

Best deals for intrusion prevention

We are all aware that systems have to be protected from attacks originating outside the organization. But the most dangerous attacks come from within. These range from people looking for private information (salaries, pricing information, technical secrets), to people with an intent to do damage (the employee just fired, or who just got a new job because of some anger towards the company), to, of course, people looking to steal money. Note that some of the information stored on a computer system may be subject to legal requirements regarding its distribution. This includes things such as medical records.

This is a Cisco book, so it deals with protecting Cisco equipment and techniques. The basic philosophy is the use of the Cisco Security Agent, or CSA. This book does not describe CSA; instead, it covers its implementation and monitoring. This should be considered an advanced book: it presumes a basic knowledge of CSA before you start.


Intrusion Prevention Fundamentals
USD $28.99
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service For SonicWALL TZ 150 - license ( 01-SSC-5771 )
USD $94.99
Gateway Anti-Virus, Anti-Spyware and Intrusion Prevention Service for PRO 3060 -
USD $1,114.49
SonicWALL Gateway Anti-Virus/Intrusion Prevention Service - 1 year upgrade plan ( 01-SSC-5752 )
USD $152.99
WatchGuard Gateway AntiVirus/Intrusion Prevention Service - Subscription License (L80872) Category: Antivirus Software
USD $256.45





WatchGuard Gateway AntiVirus/Intrusion Prevention Service - Subscription License (J93385) Category: Antivirus Software
USD $2,861.99
SonicWALL Gateway Anti-Virus Anti-Spyware and Intrusion Prevention Service for SonicWALL PRO 126 ( 01-SSC-5770 )
USD $309.99
Advanced Host Intrusion Prevention with CSA
USD $34.93
Network Intrusion Detection and Prevention: Concepts and Techniques (Advances in Information Security)
USD $89.41
Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century
USD $40.38

Copyright 2002-2009 by the authors

Posted in Computers & Networking.



10 Responses


  1. Erving says

    “Intrusion Detection and Prevention” left me with a mixed impression. The book has really good parts (fun to read, informative and well presented) and also has other parts…

    The book aspires to clarify the whole intrusion detection and prevention conundrum and I can’t say it completely succeeds at that. The issue is covered, but not really clarified or even defined. Even IDS vs IPS “pro and con” lists have many random items (such as IPS supposed resistance to “low and slow” attacks). Some sections are downright confusing, such as the one on agents. Others are way too short (“creating an IR team” is one page…)

    Among the good parts are correlation chapters, tcpdump coverage, intrusion analysis process, attacks overview (although some important pieces such as web application attacks are missing) and many others.

    The book bears unfortunate signs of being written by a group of people who didn’t talk to each other much. Thus, many contradictions (especially about network IDS) are noticeable in the text. Also, example IDS systems covered in the book have almost no connection to the “theory” chapters that preceded them. Example chapters have no common format as well covering random pieces of architecture, deployment, management and internals.

    What is worse, some parts of the book seem written based on casually browsing vendor websites: “Manhunt Firewall” is one example and in some other cases, the authors confuse the features with product names and with company names. Loose use of industry-standard terminology is there as well (especially when talking about host vs network IDS). “IDSs work at the network layer of the OSI model” is just one example.

    Overall, I liked many places in the book, but the big picture is missing. I’d say it’s a recommended read for non-security people who don’t mind being a bit confused.

    Anton Chuvakin, Ph.D., GCIA, GCIH is a Senior Security Analyst with a major security information management company. He is the author of the book “Security Warrior” (O’Reilly, 2004). His areas of infosec expertise include intrusion detection, UNIX security, forensics, honeypots, etc. In his spare time, he maintains his security portal info-secure.org

  2. Verplanck says

    Intrusion Detection & Prevention by the expert team of Carl Endorf, Eugene Schultz, & Jim Mellander shows exactly how to implement top intrusion detection products into real-world networked environments. Intrusion Detection & Prevention methodically covers the most popular intrusion detection tools including Internet Security Systems’ Black ICE & RealSecure, Cisco Systems’ Secure IDS, Computer Associates’ eTrust, Entercept, and the open source Snort tool. Both of these outstanding titles are confidently recommended and would be of special value as introductions to novice computer users with a need for system security.

  3. Choe says

    I had high hopes for “Intrusion Detection and Prevention” (IDAP) as it is the first book to devote chapters to different vendor IDS products. It’s also the first to explicitly mention the buzzword “intrusion prevention” in its title. Unfortunately, the book does not deliver the value I expected.

    IDAP suffers from several technical issues. The OSI reference model on p. 6 lists ARP as both a layer 4 (transport) and layer 3 (network) protocol. In reality it assists layer 2 but, as it has an EtherType, it’s ok to list at layer 3; layer 4 is wrong. Page 7 says “a NIDS system is usually inline on the network,” but p. 8 says “this is unlike IDS, which do not sit inline.” (NIDS are usually not inline; NIPS are.) Page 34 says “most useful packets will not fit into 68 bytes, so they may need to be fragmented anyway.” All three packets of the three-way handshake and all four of a graceful close can be less than 68 bytes, and they’re certainly useful.

    Pages 36-38 and 97 have multiple errors regarding TCP sequence numbers. Readers familiar with my earlier reviews know these errors are repeated frequently. For data portions of a session, the TCP sequence number is the sequence number of the first byte of application data in the packet. The TCP acknowledgement number is the sequence number of the first byte of application data expected to be sent by the other party.

    The sections I most anticipated were the chapters on products, but only the NFR material was genuinely helpful. First, despite the book’s title, the four products were mainly intrusion detection systems and not intrusion prevention systems. RealSecure, Cisco Secure, Snort, and NFR were covered. RealSecure offers IPS through Proventia, but its capabilities aren’t discussed. The Cisco chapter offers a few sentences on Okena, but where were chapters on NAI IntruShield (formerly from IntruVert) or Entercept? Snort merits a chapter, but why is Sourcefire not mentioned? I know everything can’t appear, but a book called “Intrusion Detection and Prevention” should cover “prevention” products.

    Of the four chapters on products, the NFR material was most useful. I kept two questions important to all analysts in mind while reading: (1) How do I modify or create signatures? (2) How do I validate what the product reports? Only the NFR chapter gave sufficient detail to answer question 1, and only the NFR chapter showed packet data to confirm a sample Code Red II alert. This suggests the other products aren’t capable, which may be true for ISS and Cisco; it’s certainly *not* true for Snort, where modification and validation via packet detail are the heart of the product.

    I also took exception to some of the authors’ conclusions. (Keep in mind a team wrote this book.) A cheap shot on page 187 shows the ISS chapter author doesn’t understand what real analysts need to “trust” their IDS: “These increases in product signatures have given more customers the capability to trust the comprehensive nature of RealSecure over every other product, including the freeware power player, Snort.” Analyst trust is built on transparency and validation, meaning he can see why the product generated an alert, and use additional data to confirm its validity. Snort and NFR offer this; ISS does not. Furthermore, if you don’t like how Snort works, you can modify the source code — try that with a proprietary system.

    On the positive side, I liked the buffer overflow coverage in chapter 4. The Tcpdump chapter offered some intriguing string matching capabilities through nifty bit-shifting, but I think ngrep or even Snort are more practical. A chapter on legal issues gives readers a helpful brief on federal laws and a listing of state cybercrime laws, but fails to mention exceptions to the wiretap act which permit traffic collection.

    I think IDAP left the presses before it was ready to live up to its name. I expect the second edition to cover prevention adequately and to clean up the technical and philosophical issues identified here.

  4. Veasey says

    I think this book laid out a great foundation for anyone involved or wanting to get involved with intrusion detection and prevention. While it is a bit light on the prevention end of things, there is not much out there as of yet and I feel this was a good attempt (besides by the time any book gets released it is already out of date).

    There are some issues with TCP sequence numbers as mentioned in a previous review. The Cisco chapter left a little to be desired as it was not in depth enough. Overall I found this book to be very helpful. I especially like the coverage of the different IDS/IPS systems (Cisco, RealSecure, Snort and NFR). I found that the Snort and NFR chapters were very well written and gave me some new insights.

