- Published on Amazon.com
Will Intrusion Prevention and Active Response help you in purchasing your next IPS system? Yes and no. Yes, because it will provide you with a really good insight about what IPS' are about, where they will help, where they will fail, and where they will make things worse.
But you'll have a hard time if you're not technically savvy, if you don't master at least the basics of TCP/IP, network and application security, Linux, and even C and Assembler up to a certain extent. It is not written for managers trying to decide what commercial product to choose and purchase.
Be prepared for some in depth, geek stuff. The build-up and organization is logical and obvious. A good and detailed first four chapters explain why you should go for IPS', what they are, what they will do and what they will not. This `introduction' is followed by 3 chapters (about 170 pp.) detailing, with all technical details, examples, code samples and such, what attacks an inline IPS may thwart, how these attacks work. This part is really in depth, and in some points is a very good complement to the mandatory reading of Hacking Exposed. In particular, I really liked Chapter 6, were the inner workings of a buffer overflow are explained. Then again, be prepared to drill down to the stack pointers, processor registers and all that good stuff. After all, exploiting buffer overflows is not obvious, and so is the understanding of what they are. But the authors manage to explain the actual workings of a buffer overflow, starting from such concepts as process and memory management, the stack pointers - and use a practical example so you can try this at home.
One may want to read it twice, though...
The book concludes with two chapters about Open Source IPS, and Evasion Techniques.
Recommended reading? Yes, definitely for anyone with a good technical basis, wondering what IPS' really are about.
- In depth, no blah blah, no big screenshots, no page filling
- Good layout, easily readable large font
- Full of practical examples, code sample, and how-to's. You'll want a Linux box around to try this stuff out
- All chapters end with a summary (normal), but also a checklist (a kind of bulleted complement of the summary), a `solutions fast track', not about solutions (see cons) but rather another topic by topic review. Then comes the commented list of URLs mentioned in the chapter - good to review things and dig further, and a FAQ, giving practical answers to those questions you're still wondering about.
- Not commercial - the whole discussion is based on Snort, Netfilter, and zillions of readily available hacking tools and Linux add-ons
- Syngress probably hired some marketing guy who felt it was absolutely necessary to include all sorts of buzzwords and frills: chapters are `Solutions'. This book is about explaining and understanding, not about solutions. Little checked marks, the Syngress URL on every page, `Notes from the Underground' boxes. Underground? Yeah, that must sound cool... All rather pointless and distracting. Minus one star for this.
- Nothing about commercial products. Everything is based on Open Source. While that makes it easy to test things out, most readers would still appreciate an additional chapter covering some pros and cons of the major products out there. Even when it comes to compare them to Snort.
All in all, great job, great book, interesting but at times demanding reading. Next recommended reading? Snort 2.1 Intrusion Detection, from Syngress as well.
3 of 5 people found the following review helpful
- Published on Amazon.com
The June, 2003, report from Gartner on the death of IDS set off a lot of security industry activity. Everyone was busy trying to either defend the IDS product space, reposition their products as IPS devices, or trying to dismiss the Gartner position. Many security engineers had to suddenly evaluate the IPS products on the market and make purchase and deployment decisions, as well. However, there's been a lack of understanding of this marketspace for some time. If you've been curious about this technology, you may want to look at Intrusion Prevention and Active Response: Deploying Network and Host IPS to help you understand these solutions.
It would have been relatively easy to write a book that simply covered one facet of the IPS product space, such as network IPS systems. However, the authors have chosen to try and write a comprehensive overview of the tools currently available for both the network and the host, as well as ways in which they can be attacked and the scenarios they work in. While the book focuses on open source tools, including the Snort IPS extensions, the techniques apply to closed source, commercial tools as well.
In general I found Intrusion Prevention to be a decent first book on the subject, although a bit unfocused in its delivery. At times it seems to try and bite off more than it can chew, or go off on a tangent for too long (such as the many pages of nmap options), but in general the book does a fair job of delivering its promise. Through it you'll get a good overview of many of the technologies present in the IPS marketspace and what they offer. If you're up to it, you'll even learn a few ways to test the tools and weed out the snake oil vendors.
The book is heavy on actual system output and configuration examples. I like the explicit packet captures and snort rules, I think they go a long way towards illustrating the premise of an IPS system. As is somewhat common with Syngress press books, the formatting is a bit off at times (sometimes it's too wide or slips over the page boundary at the wrong time), but if you can work past that you're rewarded with a useful example.
For host-based IPS solutions, the book covers a number of approaches that aren't always evident as IPS techniques. Various stack protection mechanisms, including LD_PRELOAD techniques like Libsafe, GCC modifications such as StackGuard, and kernel modifications like LIDS, PaX, RBAC and GrSecurity are all described.
By now you can see that the book is pretty Linux and open source centric. This isn't too bad at all, since the basic functionality is present in most of the commercial tools, as well. These can include inline network data modification and reactions or application integrity checking tools. The open source versions, while they sometimes have fewer features, are excellent representatives of this technology.
The book really comes together in chapter 8, 'Deploying Open Source IPS Solutions.' Several vulnerable systems are set up, deployed in a fictitious network, and protected through a variety of IPS solutions which work together to create a layered security model. If the network can detect the attack, it's dropped or modified to remove the offending bits. If the malicious data gets through to the host, the host-level IPS tools remediate the problem. All in all a nice example chapter.
The discussion on how to evade IPS devices was a bit lacking, unfortunately. It seems squeezed in, and doesn't have the same level of detail as other chapters on similar topics. Detailed descriptions of the layer 3, 4 and application layer obfuscation techniques would have been useful to help explain this complex topic.
Before you begin thinking that the authors are entirely gung-ho on IPS technologies, they spend a long time discussing how they can be fooled and how they are fundamentally prone to false positives. This tempered stance is valuable, and they recommend that you take a limited set of functionality from your IDS system and make it reactive in your IPS.
There are only a couple of books that cover IPS technologies to any significant degree, and this appears to be the only one solely devoted to discussing IPS approaches for both the host and network. To that end, the authors have done a pretty good job of introducing the reader to what an IPS can give them, how to evaluate it, and what to expect in the real world. While the book itself has some production and layout problems, the material is worthwhile and will give the reader much-needed advice.