security protocols can include errors and how criminal hackers exploit weaknesses in those protocols. The author warns that designing distributed security protocols is best left to knowledgeable, experienced experts. For example, he writes, "[a] distributed authentication protocol was designed using a challenge response technique, but the challenge and response were the same value. A hacker impersonating the recipient could just replay the challenge when asked for the response." Another example of a security blooper was "[a] protocol designed to accept incoming messages of a fixed length." The author writes, "Unfortunately, the program did not check the length of the incoming messages. . . and, because the system was a public Web server, any anonymous user on the Internet could crash the site." Chapter 4 also includes an extensive introduction to TCP/IP and the kinds of attacks specific to these widely used protocols. In accordance with his principles, the author refuses to give detailed scripts that would allow uninformed users to generate such attacks; however, his clear explanations make it possible to understand the issues. The next six chapters--about 150 pages--are devoted to intrusion detection systems proper. This section includes detailed overviews of several important products. The products are used to illustrate important principles distinguishing different categories of products - many of which are complementary. Finally, in his last section, the author devotes two chapters to looking at appropriate responses to intrusion. He offers a sensible balance between ignoring intrusions and exerting extraordinary efforts to capture intruders. He very properly suggests that business considerations ought to determine the level of effort devoted to acting as a kind of wild-cyberwest sheriff. In any case, as he points out, it is often impossible to track intruders through the maze of jumps through other victimized sites. For this reason, he urges readers not to attack the proximate sites from which intrusions appear to be launched: too often, such sites are equally victims of the true attackers. The book ends very properly with a 16-page index that seems thorough and useful. As usual in any book, there are always picky little details that a reviewer seems bound to mention in order to demonstrate his or her attention to the text <smile>.
I don't want to do that, although I cannot resist a broad grin at the following garbled sentence from page 201, "The answer lies in that recurring them on behalf of semantics." As an author who has groaned at what has appeared in print under my name, Dr Escamilla has my sincere sympathy. It happens to everyone. In summary, Dr. Escamilla's excellent book is well-written, comprehensive, and useful for both beginners and experts in information security. It is well worth its modest cost (U$40) and I hope that it will be widely used throughout the industry.
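The challenge-response "blooper" the reviewer quotes from Chapter 4 is described in prose only. The following Python is an added example, not code from the book or from the reviewer: it models a server whose expected response is the challenge itself, shows that a key-less attacker who simply echoes the challenge is accepted, and contrasts it with a keyed HMAC-SHA256 response over a fresh, single-use nonce, against which both the echo and a replayed earlier response fail. The class and function names, the in-memory servers and the shared key are all hypothetical constructions for the demonstration.

```python
import hashlib
import hmac
import secrets


class EchoChallengeServer:
    """The blooper: the 'response' the server expects is the challenge itself.

    Anyone who can see the challenge can answer it; no secret is involved,
    so this is authentication in name only. (Constructed for the example.)
    """

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify(self, response: bytes) -> bool:
        return hmac.compare_digest(response, self._pending)


class HmacChallengeServer:
    """Fixed design: response = HMAC-SHA256(shared_key, fresh_nonce).

    Only a party holding the key can compute the response, and because a
    new nonce is issued per attempt and consumed on verify, a captured
    response is useless later. (Constructed for the example.)
    """

    def __init__(self, shared_key: bytes) -> None:
        self._key = shared_key
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            return False
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()
        self._pending = None  # single use: a second verify() on this nonce fails
        return hmac.compare_digest(response, expected)


def legit_response(shared_key: bytes, challenge: bytes) -> bytes:
    """What an honest client holding the key sends back."""
    return hmac.new(shared_key, challenge, hashlib.sha256).digest()


def echo_attack(server) -> bool:
    """Attacker with no key answers the challenge by echoing it back."""
    c = server.challenge()
    return server.verify(c)


def replay_attack(server, captured_response: bytes) -> bool:
    """Attacker replays a response sniffed from an earlier legitimate login."""
    server.challenge()  # server issues a fresh nonce the attacker cannot answer
    return server.verify(captured_response)


def run_demo() -> dict:
    """Runs the four scenarios; every value is True when the design behaves as claimed."""
    key = secrets.token_bytes(32)  # constructed shared secret for the demo
    honest = HmacChallengeServer(key)
    c = honest.challenge()
    captured = legit_response(key, c)  # what a sniffer would see on the wire
    honest_ok = honest.verify(captured)
    return {
        "echo_fools_broken_server": echo_attack(EchoChallengeServer()),
        "echo_fails_against_hmac": not echo_attack(HmacChallengeServer(key)),
        "honest_client_accepted": honest_ok,
        "replayed_response_rejected": not replay_attack(HmacChallengeServer(key), captured),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

The point the example makes concrete is the one the book is quoted as making: a challenge-response scheme only authenticates if computing the response requires something the eavesdropper lacks (here the shared key), and only resists replay if each challenge is fresh and accepted once.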
Rating:  Summary: Valuable help to the data security professional. Review: This is a book with a lot of content, capable of giving valuable help to the data security professional. As often happens today, the title is somewhat misleading, being in this case reductive in relation to the actual content. In fact, the first of the three parts the book is made of (half of the total 348 pages) is a good recap of traditional protection models. Identification, authentication, access control and auditing are covered, both conceptually and with reference to market available tools. The idea is to let the reader have a sound grasp of traditional devices before showing, in the second and third part, how Intrusion Detection Systems (IDS) are a complementary must to the traditional protection models. Both UNIX (various flavours) and NT operating systems are taken into account. The second part introduces both the working philosophy and the practical usage of IDS. They are divided into three main categories: vulnerability assessment scanners, system level devices and network sniffers. Also in this case UNIX and NT scenarios are considered and several market leader tools are described in a certain detail. Integration of IDS with traditional security functions (discussed in part 1) is covered. Despite all your accuracy in deploying a protection system (including IDS), you could be hit! The third part of the book introduces you to the incident handling phase of the story, giving you advice about what to do and not to do in such an undesirable event.
Rating:  Summary: Buy the Northcutt book instead Review: This is just not a useful book. Half of the book is not about intrusion detection at all--it consists of an uninspiring general introduction to computer security. The author apparently has no actual experience in the subject. It is filled with inaccuracies. Confusing 'hash value' with 'digital signature' is a common rookie mistake, but it is typical of the inexcusable lack of precision in this text. Besides being misleading, off-subject, and out-of-date, it is deadly boring. If you want a hands-on book, get the Northcutt text. If you want an academic and useful theoretical approach, get Amoroso's book. If you want an introductory text on information security, why would you buy a book on IDS? It is apparent that Wiley badly wanted to publish a book on intrusion detection, and the author was all too willing to squeeze his existing square peg of a security text into an ill-fitting IDS round hole.