    I feel that this is the best book to date with good solid IDS/IPS information from both a theoretical and practical hands on point of view.

  5. Thomassian says

    …which actually is a lot to say since I’ve been diagnosed with ADHD for the better part of my life! I’ve been in security for 8 years and don’t consider myself to be an expert but enough to be dangerous. I enjoyed learning about the different subjects that I’m not exposed to through my daily routine. I agree with the one reviewer…I wish there was a better documentation source on Bro (Robin/Vern — spread the wealth!)!

    I really enjoyed the geospatial IDS chapter. I saw the author speak at DefCon last year and enjoyed the topic then as well. The chapter provided a lot more background and insight than his presentation. The ‘outside the box’ thinking is innovative!!

    I felt the chapters did a great job of explaining the intrusion strategies — writing signatures (nearly beaten to death in previous documents but just enough before I started to get ‘turned off’), dataflows, geospatial IDS, ROI, visualization, wireless, WAF, etc.

    Added the book to my company’s InfoSec library.

  6. Umbarger says

    When I first began reading Practical Intrusion Analysis by Ryan Trost, I was a little put off. He begins the book with an overview of IP Addressing, subnetting, and packets. This is a touchy way to begin any book as you will either lose your audience if they are new to this subject, or annoy them if they are already familiar. Ryan was able to expand on this subject without going too far into the weeds, and provide a backbone that makes the next chapters easier to understand.

    The following chapters are the real meat of the book and I really got a lot out of them. Ryan covers the entire area of intrusion detection and prevention solutions from the end-point to geographic-based. I’d recommend this book to any IT Professional who deals with network security, as it helps simplify a fairly complicated subject.

  7. Depew says

    I really enjoyed the book, cover to cover. I also enjoyed that the book didn’t focus on hardware/OS specific examples. One of my pet peeves with other IT books is that the authors find the most atypical network-specific examples to use, which I can’t accurately translate into my network. The book focused more on the concepts and used common examples when necessary (building signatures), etc. Also…I did really enjoy that chapter but found that the screen captures of the packet captures were of poor quality. Luckily some Googling led me to the chapter datastreams/image downloads — [...]

    I also enjoyed the Visualization chapter…enough that I’m planning on catching Tufte’s seminar next time he’s in the area.

    I recommend the book to both beginners and even the more technical audience.

  8. Johnson says

    My search for one book that gives me a bird’s eye view of enterprise intrusion detection and prevention systems processes ends with this book. Anyone who climbs up the ladder from a different background in Information Security can easily understand the ‘ABCD’ of Intrusion Prevention/Detection Analysis by reading this book. The author explained everything from the ground up. For example, when he writes about Network Intrusion Analysis, he starts to explain from the basic OSI reference model and TCP/IP model and goes on explaining how to capture data at various levels of the network.

    This book starts by explaining what Enterprise IT infrastructure looks like and explains in brief what each technology means for the reader. Another good outcome of reading this book is to understand the management aspect of handling intrusion detection/prevention systems and processes.

    Let me briefly describe how this book is structured in terms of chapters and technology implementations. First the author went ahead and described two open source IDS/IPS platforms namely Snort and Bro. He then analyzed and compared (Apple to Orange) both tools to give us an idea which one is best. Obviously snort came out as winner. The reason quoted is that Bro is not a simple solution to implement. You have to define what is normal so that you can trigger abnormal if some intrusion happens. Second, Vulnerability lifecycle which describes how vulnerability goes through a cycle from detection to patching the systems. Other Chapters are arranged in this order to provide a holistic approach to Intrusion Analysis. Prevention techniques, Anomaly detection using NetFlows, Web APP Firewall techniques, Wireless IDS/IPS, Physical Intrusion Detection for IT, Geospatial Intrusion detection and finally ROI factors for business justification.

    To the best of my knowledge the Snort/Bro type of implementations are merely secondary types in any enterprise security. Big IT organization today needs some one to take responsibility of the security vulnerability exposures. Hiring such a professional is costlier than paying support cost for maintaining Vendor products. But if you are really looking for crash course on IPS/IDS, I certainly recommend this book.

