BKINPRAR.RVW 20050615

"Intrusion Prevention and Active Response", Michael Rash et al, 2005, 1-932266-47-X, U$49.95/C$69.95
%A   Michael Rash www.cipherdyne.org
%A   Angela Orebaugh
%A   Graham Clark
%A   Becky Pinkard
%A   Jake Babbin
%C   800 Hingham Street, Rockland, MA 02370
%D   2005
%G   1-932266-47-X
%I   Syngress Media, Inc.
%O   U$49.95/C$69.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O   http://www.amazon.com/exec/obidos/ASIN/193226647X/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/193226647X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/193226647X/robsladesin03-20
%O   Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   402 p.
%T   "Intrusion Prevention and Active Response"

In the beginning were the blackhats, and the net was without form, and void. (Actually, slightly before the beginning were a bunch of grad students who were just all keen to share stuff and never figured anybody would try and deliberately break such a neat toy.) And the security community said, "Let there be firewalls!" And the security community looked upon the firewalls and saw that they were good. (And they didn't say anything in particular about the fact that there were also ACLs, and rulesets, and management issues, and all manner of creeping features.) And the security community said, "Let there be intrusion detection systems, which shall also be known as IDSs!" And the security community looked upon the IDSs and saw that they were good. (And there were even *more* ACLs, and rulesets, and management issues, and all manner of creeping features.) And the security community said, "Let us make unto ourselves the ultimate in network security tools, and let it be the Holy Grail and Silver Bullet and Philosopher's Stone of security, and let it manage itself and respond to any kind of attack!" And lo, the security vendors looked upon the intrusion prevention system (IPS) and saw that it was a very good marketing idea.
Chapter one attempts to define intrusion prevention and active response, but it doesn't do so in a particularly clear or consistent manner. An IPS is an IDS that can take some kind of action. What kind of action? Well, an IPS does data content (application level) inspection. Maybe. Then again, a network-based active response system (and an active response system may or may not be the same thing as an IPS: it depends upon which section of the chapter you are reading) might modify firewall policies or respond to attack packets by resetting the port and killing the connection. (This means, as the book points out, that an active response system can't do anything at all to prevent an attack that consists of a single packet, since the packet has already reached its target by the time the reset is sent. I'm not sure that all IPS vendors would agree with that position.) Network-based IPS/active response systems can block ports or systems, change firewall rules, reset connections, or alter the data content. (And why wouldn't an inline device that alters or drops content stop a single-packet attack?) Host-based IPS/active response can revise filesystem privileges, perform disinfection, and change firewall rules. I'm sorry, that paragraph was confused, had poor structure, and was not particularly clear. But then again, it seems to capture the essence and style of chapter one.

(In response to the draft of this review, one of the authors feels that I have not been fair. He primarily notes that the authors wish to make a distinction between intrusion prevention and active response, but that distinction is not made terribly clear in the printed text. In addition, he says that the missing details I have listed are present in the book, but gives citations that come from a variety of different places in the volume.)

Chapter two seems to be an attempt to declare that "deep" packet inspection is different from inspection of the packet contents, but, aside from giving a whole bunch of examples of things that shouldn't be in packets, it doesn't say why.
False positives can be a real danger, so I agree with the title of chapter three. Unfortunately, the text doesn't: we simply have a lot of discussion about how Nmap works, finishing off with a terse mention of Bayesian statistics. A few specific attacks against certain applications (and certain versions) are listed in chapter four. Chapter five discusses systems that will modify data content, but only in terms of setting up Snort or Netfilter for specific attacks, and not in a usefully detailed way, or one that is helpful for general usage. A few more attacks, and ways that systems operating at the level of the kernel can help, are described (in a rather confused fashion) in chapter six. Chapter seven proposes an application-level IPS, but what is described seems to be identical to any application-level proxy firewall with content inspection. Chapter eight lists some of the data you might obtain from a number of open source tools. Some of the things that can go wrong with an IPS are mentioned in chapter nine.

Intrusion prevention systems are new, not terribly well-defined, and popular. The security literature on the topic is limited. Therefore, any work that addresses the topic will have some value. Indeed, in his response, one of the authors felt that they should get some credit for being first, and this is generally true. This book, however, will be difficult for the newcomer to approach with any certainty. The expert will find it both limited and (because of this) misleading at times. Some of the content is useful, and a number of the points raised should be considered, but the material should be treated with caution. The volume is doctrinaire about items that cannot yet be fully agreed upon, neglects issues and options that should be considered by security professionals, includes considerable information that has only the most tenuous connection to the topic at hand, and is written without much consideration for the reader.

copyright Robert M. Slade, 2006