Forwarded From: "Rob Slade" <rslade@sprint.ca>
BKINTRDT.RVW 990108
"Intrusion Detection", Terry Escamilla, 1998, 0-471-29000-9,
U$39.99/C$56.50
%A Terry Escamilla
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%D 1998
%G 0-471-29000-9
%I John Wiley & Sons, Inc.
%O U$39.99/C$56.50 416-236-4433 fax: 416-236-4448 rlangloi@wiley.com
%P 348 p.
%T "Intrusion Detection: Network Security Beyond the Firewall"
Maybe my perception is skewed from having been involved with physical
security as well as the computer kind, but I see intrusion detection as
being part of security. There is no security system that cannot be
penetrated or bypassed, and so detection is, in my view, simply a fact of
security life. Isn't that what auditing, one of the main pillars of data
security, is all about? So I find the attempt to sell the idea of intrusion
detection somewhat redundant. Then there is the emphasis on reviewing
commercial Intrusion Detection Systems (IDS).
Part one looks at what happens before intrusion detection: the traditional
role and model of computer security. Chapter one provides a brief, but
reasonably sound, overview of this classic paradigm, concentrating on
defining most of the theoretical terms used. Some identification and
authentication details from both UNIX and Windows NT start our chapter
two, which then meanders through a few examples of password cracking, and
finally ends with a look at ticket granting systems and other
authentication improvements. A similar look at access control is provided
by chapter three. Given the complexity of networking and network
security, the number of topics covered in chapter four is unsurprising.
Part two looks at intrusion detection by extending the traditional
security design. Chapter five is fairly pivotal, as evidenced by the
title "Intrusion Detection and Why You Need It." The "why" part comes
first, with a rather weak example showing that security systems can have
loopholes if you don't configure or program everything properly. Intrusion
detection then seems to be defined as the usual game of
find-vulnerability-fix-repeat, only in automated form. A number of possible
attacks are mentioned in chapter six, and then a promotion of the addition
of an IDS layer to a system, without a corresponding reiteration of the
warning, from chapter four, that layers in a system increase the
possibility of loopholes. I was rather astonished that SATAN [Security
Administrator's Tool for Analyzing Networks] was not included with the
vulnerability scanners mentioned in chapter seven. Two more sophisticated
products are reviewed in chapter eight. Chapter nine looks at the
possibility of catching intruders by traffic analysis, although "catch"
seems to be too strong a term to use here. Since most of the foregoing
deals with UNIX, chapter ten looks at similar products for NT, although
most of the material seems to concentrate on NT's own audit logs.
Part three looks at dealing with an intrusion once you have detected it.
Chapter eleven recommends being prepared well, detecting early, analyzing
thoroughly, and deciding judiciously. In one useful piece of advice, it
recommends against an attack on a system you may think is hitting on
yours. Chapter twelve is a quick summary of the book.
As the author admits, in the final chapter, that intrusion detection
systems are not the final word in computer security, I am inescapably
reminded of the battles in the antiviral field over the relative strengths
of scanners, activity monitors, and change detection systems. What works
best? A combination approach, of course. The price of a secure system is
more budget for administration time and tools. This book does not present
any radically new approach or technique for system security. In fact,
with the emphasis on proprietary commercial products, the work will date
quite quickly. For those who are looking to add an automated IDS to their
current network, the volume could act as a kind of incomplete buyer's
guide.
copyright Robert M. Slade, 1999 BKINTRDT.RVW 990108
Received on Thu Mar 11 17:22:57 1999