9 Reviews
5 of 6 people found the following review helpful:
4.0 out of 5 stars
Not a beginner's book but very, very good
By Anthony Lawrence (Middleboro, MA USA)
This review is from: Intrusion Prevention and Active Response: Deploying Network and Host IPS (Paperback)
This is excellent, but not a beginner's book - you'll need to read some other security books before jumping into this. On the other hand, the format of it is very good for learning: each section presents ideas and concepts, and is followed by a summary that bullets important points, and then by a less formal Q&A section. Additionally, the chapters are peppered with "Notes from the Underground" sections that are interesting sidebars on the subject.

The more security books I read, the more I feel like I'm standing in a hall of mirrors, with the villain plainly visible pointing a weapon at me. But where is he? Which reflection is the one I need to pay attention to? That's one of the many interesting points discussed here: false positives distract your attention from real problems, and the "bad guys" know that, so if you ever are under real attack, you can bet that you'll also be seeing all manner of distracting false attacks.

This covers all the important security tools, mostly from a Linux perspective, though Windows isn't entirely ignored. Weaknesses and strengths are examined, but what I really appreciated was the constant focus on reality: this isn't at all a theoretical discussion; it's real-world, get your hands dirty, watch out for this, etc. Great job, the authors obviously put a lot of thought into it. The only fault I'd find at all is that some of it gets very techy, but that's really unavoidable: you can't begin to understand how some of these exploits work without a deeper understanding of geekish subjects. I think in general they did an excellent job with all of it.
2 of 2 people found the following review helpful:
4.0 out of 5 stars
False positives and negatives are the problem
This review is from: Intrusion Prevention and Active Response: Deploying Network and Host IPS (Paperback)
As malware and cracking become more potent, so too have the countermeasures. Hitherto, IDS have been popular, to detect such incursions into your network. But sterner tactics have evolved. An IDS is essentially passive. This book explores the concept of an Intrusion Prevention System.

The strongest configuration is to put an IPS inline, so that it sits between the Internet and your computers. It parses the network traffic at any or all of the 5 layers, from data link to application. In its most intensive incarnation, it can analyse application layer data and modify these before passing them on. Plus, of course, it can block suspect attack messages, even in a zero-day mode. The discussion is fairly technical. A good prior knowledge of UDP and TCP is needed to make sense of much of the text. The book is also careful to warn of the pitfalls of using an IPS, especially inline: false positives and negatives. It is very hard to correctly find all the attacks. That is, to be able to implement a robust rule set to remove attacks from the traffic.
2 of 3 people found the following review helpful:
4.0 out of 5 stars
Intrusion Prevention Help
This review is from: Intrusion Prevention and Active Response: Deploying Network and Host IPS (Paperback)
This book was really helpful! Our company really needed a solution for a prevention/response system. We already had an IDS system but needed something for the attacks. Once our company was under attack we had no way of stopping it. This book really helped us to make an intelligent decision and the company went with the Interceptor.NET from Network Intercept. They were found on www.networkintercept.com. This book explains all about how these kinds of systems work and was really knowledgeable. Highly recommend!
4.0 out of 5 stars
In depth and complete
This review is from: Intrusion Prevention and Active Response: Deploying Network and Host IPS (Paperback)
Will Intrusion Prevention and Active Response help you in purchasing your next IPS system? Yes and no. Yes, because it will provide you with a really good insight about what IPSs are about, where they will help, where they will fail, and where they will make things worse.

But you'll have a hard time if you're not technically savvy, if you don't master at least the basics of TCP/IP, network and application security, Linux, and even C and Assembler up to a certain extent. It is not written for managers trying to decide what commercial product to choose and purchase. Be prepared for some in-depth, geek stuff.

The build-up and organization is logical and obvious. A good and detailed first four chapters explain why you should go for IPSs, what they are, what they will do and what they will not. This `introduction' is followed by 3 chapters (about 170 pp.) detailing, with all technical details, examples, code samples and such, what attacks an inline IPS may thwart, how these attacks work. This part is really in depth, and in some points is a very good complement to the mandatory reading of Hacking Exposed. In particular, I really liked Chapter 6, where the inner workings of a buffer overflow are explained. Then again, be prepared to drill down to the stack pointers, processor registers and all that good stuff. After all, exploiting buffer overflows is not obvious, and neither is the understanding of what they are. But the authors manage to explain the actual workings of a buffer overflow, starting from such concepts as process and memory management, the stack pointers - and use a practical example so you can try this at home. One may want to read it twice, though... The book concludes with two chapters about Open Source IPS, and Evasion Techniques. Recommended reading? Yes, definitely for anyone with a good technical basis, wondering what IPSs really are about.

Pros:
- In depth, no blah blah, no big screenshots, no page filling
- Good layout, easily readable large font
- Full of practical examples, code samples, and how-to's. You'll want a Linux box around to try this stuff out
- All chapters end with a summary (normal), but also a checklist (a kind of bulleted complement of the summary), a `solutions fast track', not about solutions (see cons) but rather another topic-by-topic review. Then comes the commented list of URLs mentioned in the chapter - good to review things and dig further, and a FAQ, giving practical answers to those questions you're still wondering about.
- Not commercial - the whole discussion is based on Snort, Netfilter, and zillions of readily available hacking tools and Linux add-ons

Cons:
- Syngress probably hired some marketing guy who felt it was absolutely necessary to include all sorts of buzzwords and frills: chapters are `Solutions'. This book is about explaining and understanding, not about solutions. Little check marks, the Syngress URL on every page, `Notes from the Underground' boxes. Underground? Yeah, that must sound cool... All rather pointless and distracting. Minus one star for this.
- Nothing about commercial products. Everything is based on Open Source. While that makes it easy to test things out, most readers would still appreciate an additional chapter covering some pros and cons of the major products out there, even when it comes to comparing them to Snort.

All in all, great job, great book, interesting but at times demanding reading. Next recommended reading? Snort 2.1 Intrusion Detection, from Syngress as well.
3 of 5 people found the following review helpful:
3.0 out of 5 stars
Host and network protection solutions
By jose_monkey_org (Ann Arbor, MI, USA)
This review is from: Intrusion Prevention and Active Response: Deploying Network and Host IPS (Paperback)
The June, 2003, report from Gartner on the death of IDS set off a lot of security industry activity. Everyone was busy trying to either defend the IDS product space, reposition their products as IPS devices, or trying to dismiss the Gartner position. Many security engineers had to suddenly evaluate the IPS products on the market and make purchase and deployment decisions, as well. However, there's been a lack of understanding of this marketspace for some time. If you've been curious about this technology, you may want to look at Intrusion Prevention and Active Response: Deploying Network and Host IPS to help you understand these solutions.

It would have been relatively easy to write a book that simply covered one facet of the IPS product space, such as network IPS systems. However, the authors have chosen to try and write a comprehensive overview of the tools currently available for both the network and the host, as well as ways in which they can be attacked and the scenarios they work in. While the book focuses on open source tools, including the Snort IPS extensions, the techniques apply to closed source, commercial tools as well. In general I found Intrusion Prevention to be a decent first book on the subject, although a bit unfocused in its delivery. At times it seems to try and bite off more than it can chew, or go off on a tangent for too long (such as the many pages of nmap options), but in general the book does a fair job of delivering its promise. Through it you'll get a good overview of many of the technologies present in the IPS marketspace and what they offer. If you're up to it, you'll even learn a few ways to test the tools and weed out the snake oil vendors. The book is heavy on actual system output and configuration examples. I like the explicit packet captures and snort rules; I think they go a long way towards illustrating the premise of an IPS system.
As is somewhat common with Syngress press books, the formatting is a bit off at times (sometimes it's too wide or slips over the page boundary at the wrong time), but if you can work past that you're rewarded with a useful example. For host-based IPS solutions, the book covers a number of approaches that aren't always evident as IPS techniques. Various stack protection mechanisms, including LD_PRELOAD techniques like Libsafe, GCC modifications such as StackGuard, and kernel modifications like LIDS, PaX, RBAC and GrSecurity are all described. By now you can see that the book is pretty Linux and open source centric. This isn't too bad at all, since the basic functionality is present in most of the commercial tools, as well. These can include inline network data modification and reactions or application integrity checking tools. The open source versions, while they sometimes have fewer features, are excellent representatives of this technology. The book really comes together in chapter 8, 'Deploying Open Source IPS Solutions.' Several vulnerable systems are set up, deployed in a fictitious network, and protected through a variety of IPS solutions which work together to create a layered security model. If the network can detect the attack, it's dropped or modified to remove the offending bits. If the malicious data gets through to the host, the host-level IPS tools remediate the problem. All in all a nice example chapter. The discussion on how to evade IPS devices was a bit lacking, unfortunately. It seems squeezed in, and doesn't have the same level of detail as other chapters on similar topics. Detailed descriptions of the layer 3, 4 and application layer obfuscation techniques would have been useful to help explain this complex topic. Before you begin thinking that the authors are entirely gung-ho on IPS technologies, they spend a long time discussing how they can be fooled and how they are fundamentally prone to false positives. 
This tempered stance is valuable, and they recommend that you take a limited set of functionality from your IDS system and make it reactive in your IPS. There are only a couple of books that cover IPS technologies to any significant degree, and this appears to be the only one solely devoted to discussing IPS approaches for both the host and network. To that end, the authors have done a pretty good job of introducing the reader to what an IPS can give them, how to evaluate it, and what to expect in the real world. While the book itself has some production and layout problems, the material is worthwhile and will give the reader much-needed advice.
1 of 3 people found the following review helpful:
4.0 out of 5 stars
Want to deploy an IPS? Start with this book.
This review is from: Intrusion Prevention and Active Response: Deploying Network and Host IPS (Paperback)
Intrusion Prevention and Active Response (IPAR) is a welcome departure from many books covering intrusion prevention and detection. The authors clearly distinguish between intrusion detection systems (IDS) and intrusion prevention systems (IPS), a distinction often conflated in media, training manuals and other educational material. The level of presentation is well suited for someone familiar with security principles, techniques and methods. If you are new to Linux, then you will probably need supporting materials to get through the more complex chapters. IPAR covers several key areas of IPS. Though many chapters focus on network and data link layers, the section on protecting your system through host-based IPS can be used on a wide number of systems. Too many IPS/IDS books focus only on perimeter security and fail to address what can be done at the host level. With the increased use of WAN, VPN and other applications, the perimeter is dissipating, making host security increasingly important.

The section on host IPS touches on a number of items with a rather detailed treatment of buffer overflows. Although I find reading source code in a book painfully boring, this detailed treatment of buffer overflows is welcomed. If you go through this section carefully, you will have a very good understanding of why buffer overflows are often exploited and, more importantly, how they can be defeated with tools like PaX and StackGuard. There is a brief treatment of hardened OSs and SELinux. Personally, I think the SELinux treatment was a bit light, especially as SELinux is now standard for Fedora Core 3 and Red Hat Enterprise Linux 4. Few books touch on SELinux, so a more expanded treatment of it here would have been welcomed. Nonetheless, the section on host based IPS is recommended to any server owner, especially those that lease or co-locate equipment that is in a network environment which they cannot control. Chapter 7 focuses on application layer IPS controls.

The best part of this chapter is a good review of common web application attacks such as cross-site scripting, form field manipulation, and SQL injection. These types of attacks are frequent entry points for hackers. The chapter also includes information on tools like ModSecurity, IIS Lockdown and others that can be used to protect your applications. The remaining chapters provide background IPS information and details on how to protect the network layer. If you are a network manager, these chapters are a good starting point to IPS theory and practice. The last chapter provides brief accounts about deploying various open source tools, such as fwsnort, SnortSAM, LIDS, PSAD, and PortSentry. The inclusion of these tools is great but I think most will find that the treatment is too brief to provide a full-scale implementation. The authors point you in the right direction and get you started but you will need to rely on another resource if you plan to deploy many of these solutions. Intrusion Prevention and Active Response is very good for anyone looking to secure their hosts and/or network. Some sections can become a bit tedious at times as they include packet captures, traces, and other highly detailed and technical information. I am not sure that showing a page full of a packet capture is too beneficial. I would rather see this replaced with a CD-ROM that can simulate such events. Aside from this caveat, the treatment and background information on IPS is very strong. I recommend this book to anyone considering deploying IPS systems or who simply wants to learn more about the differences between intrusion detection and intrusion prevention. As one of the few books focusing strictly on IPS, I think any security manager or system administrator can find some useful tidbits inside.
1 of 3 people found the following review helpful:
5.0 out of 5 stars
Great book for those who want to go a step further!
This review is from: Intrusion Prevention and Active Response: Deploying Network and Host IPS (Paperback)
This is the type of book I have been looking for. I am so tired of all the beginner security books that take 200 pages to review TCP/IP. This book is so much better because it goes beyond that and gets into the real in-depth technical areas of security. It provides both a theoretical and hands-on perspective for IPS - the first book to attempt to harness such a pervasive technology. The distinguished author team (check out some of their other books) is just the right choice for such a book and they do an excellent job at presenting the technology from a factual standpoint without bias.
0 of 3 people found the following review helpful:
4.0 out of 5 stars
A solid examination of open source solutions
This review is from: Intrusion Prevention and Active Response: Deploying Network and Host IPS (Paperback)
'Intrusion Prevention and Active Response' (IPAAR) is a good book, as long as you confine your expectations to open source solutions. The foreword says 'Security professionals are going to be approaching management for funding in the next year or two to procure intrusion prevention devices, especially intelligent switches from 3Com (TippingPoint), as well as host-based intrusion prevention solutions like Cisco Security Agent, Platform Logic, Ozone, or CrossTec.' This foreword was the first time I had heard of several of these products, but unfortunately none of them receive any coverage at all in IPAAR. Aside from a short discussion of the Enterasys Web IPS, eEye's SecureIIS, and improvements in Microsoft IIS 6.0, IPAAR squarely concentrates on open source products. Nevertheless, the book does a better job covering so-called prevention solutions than the previous book with 'prevention' in the title, e.g., Osborne's 'Intrusion Detection and Prevention.'

Without doubt the best part of IPAAR is chapter 6, 'Protecting Your Host Through the Operating System.' This chapter explains memory operations and ways to protect memory contents. The author, probably Graham Clark of Enterasys, mentions both Windows and Linux memory management. He uses a sample C program and a custom Metasploit exploit to demonstrate buffer overflows. Using GDB he shows how the exploit affects a target and then describes multiple ways to mitigate these attacks. I also enjoyed chapter 5, 'Network Inline Data Modification.' The author makes creative use of Tcpdump traces to explain how Netfilter string replacement and Snort_inline protect vulnerable services. His justification of this defensive strategy is tempered by a good discussion of the pros and cons of inline data modification. Chapter 8 also skillfully leverages Tcpdump traces to show network IPS in action. I did not have major problems with IPAAR, aside from the lack of even a mention of almost all commercial intrusion prevention products.
This is a deficiency because it is tough to find unbiased discussions of the capabilities of network- and host-based IPSs. On the technical front, chapter 8 presented several slight TCP sequence number problems. On p. 317 we see packets with 'ack 358'; this means bytes of data relatively numbered 1 to 357 have been received, and the next byte of expected data is relative number 358. The client did not receive 'all data ending at server sequence number 358,' as stated on p. 319 and elsewhere; 'ack 358' means it received 1 through 357 and is awaiting 358. I found it silly to call the application layer on p. 258 'layer 5' instead of layer 7, the universally recognized way to refer to the services available to applications. I also laughed at this statement on p. 37: 'Many widely deployed mainstream products deviate from the protocol specifications. Hopefully, new packet inspection devices that check for protocol compliance will force these vendors to update and correct any noncompliance with protocol standards.' Sorry, any IPS component that complains about business-critical application protocols will end up turned off. Security vendors always lose the battle with application vendors! In places IPAAR demonstrates a serious understanding of the limitations of so-called 'intrusion prevention systems,' which when network-based are really layer 7 firewalls. For example, p. 75 states 'the fundamental problem with this technology is that in order to prevent an attack, it first has to be detected. Hence, it is no surprise that the detection mechanisms employed by both active response and IPSs are borrowed from IDSs, and therefore subject to the same limitations.' This is the fact Gartner conveniently overlooked when it pushed 'firewalls with deep packet inspection' ahead of IDSs in 2003. I recommend reading IPAAR if you are considering deploying open source layer 7 firewalls (aka 'IPSs') or want to augment host-based defenses. 
There are few reasons not to try running a product like ModSecurity on an Apache Web server, and it helps to understand new anti-overflow features in the latest Fedora and Red Hat Linux releases. Keep in mind most of the host-based open source solutions in IPAAR are Linux-specific, in a world where Windows is the target of the day. If you need help evaluating IPS for Windows, IPAAR won't be able to specifically help you.
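The relative sequence/ack bookkeeping the reviewer above corrects ('ack 358' acknowledges bytes 1 through 357 and names 358 as the next expected byte) is easy to get wrong when reading a trace by hand. The following is an added example, not code from the book or the reviewer: it walks a constructed set of tcpdump-style lines (old `flags a:b(n) ack N` format, relative numbering) and flags an ack that claims more data than the peer has sent, going one step beyond the review by also checking that each `a:b(n)` length is consistent.

```python
import re

# Constructed tcpdump-style lines in the old "flags a:b(n) ack N" format with
# relative sequence numbers (after the handshake tcpdump numbers the first data
# byte 1 because the SYN consumed relative 0). Not from the book or the review.
# The last line is deliberately wrong: the client sent bytes 358..399, so the
# server's ack should be 400, not 401.
SAMPLE_TRACE = """\
IP 10.0.0.5.40000 > 10.0.0.9.80: P 1:358(357) ack 1 win 5840
IP 10.0.0.9.80 > 10.0.0.5.40000: . ack 358 win 5792
IP 10.0.0.9.80 > 10.0.0.5.40000: P 1:513(512) ack 358 win 5792
IP 10.0.0.5.40000 > 10.0.0.9.80: . ack 513 win 6432
IP 10.0.0.5.40000 > 10.0.0.9.80: P 358:400(42) ack 513 win 6432
IP 10.0.0.9.80 > 10.0.0.5.40000: . ack 401 win 5792
"""

LINE_RE = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>\S+): \S+ "          # endpoints and flag field
    r"(?:(?P<s0>\d+):(?P<s1>\d+)\((?P<len>\d+)\) )?"  # optional a:b(n) data range
    r"ack (?P<ack>\d+)"
)


def ack_means(ack):
    """Relative 'ack N' acknowledges bytes 1..N-1 and names N as the next
    expected byte. Returns (first_acked, last_acked, next_expected)."""
    return (1, ack - 1, ack)


def data_range(s0, s1):
    """tcpdump's a:b(n) is half-open: the segment carries bytes a..b-1, n = b - a."""
    return (s0, s1 - 1)


def check_trace(trace):
    """Track the next byte each endpoint will send and report any segment whose
    ack claims data the peer has not sent, or whose a:b(n) length is inconsistent.
    Returns a list of problem descriptions (empty when the trace is consistent)."""
    next_to_send = {}  # endpoint -> relative seq number of the next byte it sends
    problems = []
    for lineno, line in enumerate(trace.splitlines(), 1):
        m = LINE_RE.search(line)
        if not m:
            continue  # lines without an ack field (e.g. the initial SYN) are skipped
        src, dst = m["src"], m["dst"]
        if m["s0"]:
            s0, s1, n = int(m["s0"]), int(m["s1"]), int(m["len"])
            if s1 - s0 != n:
                problems.append(f"line {lineno}: range {s0}:{s1} covers {s1 - s0} bytes, not {n}")
            next_to_send[src] = max(next_to_send.get(src, 1), s1)
        ack = int(m["ack"])
        peer_next = next_to_send.get(dst, 1)
        if ack > peer_next:
            sent = "nothing" if peer_next == 1 else f"bytes 1..{data_range(1, peer_next)[1]}"
            problems.append(
                f"line {lineno}: {src} acks {ack}, but {dst} has only sent {sent} "
                f"(correct ack would be {peer_next})"
            )
    return problems


if __name__ == "__main__":
    print("ack 358 ->", ack_means(358))  # (1, 357, 358)
    for problem in check_trace(SAMPLE_TRACE):
        print(problem)
```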
0 of 3 people found the following review helpful:
4.0 out of 5 stars
Intrusion Prevention System review
This review is from: Intrusion Prevention and Active Response: Deploying Network and Host IPS (Paperback)
This was a decent book that explains more than I could understand, but it was very helpful and I would recommend it.
Intrusion Prevention and Active Response: Deploying Network and Host IPS by Angela Orebaugh (Paperback - April 26, 2005)