Item description for Intrusion Prevention and Active Response: Deploying Network and Host IPS by Michael Rash...
From the Foreword by Stephen Northcutt, Director of Training and Certification, The SANS Institute
Within a year of the infamous "Intrusion Detection is Dead" report by Gartner, we started seeing Intrusion Prevention System (IPS) products that actually worked in the real world. Security professionals are going to be approaching management for funding in the next year or two to procure intrusion prevention devices, especially Intelligent switches from 3Com (TippingPoint), as well as host-based intrusion prevention solutions like Cisco Security Agent, Platform Logic, Ozone or CrossTec. Both managers and security technologists face a pressing need to get up to speed, and fast, on the commercial and open source intrusion prevention solutions. This is the first book-length work that specifically concentrates on the concept, implementation, and implications of intrusion prevention and active response. The term IPS has been thrown around with reckless abandon by the security community. Here, the author team works to establish a common understanding and terminology, as well as compare the approaches to intrusion prevention.
Transition from Intrusion Detection to Intrusion PreventionUnlike IDS, IPS can modify application-layer data or perform system call interception.
Develop an Effective Packet Inspection ToolboxUse products such as the Metasploit Framework as a source of test attacks.
Travel Inside the SANS Internet Storm CenterReview packet captures of actual attacks, like the "Witty" worm, directly from the handler's diary.
Protect Against False PositivesRemember that, unlike an IDS, an IPS will REACT to an intrusion.
Integrate Multiple Layers of IPSCreate a multivendor defense at the Data Link, Network, Transport, and Application layers.
Deploy Host Attack Prevention MechanismsIncludes stack hardening, system call interception, and application shimming.
Implement Inline Packet Payload AlterationUse Snort Inline or a Linux kernel patch to the Netfilter string match extension.
Covers all Major Intrusion Prevention and Active Response SystemsIncludes Snort Inline, SnortSAM, PaX, StackGuard, LIDS, FWSnort, PSAD, Enterasys Web IPS, and mod_securit.
Deploy IPS on Web Servers at the Applications LayerThe loading of an application-level IPS in process by the Web server will protect the server and inspect encrypted traffic.
TABLE OF Contents
Foreword by Stephen Northcutt
Intrusion Prevention and Active Response
Packet Inspection for Intrusion Analysis
False Positives and Real Damage
Four Layers of IPS Actions
Network Inline Data Modification
Protecting Your Host Through the Operating System
IPS at the Application Layer
Deploying Open Source IPS Solutions
IPS Evasion Techniques
Promise Angels is dedicated to bringing you great books at great prices. Whether you read for entertainment, to learn, or for literacy - you will find what you want at promiseangels.com!
Est. Packaging Dimensions: Length: 9.1" Width: 7" Height: 1.2" Weight: 1.45 lbs.
Release Date Apr 12, 2005
ISBN 193226647X ISBN13 9781932266474
Availability 65 units. Availability accurate as of May 24, 2017 05:43.
Usually ships within one to two business days from La Vergne, TN.
Orders shipping to an address other than a confirmed Credit Card / Paypal Billing address may incur and additional processing delay.
More About Michael Rash
Rash works as a Security Research Engineer in Columbia, MD for Enterasys Network, Inc.
Michael Rash currently resides in the state of Maryland.
Reviews - What do customers think about Intrusion Prevention and Active Response: Deploying Network and Host IPS?
In depth and complete Dec 29, 2007
Will Intrusion Prevention and Active Response help you in purchasing your next IPS system? Yes and no. Yes, because it will provide you with a really good insight about what IPS' are about, where they will help, where they will fail, and where they will make things worse. But you'll have a hard time if you're not technically savvy, if you don't master at least the basics of TCP/IP, network and application security, Linux, and even C and Assembler up to a certain extent. It is not written for managers trying to decide what commercial product to choose and purchase.
Be prepared for some in depth, geek stuff. The build-up and organization is logical and obvious. A good and detailed first four chapters explain why you should go for IPS', what they are, what they will do and what they will not. This `introduction' is followed by 3 chapters (about 170 pp.) detailing, with all technical details, examples, code samples and such, what attacks an inline IPS may thwart, how these attacks work. This part is really in depth, and in some points is a very good complement to the mandatory reading of Hacking Exposed. In particular, I really liked Chapter 6, were the inner workings of a buffer overflow are explained. Then again, be prepared to drill down to the stack pointers, processor registers and all that good stuff. After all, exploiting buffer overflows is not obvious, and so is the understanding of what they are. But the authors manage to explain the actual workings of a buffer overflow, starting from such concepts as process and memory management, the stack pointers - and use a practical example so you can try this at home. One may want to read it twice, though... The book concludes with two chapters about Open Source IPS, and Evasion Techniques.
Recommended reading? Yes, definitely for anyone with a good technical basis, wondering what IPS' really are about.
Pros: - In depth, no blah blah, no big screenshots, no page filling - Good layout, easily readable large font - Full of practical examples, code sample, and how-to's. You'll want a Linux box around to try this stuff out - All chapters end with a summary (normal), but also a checklist (a kind of bulleted complement of the summary), a `solutions fast track', not about solutions (see cons) but rather another topic by topic review. Then comes the commented list of URLs mentioned in the chapter - good to review things and dig further, and a FAQ, giving practical answers to those questions you're still wondering about. - Not commercial - the whole discussion is based on Snort, Netfilter, and zillions of readily available hacking tools and Linux add-ons
Cons: - Syngress probably hired some marketing guy who felt it was absolutely necessary to include all sorts of buzzwords and frills: chapters are `Solutions'. This book is about explaining and understanding, not about solutions. Little checked marks, the Syngress URL on every page, `Notes from the Underground' boxes. Underground? Yeah, that must sound cool... All rather pointless and distracting. Minus one star for this. - Nothing about commercial products. Everything is based on Open Source. While that makes it easy to test things out, most readers would still appreciate an additional chapter covering some pros and cons of the major products out there. Even when it comes to compare them to Snort.
All in all, great job, great book, interesting but at times demanding reading. Next recommended reading? Snort 2.1 Intrusion Detection, from Syngress as well.
Host and network protection solutions Sep 11, 2005
The June, 2003, report from Gartner on the death of IDS set off a lot of security industry activity. Everyone was busy trying to either defend the IDS product space, reposition their products as IPS devices, or trying to dismiss the Gartner position. Many security engineers had to suddenly evaluate the IPS products on the market and make purchase and deployment decisions, as well. However, there's been a lack of understanding of this marketspace for some time. If you've been curious about this technology, you may want to look at Intrusion Prevention and Active Response: Deploying Network and Host IPS to help you understand these solutions.
It would have been relatively easy to write a book that simply covered one facet of the IPS product space, such as network IPS systems. However, the authors have chosen to try and write a comprehensive overview of the tools currently available for both the network and the host, as well as ways in which they can be attacked and the scenarios they work in. While the book focuses on open source tools, including the Snort IPS extensions, the techniques apply to closed source, commercial tools as well.
In general I found Intrusion Prevention to be a decent first book on the subject, although a bit unfocused in its delivery. At times it seems to try and bite off more than it can chew, or go off on a tangent for too long (such as the many pages of nmap options), but in general the book does a fair job of delivering its promise. Through it you'll get a good overview of many of the technologies present in the IPS marketspace and what they offer. If you're up to it, you'll even learn a few ways to test the tools and weed out the snake oil vendors.
The book is heavy on actual system output and configuration examples. I like the explicit packet captures and snort rules, I think they go a long way towards illustrating the premise of an IPS system. As is somewhat common with Syngress press books, the formatting is a bit off at times (sometimes it's too wide or slips over the page boundary at the wrong time), but if you can work past that you're rewarded with a useful example.
For host-based IPS solutions, the book covers a number of approaches that aren't always evident as IPS techniques. Various stack protection mechanisms, including LD_PRELOAD techniques like Libsafe, GCC modifications such as StackGuard, and kernel modifications like LIDS, PaX, RBAC and GrSecurity are all described.
By now you can see that the book is pretty Linux and open source centric. This isn't too bad at all, since the basic functionality is present in most of the commercial tools, as well. These can include inline network data modification and reactions or application integrity checking tools. The open source versions, while they sometimes have fewer features, are excellent representatives of this technology.
The book really comes together in chapter 8, 'Deploying Open Source IPS Solutions.' Several vulnerable systems are set up, deployed in a fictitious network, and protected through a variety of IPS solutions which work together to create a layered security model. If the network can detect the attack, it's dropped or modified to remove the offending bits. If the malicious data gets through to the host, the host-level IPS tools remediate the problem. All in all a nice example chapter.
The discussion on how to evade IPS devices was a bit lacking, unfortunately. It seems squeezed in, and doesn't have the same level of detail as other chapters on similar topics. Detailed descriptions of the layer 3, 4 and application layer obfuscation techniques would have been useful to help explain this complex topic.
Before you begin thinking that the authors are entirely gung-ho on IPS technologies, they spend a long time discussing how they can be fooled and how they are fundamentally prone to false positives. This tempered stance is valuable, and they recommend that you take a limited set of functionality from your IDS system and make it reactive in your IPS.