    Advanced examples given in Chapter 4, “Life Cycle of vulnerability”, open up a new horizon for Infosec professionals who are starting their career in network security. The author took diversified examples to attract all sorts of industry audiences. For example SCADA is mostly used in process industries, Bitmap vulnerability targets PC users and DNS vulnerability targets the Internet industry. The author also provides some helpful tools and websites for your reference.

    The analytical approach to proactive intrusion prevention and response is another favorite subject of mine. The author explains how an IT security analyst can use attack graphs to prevent any unforeseen incidents. Anomaly detection techniques using Network Flows are described in Chapter 6. The author weighed multi-vendor products which support Netflow technology; this is “must know” information.

    One of the important chapters I liked was Web Application Firewall. The author goes on explaining various security models that one can apply according to their need and environment. The author also puts emphasis on physical intrusion detection, which is mostly ignored in enterprise security. In analyzing ROI, the author describes the importance of cost/benefit analysis and goes on explaining various mandatory compliance obligations to be taken into consideration. He also introduces the MSSP model and analyzes the pros and cons of outsourcing security operations. Finally, various insurance options are discussed in order to mitigate huge liability in case of any security breach.

    Overall, the author covered the whole nine yards of Intrusion Prevention techniques. I highly recommend this book for all Security Analysts and anyone who oversees security operations. This book can also be a very good reference point for CISSP and CISM certifications. At the end, as network security professional, I would like to have this as one of the companion in my INFOSEC library.

  9. Esquivel says

    This book is not really a book: it is a collection of papers about security and intrusion detection. The book bears unfortunate, but noticeable signs of being written by multiple people who didn’t talk to each other much.

    I just finished reading the book and I can say I enjoyed it. It does have interesting ideas peppered in some places. Overall presentation consistency, however, is not lacking – it is absent. Also, the book is not terribly practical if you define practice as “protection of systems and networks from attacks.” Many chapters are shallow and give the impression of being added to get the book to the 450-page threshold.

    So, some chapters are fun and insightful (“Geospatial ID”, “Physical IDS”, the sections on signature tuning), some are funny (example: one chapter talks about SIEM, SIM and SEM, but errs about what “M” in those stands for… seriously!) and some are sad (example: the one that mentions IDMEF), while others are very shallow (“Wireless IDS/IPS”). The chapter on ROI made me fall under my desk; I experienced an actual literal ROFL.

    Here are some of the highlights. Ch3 has a lot of useful Bro NIDS tips; if you have never used Bro in production, give it a try. In Ch4, I liked the vulnerability-based signature definition workflow, which takes into account sig performance tuning. Ch5 was written by an academic, who doesn’t get out much; it works great if you want to really know what the word “befuddled” means (it also mentioned IDMEF for extra punch :-) ) Ch6 is fine if you never dealt with network flows; not a bad intro. Ch7 is a very shallow intro to web application firewalls, while ch8 is the same for wireless IDS/IPS. Ch9 deals with physical security and I loved it; such information rarely shows in IT books and it was great to learn it. Ch10 that deals with geospatial intrusion detection is another good one; the approach looks a bit weird (example: all events with the source address close to a company facility are considered “false positives”…). Ch 11 on visualization mentions all the right books on the subject, but then chooses to make itself a bad comparison to them.

    Now, ch12 (“Return on Investment: Business Justification”) is pure freakshow; I have not laughed that hard for a few months at least. After I had a chance to think about it, I realized that maybe it was intended for humorous relief since it is the last chapter. In any case, the work computes the precise ROI for any IDS system like this: ALE = SBE x ARO = $517,580…

    Overall, if you want a moderately interesting security read with some good ideas, get it. If you are looking for information on practical intrusion analysis in whatever century, skip it.

    Finally, Addison-Wesley provided me with a review copy.

  10. Quintus says

    This book was not what I expected. I purchased it to learn about complex deployment scenarios, troubleshooting, and most importantly, analysis of events (how to deal with false positives, false negatives etc). A good portion of this book is dedicated to topics such as planning and information gathering which are essential for deploying any new product or solution. “Managing CSA Projects” would have been an appropriate name for the book. There are a couple of good chapters on policies and a chapter on event correlation.