
Intrusion Prevention and Active Response: Deploying Network and...


by Michael Rash, Angela D. Orebaugh, Graham Clark, and Becky Pinkard
Sales Rank: 334754
4.0 out of 5 stars
$48.95
At Amazon
on 9-26-2008.
Features
  • Cover Type: Paperback with 424 pages
  • Published by: Syngress
  • Edition: 1st Edition April 12, 2005
  • Written in: English
  • ISBN 10 Number: 193226647X
  • ISBN 13 Number: 978-1932266474
  • Book Dimensions: 9.1 x 7 x 1.2 inches
  • Weighs: 1.4 pounds

Product Description
From the Foreword by Stephen Northcutt, Director of Training and Certification, The SANS Institute

Within a year of the infamous "Intrusion Detection is Dead" report by Gartner, we started seeing Intrusion Prevention System (IPS) products that actually worked in the real world. Security professionals are going to be approaching management for funding in the next year or two to procure intrusion prevention devices, especially Intelligent switches from 3Com (TippingPoint), as well as host-based intrusion prevention solutions like Cisco Security Agent, Platform Logic, Ozone or CrossTec. Both managers and security technologists face a pressing need to get up to speed, and fast, on the commercial and open source intrusion prevention solutions. This is the first book-length work that specifically concentrates on the concept, implementation, and implications of intrusion prevention and active response. The term IPS has been thrown around with reckless abandon by the security community. Here, the author team works to establish a common understanding and terminology, as well as compare the approaches to intrusion prevention.
  • Transition from Intrusion Detection to Intrusion Prevention: Unlike IDS, IPS can modify application-layer data or perform system call interception.
  • Develop an Effective Packet Inspection Toolbox: Use products such as the Metasploit Framework as a source of test attacks.
  • Travel Inside the SANS Internet Storm Center: Review packet captures of actual attacks, like the "Witty" worm, directly from the handler's diary.
  • Protect Against False Positives: Remember that, unlike an IDS, an IPS will REACT to an intrusion.
  • Integrate Multiple Layers of IPS: Create a multivendor defense at the Data Link, Network, Transport, and Application layers.
  • Deploy Host Attack Prevention Mechanisms: Includes stack hardening, system call interception, and application shimming.
  • Implement Inline Packet Payload Alteration: Use Snort Inline or a Linux kernel patch to the Netfilter string match extension.
  • Covers all Major Intrusion Prevention and Active Response Systems: Includes Snort Inline, SnortSAM, PaX, StackGuard, LIDS, FWSnort, PSAD, Enterasys Web IPS, and mod_security.
  • Deploy IPS on Web Servers at the Applications Layer: The loading of an application-level IPS in process by the Web server will protect the server and inspect encrypted traffic.


Table of Contents

Foreword by Stephen Northcutt

Intrusion Prevention and Active Response

Packet Inspection for Intrusion Analysis

False Positives and Real Damage

Four Layers of IPS Actions

Network Inline Data Modification

Protecting Your Host Through the Operating System

IPS at the Application Layer

Deploying Open Source IPS Solutions

IPS Evasion Techniques

About The Author
Angela Orebaugh (GCIA, GCFW, GCIH, GSEC, CCNA) is a Senior Scientist in the Advanced Technology Research Center of Sytex, Inc., where she works with a specialized team to advance the state of the art in information systems security. She has over ten years' experience in information technology, with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. She has a Master's in Computer Science, and is currently pursuing her Ph.D. with a concentration in Information Security at George Mason University.



Reader Reviews
The June, 2003, report from Gartner on the death of IDS set off a lot of security industry activity. Everyone was busy trying to either defend the IDS product space, reposition their products as IPS devices, or trying to dismiss the Gartner position. Many security engineers had to suddenly evaluate the IPS products on the market and make purchase and deployment decisions, as well. However, there's been a lack of understanding of this marketspace for some time. If you've been curious about this technology, you may want to look at Intrusion Prevention and Active Response: Deploying Network and Host IPS to help you understand these solutions.

It would have been relatively easy to write a book that simply covered one facet of the IPS product space, such as network IPS systems. However, the authors have chosen to try and write a comprehensive overview of the tools currently available for both the network and the host, as well as ways in which they can be attacked and the scenarios they work in. While the book focuses on open source tools, including the Snort IPS extensions, the techniques apply to closed source, commercial tools as well.

In general I found Intrusion Prevention to be a decent first book on the subject, although a bit unfocused in its delivery. At times it seems to try and bite off more than it can chew, or go off on a tangent for too long (such as the many pages of nmap options), but in general the book does a fair job of delivering its promise. Through it you'll get a good overview of many of the technologies present in the IPS marketspace and what they offer. If you're up to it, you'll even learn a few ways to test the tools and weed out the snake oil vendors.

The book is heavy on actual system output and configuration examples. I like the explicit packet captures and snort rules, I think they go a long way towards illustrating the premise of an IPS system. As is somewhat common with Syngress press books, the formatting is a bit off at times (sometimes it's too wide or slips over the page boundary at the wrong time), but if you can work past that you're rewarded with a useful example.

For host-based IPS solutions, the book covers a number of approaches that aren't always evident as IPS techniques. Various stack protection mechanisms, including LD_PRELOAD techniques like Libsafe, GCC modifications such as StackGuard, and kernel modifications like LIDS, PaX, RBAC and GrSecurity are all described. By now you can see that the book is pretty Linux and open source centric. This isn't too bad at all, since the basic functionality is present in most of the commercial tools, as well. These can include inline network data modification and reactions or application integrity checking tools. The open source versions, while they sometimes have fewer features, are excellent representatives of this technology.

The book really comes together in chapter 8, 'Deploying Open Source IPS Solutions.' Several vulnerable systems are set up, deployed in a fictitious network, and protected through a variety of IPS solutions which work together to create a layered security model. If the network can detect the attack, it's dropped or modified to remove the offending bits. If the malicious data gets through to the host, the host-level IPS tools remediate the problem. All in all a nice example chapter.

The discussion on how to evade IPS devices was a bit lacking, unfortunately. It seems squeezed in, and doesn't have the same level of detail as other chapters on similar topics. Detailed descriptions of the layer 3, 4 and application layer obfuscation techniques would have been useful to help explain this complex topic.

Before you begin thinking that the authors are entirely gung-ho on IPS technologies, they spend a long time discussing how they can be fooled and how they are fundamentally prone to false positives. This tempered stance is valuable, and they recommend that you take a limited set of functionality from your IDS system and make it reactive in your IPS.

There are only a couple of books that cover IPS technologies to any significant degree, and this appears to be the only one solely devoted to discussing IPS approaches for both the host and network. To that end, the authors have done a pretty good job of introducing the reader to what an IPS can give them, how to evaluate it, and what to expect in the real world. While the book itself has some production and layout problems, the material is worthwhile and will give the reader much-needed advice.



Intrusion Prevention and Active Response: Deploying Network and...
List Price: $49.95
Available from Amazon
Price: $48.95
Updated on 9-26-2008.

Copyright © 2008, dvddispatcher.com