There are only a couple of books that cover IPS technologies to any significant degree, and this appears to be the only one solely devoted to discussing IPS approaches for both the host and network. To that end, the authors have done a pretty good job of introducing the reader to what an IPS can give them, how to evaluate it, and what to expect in the real world. While the book itself has some production and layout problems, the material is worthwhile and will give the reader much-needed advice.
Want to deploy an IPS? Start with this book. Jun 15, 2005
Intrusion Prevention and Active Response (IPAR) is a welcome departure from many books covering intrusion prevention and detection. The authors clearly distinguish between intrusion detection systems (IDS) and intrusion prevention systems (IPS), a distinction often conflated in media, training manuals and other educational material. The level of presentation is well suited for someone familiar with security principles, techniques and methods. If you are new to Linux, then you will probably need supporting materials to get through the more complex chapters. IPAR covers several key areas of IPS. Though many chapters focus on network and data link layers, the section on protecting your system through host-based IPS can be used on a wide number of systems. Too many IPS/IDS books focus only on perimeter security and fail to address what can be done at the host level. With the increase use of WAN, VPN and other applications, the perimeter is dissipating, making host security increasingly important.
The section on host IPS touches on a number of items with a rather detailed treatment of buffer overflows. Although I find reading source code in a book painfully boring, this detailed treatment of buffer overflows is welcomed. If you go through this section carefully, you will have a very good understanding of why buffer overflows are often exploited and more importantly how they can be defeated with tools like PaX and StackGuard. There is a brief treatment of hardened OS's and SELinux. Personally, I think the SELinux treatment was a bit light, especially as SELinux is now standard for Fedora Core 3 and Red Hat Enterprise Linux 4. Few books touch on SELinux, so a more expanded treatment of it here would have been welcomed. Nonetheless, the section on host based IPS is recommended to any server owner, especially those that lease or co-locate equipment that is in a network environment which they cannot control.
Chapter 7 focuses on application layer IPS controls. The best part of this chapter is a good review of common web application attacks such as cross-site scripting, form field manipulation, and SQL injection. These types of attacks are frequent entry points for hackers. The chapter also includes information on tools like ModSecurity, IIS Lockdown and others that can be used to protect your applications.
The remaining chapters provide background IPS information and details on how to protect the network layer. If you are a network manager, these chapters are a good starting point to IPS theory and practice. The last chapter provides brief accounts about deploying various open source tools, such as fwsnort, SnortSAM, LIDS, PSAD, and PortSentry. The inclusion of these tools is great but I think most will find that the treatment is too brief to provide a full-scale implementation. The authors point you in the right direction and get you started but you will need to rely on another resource if you plan to deploy many of these solutions.
Intrusion Prevention and Active Response is very good for anyone looking to secure their hosts and/or network. Some sections can become a bit tedious at times as they include packet captures, traces, and other highly detailed and technical information. I am not sure that showing a page full of a packet capture is too beneficial. I would rather see this replaced with CD-ROM that can simulate such events. Aside from this caveat, the treatment and background information on IPS is very strong.
I recommend this book to anyone considering deploying IPS systems or simply want to learn more about the differences between intrusion detection and intrusion prevention. As one of the few books focusing strictly on IPS, I think any security manager or system administrator can find some useful tidbits inside.
false positives and negatives are the problem Apr 10, 2005
As malware and cracking become more potent, so too have the countermeasures. Hitherto, IDS have been popular, to detect such incursions into your network. But sterner tactics have evolved. An IDS is essentially passive. This book explores the concept of an Intrusion Prevention System.
The strongest configuration is to put an IPS inline. So that it sits between the Internet and your computers. It parses the network traffic at any or all of the 5 layers, from data link to application. In its most intensive incarnation, it can analyse application layer data and modify these before passing them on. Plus, of course, it can block suspects attack messages, even in a zero-day mode.
The discussion is fairly technical. A good prior knowledge of UDP and TCP is needed to make sense of much of the text.
The book is also careful to warn of the pitfalls of using an IPS, especially inline. False positives and negatives. It is very hard to correctly find all the attacks. That is, to be able to implement a robust rule set to remove attacks from the traffic.
Intrusion Prevention Help Apr 6, 2005
This book was really helpful! Our company really needed a solution for a prevention/response system. We already had an IDS system but needed something for the attacks. Once our company was under attack we had no way of stopping it. This book really helped us to make an intelligent decision and the company went with the Interceptor.NET from Network Intercept. They were found on www.networkintercept.com. This book explains all about how these kind of systems work and was really knowledgeable. Highly recommend!