
| Subject: | [CISSP-D] REVIEW: "Intrusion Prevention and Active Response", Michael Rash et al |
|---|---|
| Date: | Mon, 17 Jul 2006 20:37:50 -0800 |
BKINPRAR.RVW 20050615

"Intrusion Prevention and Active Response", Michael Rash et al, 2005, 1-932266-47-X, U$49.95/C$69.95

%A Michael Rash www.cipherdyne.org
%A Angela Orebaugh
%A Graham Clark
%A Becky Pinkard
%A Jake Babbin
%C 800 Hingham Street, Rockland, MA 02370
%D 2005
%G 1-932266-47-X
%I Syngress Media, Inc.
%O U$49.95/C$69.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O http://www.amazon.com/exec/obidos/ASIN/193226647X/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/193226647X/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/193226647X/robsladesin03-20
%O Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P 402 p.
%T "Intrusion Prevention and Active Response"

In the beginning were the blackhats, and the net was without form, and void. (Actually, slightly before the beginning were a bunch of grad students who were just all keen to share stuff and never figured anybody would try and deliberately break such a neat toy.) And the security community said, "Let there be firewalls!" And the security community looked upon the firewalls and saw that they were good. (And they didn't say anything in particular about the fact that there were also ACLs, and rulesets, and management issues, and all manner of creeping features.) And the security community said, "Let there be intrusion detection systems, which shall also be known as IDSs!" And the security community looked upon the IDSs and saw that they were good. (And there were even *more* ACLs, and rulesets, and management issues, and all manner of creeping features.) And the security community said, "Let us make unto ourselves the ultimate in network security tools, and let it be the Holy Grail and Silver Bullet and Philosopher's Stone of security, and let it manage itself and respond to any kind of attack!" And lo, the security vendors looked upon the intrusion prevention system (IPS) and saw that it was a very good marketing idea.

Chapter one attempts to define intrusion prevention and active response, but it doesn't do so in a particularly clear or consistent manner. An IPS is an IDS that can take some kind of action. What kind of action? Well, an IPS does data content (application level) inspection. Maybe. Then again, a network-based active response system (and an active response system may or may not be the same thing as an IPS: it depends upon which section of the chapter you are reading) might modify firewall policies or respond to attack packets by resetting the port and killing the connection. (This means, as the book points out, that an active response system can't do anything at all to prevent an attack that consists of a single packet. I'm not sure that all IPS vendors would agree with that position.) Network-based IPS/active response systems can block ports or systems, change firewall rules, reset connections, or alter the data content. (And why wouldn't that stop a single-packet attack?) Host-based IPS/active response can revise filesystem privileges, perform disinfection, and change firewall rules.

I'm sorry, that paragraph was confused, had poor structure, and was not particularly clear. But then again, it seems to capture the essence and style of chapter one. (In response to the draft of this review, one of the authors feels that I have not been fair. He primarily notes that the authors wish to make a distinction between intrusion prevention and active response, but that is not made terribly clear in the printed text. In addition, he says that the missing details I have listed are present in the book--but gives citations that come from a variety of different places in the volume.)

Chapter two seems to be an attempt to declare that "deep" packet inspection is different than inspection of the packet contents, but, aside from giving a whole bunch of examples of things that shouldn't be in packets, it doesn't say why.

False positives can be a real danger, so I agree with the title of chapter three. Unfortunately, the text doesn't: we simply have a lot of discussion about how Nmap works, finishing off with a terse mention of Bayesian statistics. A few specific attacks against certain applications (and certain versions) are listed in chapter four. Chapter five discusses systems that will modify data content, but only in terms of setting up Snort or Netfilter for specific attacks, and not in a usefully detailed way, or one that is helpful for general usage. A few more attacks, and ways that systems operating at the level of the kernel can help, are described (in a rather confused fashion) in chapter six. Chapter seven proposes an application-level IPS, but what is described seems to be identical to any application-level proxy firewall with content inspection. Chapter eight lists some of the data you might obtain from a number of open source tools. Some of the things that can go wrong with an IPS are mentioned in chapter nine.

Intrusion prevention systems are new, not terribly well-defined, and popular. The security literature on the topic is limited. Therefore, any work that addresses the topic will have some value. Indeed, in his response, one of the authors felt that they should get some credit for being first, and this is generally true. This book, however, will be difficult for the newcomer to approach with any certainty. The expert will find it both limited and (because of this) misleading at times. Some of the content is useful, and a number of the points raised should be considered, but the material should be treated with caution. The volume is doctrinaire about items that cannot yet be fully agreed upon, neglects issues and options that should be considered by security professionals, includes considerable information that has only the most tenuous connection to the topic at hand, and is written without much consideration for the reader.

copyright Robert M.
Slade, 2006 BKINPRAR.RVW 20050615

======================
(quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Success usually comes to those who are too busy to be looking for it. - Henry David Thoreau
Dictionary of Information Security www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm