Customer Review

0 of 3 people found the following review helpful
4.0 out of 5 stars A solid examination of open source solutions, April 4, 2005
This review is from: Intrusion Prevention and Active Response: Deploying Network and Host IPS (Paperback)
'Intrusion Prevention and Active Response' (IPAAR) is a good book, as long as you confine your expectations to open source solutions. The foreword says 'Security professionals are going to be approaching management for funding in the next year or two to procure intrusion prevention devices, especially intelligent switches from 3Com (TippingPoint), as well as host-based intrusion prevention solutions like Cisco Security Agent, Platform Logic, Ozone, or CrossTec.' This foreword was the first time I had heard of several of these products, but unfortunately none of them receive any coverage at all in IPAAR. Aside from a short discussion of the Enterasys Web IPS, eEye's SecureIIS, and improvements in Microsoft IIS 6.0, IPAAR squarely concentrates on open source products. Nevertheless, the book does a better job covering so-called prevention solutions than the previous book with 'prevention' in the title, e.g., Osborne's 'Intrusion Detection and Prevention.'

Without doubt the best part of IPAAR is chapter 6, 'Protecting Your Host Through the Operating System.' This chapter explains memory operations and ways to protect memory contents. The author, probably Graham Clark of Enterasys, mentions both Windows and Linux memory management. He uses a sample C program and a custom Metasploit exploit to demonstrate buffer overflows. Using GDB he shows how the exploit affects a target and then describes multiple ways to mitigate these attacks.

I also enjoyed chapter 5, 'Network Inline Data Modification.' The author makes creative use of Tcpdump traces to explain how Netfilter string replacement and Snort_inline protect vulnerable services. His justification of this defensive strategy is tempered by a good discussion of the pros and cons of inline data modification. Chapter 8 also skillfully leverages Tcpdump traces to show network IPS in action.

I did not have major problems with IPAAR, aside from the lack of even a mention of almost all commercial intrusion prevention products. This is a deficiency because it is tough to find unbiased discussions of the capabilities of network- and host-based IPSs. On the technical front, chapter 8 presented several slight TCP sequence number problems. On p. 317 we see packets with 'ack 358'; this means bytes of data relatively numbered 1 to 357 have been received, and the next byte of expected data is relative number 358. The client did not receive 'all data ending at server sequence number 358,' as stated on p. 319 and elsewhere; 'ack 358' means it received 1 through 357 and is awaiting 358.

I found it silly to call the application layer on p. 258 'layer 5' instead of layer 7, the universally recognized way to refer to the services available to applications. I also laughed at this statement on p. 37: 'Many widely deployed mainstream products deviate from the protocol specifications. Hopefully, new packet inspection devices that check for protocol compliance will force these vendors to update and correct any noncompliance with protocol standards.' Sorry, any IPS component that complains about business-critical application protocols will end up turned off. Security vendors always lose the battle with application vendors!

In places IPAAR demonstrates a serious understanding of the limitations of so-called 'intrusion prevention systems,' which when network-based are really layer 7 firewalls. For example, p. 75 states 'the fundamental problem with this technology is that in order to prevent an attack, it first has to be detected. Hence, it is no surprise that the detection mechanisms employed by both active response and IPSs are borrowed from IDSs, and therefore subject to the same limitations.' This is the fact Gartner conveniently overlooked when it pushed 'firewalls with deep packet inspection' ahead of IDSs in 2003.

I recommend reading IPAAR if you are considering deploying open source layer 7 firewalls (aka 'IPSs') or want to augment host-based defenses. There are few reasons not to try running a product like ModSecurity on an Apache Web server, and it helps to understand new anti-overflow features in the latest Fedora and Red Hat Linux releases. Keep in mind most of the host-based open source solutions in IPAAR are Linux-specific, in a world where Windows is the target of the day. If you need help evaluating IPS for Windows, IPAAR won't be able to specifically help you.
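The reviewer's point about 'ack 358' is easy to get wrong when reading tcpdump output, so here is a worked check, added by the editor as an example and not part of the review or of the book under review. It parses the older tcpdump TCP line format the book's traces use (`src > dst: FLAGS start:end(len) ack N win W`, relative sequence numbers after the handshake), reports which bytes each ACK covers, and flags an ACK that does not line up with the data its peer actually sent, which is what an inline device that rewrote a payload to a different length without fixing up sequence numbers would produce. The trace, the addresses and the byte counts are constructed for the example; only the tcpdump notation and the TCP semantics are real.

```python
import re

# Older tcpdump prints a TCP segment as
#   src > dst: FLAGS start:end(len) ack N win W
# "start:end(len)" carries bytes start .. end-1 (end is exclusive, so
# "1:358(357)" is bytes 1..357), and "ack N" says every byte below N has been
# received and N is the next byte expected. So "ack 358" acknowledges 1..357,
# not "all data ending at 358". The seq range is omitted on data-less segments.
SEG_RE = re.compile(
    r"^(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRP.]+)"
    r"(?: (?P<start>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
)

def parse_segment(line):
    """Parse one tcpdump TCP line into a dict; returns None for other lines."""
    m = SEG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    seg = {"src": d["src"], "dst": d["dst"], "flags": d["flags"]}
    if d["start"] is None:           # pure ACK / SYN without a printed range
        seg["start"], seg["end"], seg["len"] = None, None, 0
    else:
        seg["start"], seg["end"], seg["len"] = (int(d["start"]), int(d["end"]),
                                                 int(d["len"]))
        if seg["end"] - seg["start"] != seg["len"]:
            raise ValueError("inconsistent seq range in: " + line)
    seg["ack"] = int(d["ack"]) if d["ack"] is not None else None
    return seg

def acked_bytes(ack):
    """Relative byte range (first, last) covered by 'ack N'; None for ack 1,
    which only acknowledges the SYN and no data."""
    if ack <= 1:
        return None
    return (1, ack - 1)

def check_trace(lines):
    """Check every ACK in a trace against the highest byte its peer has sent.

    Returns a list of (line_no, verdict). A partial ACK is normal TCP
    behaviour; an ACK above what the peer put on the wire is an anomaly
    worth investigating (an inline rewriter that changed a payload length
    without adjusting sequence numbers is one cause).
    """
    highest_end = {}   # (src, dst) -> highest exclusive seq end seen that way
    verdicts = []
    for n, line in enumerate(lines, 1):
        seg = parse_segment(line)
        if seg is None:
            continue
        fwd = (seg["src"], seg["dst"])
        if seg["len"] > 0:
            highest_end[fwd] = max(highest_end.get(fwd, 1), seg["end"])
        if seg["ack"] is None:
            continue
        expected = highest_end.get((seg["dst"], seg["src"]), 1)
        rng = acked_bytes(seg["ack"])
        if seg["ack"] == expected:
            what = "nothing yet" if rng is None else "bytes %d..%d" % rng
            verdicts.append((n, "ok: ack %d covers %s, next expected %d"
                             % (seg["ack"], what, seg["ack"])))
        elif seg["ack"] < expected:
            verdicts.append((n, "partial: ack %d, bytes %d..%d still unacked"
                             % (seg["ack"], seg["ack"], expected - 1)))
        else:
            verdicts.append((n, "ANOMALY: ack %d but peer only sent up to %d"
                             % (seg["ack"], expected - 1)))
    return verdicts

# Constructed trace (hypothetical hosts 10.0.0.2 and 10.0.0.1), written in the
# old tcpdump style. Line 10 deliberately acknowledges more than was sent.
SAMPLE_TRACE = """\
10.0.0.2.3456 > 10.0.0.1.80: S 0:0(0) win 5840
10.0.0.1.80 > 10.0.0.2.3456: S 0:0(0) ack 1 win 5792
10.0.0.2.3456 > 10.0.0.1.80: . ack 1 win 5840
10.0.0.2.3456 > 10.0.0.1.80: P 1:358(357) ack 1 win 5840
10.0.0.1.80 > 10.0.0.2.3456: . ack 358 win 5792
10.0.0.1.80 > 10.0.0.2.3456: P 1:201(200) ack 358 win 5792
10.0.0.2.3456 > 10.0.0.1.80: . ack 201 win 5840
10.0.0.2.3456 > 10.0.0.1.80: P 358:1000(642) ack 201 win 5840
10.0.0.1.80 > 10.0.0.2.3456: . ack 700 win 5792
10.0.0.1.80 > 10.0.0.2.3456: . ack 1200 win 5792
""".splitlines()

if __name__ == "__main__":
    for line_no, verdict in check_trace(SAMPLE_TRACE):
        print("line %2d: %s" % (line_no, verdict))
```

Run it over a real trace with `tcpdump -nn -S` turned off (relative numbering is the default) and the `ok` lines read exactly as the reviewer describes: `ack 358` covers bytes 1..357 and the next byte expected is 358.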
Product rating: 4.0 out of 5 stars (9 customer reviews)