Will Intrusion Prevention and Active Response help you in purchasing your next IPS system? Yes and no. Yes, because it will provide you with really good insight into what IPSs are about, where they will help, where they will fail, and where they will make things worse.
But you'll have a hard time if you're not technically savvy, if you don't master at least the basics of TCP/IP, network and application security, Linux, and even C and Assembler to a certain extent. It is not written for managers trying to decide which commercial product to choose and purchase.
Be prepared for some in-depth geek stuff. The build-up and organization are logical and obvious. A good and detailed first four chapters explain why you should go for IPSs, what they are, what they will do and what they will not. This 'introduction' is followed by 3 chapters (about 170 pp.) detailing, with all technical details, examples, code samples and such, what attacks an inline IPS may thwart and how these attacks work. This part is really in depth, and in some points is a very good complement to the mandatory reading of Hacking Exposed. In particular, I really liked Chapter 6, where the inner workings of a buffer overflow are explained. Then again, be prepared to drill down to the stack pointers, processor registers and all that good stuff. After all, exploiting buffer overflows is not obvious, and neither is understanding what they are. But the authors manage to explain the actual workings of a buffer overflow, starting from such concepts as process and memory management and the stack pointers - and use a practical example so you can try this at home.
One may want to read it twice, though...
The book concludes with two chapters about Open Source IPS, and Evasion Techniques.
Recommended reading? Yes, definitely for anyone with a good technical basis, wondering what IPSs really are about.
Pros:
- In depth, no blah blah, no big screenshots, no page filling
- Good layout, easily readable large font
- Full of practical examples, code samples, and how-to's. You'll want a Linux box around to try this stuff out
- All chapters end with a summary (normal), but also a checklist (a kind of bulleted complement of the summary), a 'solutions fast track', not about solutions (see cons) but rather another topic-by-topic review. Then comes the commented list of URLs mentioned in the chapter - good to review things and dig further - and a FAQ, giving practical answers to those questions you're still wondering about.
- Not commercial - the whole discussion is based on Snort, Netfilter, and zillions of readily available hacking tools and Linux add-ons
Cons:
- Syngress probably hired some marketing guy who felt it was absolutely necessary to include all sorts of buzzwords and frills: chapters are 'Solutions'. This book is about explaining and understanding, not about solutions. Little check marks, the Syngress URL on every page, 'Notes from the Underground' boxes. Underground? Yeah, that must sound cool... All rather pointless and distracting. Minus one star for this.
- Nothing about commercial products. Everything is based on Open Source. While that makes it easy to test things out, most readers would still appreciate an additional chapter covering some pros and cons of the major products out there, even if only to compare them to Snort.
All in all, great job, great book, interesting but at times demanding reading. Next recommended reading? Snort 2.1 Intrusion Detection, from Syngress as well.