Intrusion Prevention and Active Response: Deploying Network and Host IPS Paperback – Apr 26 2005
|New from||Used from|
No Kindle device required. Download one of the Free Kindle apps to start reading Kindle books on your smartphone, tablet, and computer.
Getting the download link through email is temporarily not available. Please check back later.
To get the free app, enter your mobile phone number.
About the Author
Angela Orebaugh (, GCIA, GCFW, GCIH, GSEC, CCNA) is a Senior Scientist in the Advanced Technology Research Center of Sytex, Inc. where she works with a specialized team to advance the state of the art in information systems security. She has over 10 years experience in information technology, with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. She has a Masters in Computer Science, and is currently pursuing her Ph.D. with a concentration in Information Security at George Mason University.
Most Helpful Customer Reviews on Amazon.com (beta)
The more security books I read, the more I feel like I'm standing in a hall of mirrors, with the villian plainly visible pointing a weapon at me. But where is he? Which reflection is the one I need to pay attention to? That's one of the many interesting points discussed here: false positives distract your attention from real problems, and the "bad guys" know that, so if you ever are under real attack, you can bet that you'll also be seeing all manner of distracting false attacks also.
This covers all the important security tools, mostly from a Linux perspective though Windows isn't entirely ignored. Weaknesses and strengths are examined, but what I really appreciated was the constant focus on reality: this isn't at all a theoretical discussion; it's real-world, get your hands dirty, watch out for this, etc.
Great job, the authors obviously put a lot of thought into it. The only fault I'd find at all is that some of it gets very techy, but that's really unavoidable: you can't begin to understand how some of these exploits work without a deeper understanding of geekish subjects. I think in general they did an excellent job with all of it.
The strongest configuration is to put an IPS inline. So that it sits between the Internet and your computers. It parses the network traffic at any or all of the 5 layers, from data link to application. In its most intensive incarnation, it can analyse application layer data and modify these before passing them on. Plus, of course, it can block suspects attack messages, even in a zero-day mode.
The discussion is fairly technical. A good prior knowledge of UDP and TCP is needed to make sense of much of the text.
The book is also careful to warn of the pitfalls of using an IPS, especially inline. False positives and negatives. It is very hard to correctly find all the attacks. That is, to be able to implement a robust rule set to remove attacks from the traffic.
But you'll have a hard time if you're not technically savvy, if you don't master at least the basics of TCP/IP, network and application security, Linux, and even C and Assembler up to a certain extent. It is not written for managers trying to decide what commercial product to choose and purchase.
Be prepared for some in depth, geek stuff. The build-up and organization is logical and obvious. A good and detailed first four chapters explain why you should go for IPS', what they are, what they will do and what they will not. This `introduction' is followed by 3 chapters (about 170 pp.) detailing, with all technical details, examples, code samples and such, what attacks an inline IPS may thwart, how these attacks work. This part is really in depth, and in some points is a very good complement to the mandatory reading of Hacking Exposed. In particular, I really liked Chapter 6, were the inner workings of a buffer overflow are explained. Then again, be prepared to drill down to the stack pointers, processor registers and all that good stuff. After all, exploiting buffer overflows is not obvious, and so is the understanding of what they are. But the authors manage to explain the actual workings of a buffer overflow, starting from such concepts as process and memory management, the stack pointers - and use a practical example so you can try this at home.
One may want to read it twice, though...
The book concludes with two chapters about Open Source IPS, and Evasion Techniques.
Recommended reading? Yes, definitely for anyone with a good technical basis, wondering what IPS' really are about.
- In depth, no blah blah, no big screenshots, no page filling
- Good layout, easily readable large font
- Full of practical examples, code sample, and how-to's. You'll want a Linux box around to try this stuff out
- All chapters end with a summary (normal), but also a checklist (a kind of bulleted complement of the summary), a `solutions fast track', not about solutions (see cons) but rather another topic by topic review. Then comes the commented list of URLs mentioned in the chapter - good to review things and dig further, and a FAQ, giving practical answers to those questions you're still wondering about.
- Not commercial - the whole discussion is based on Snort, Netfilter, and zillions of readily available hacking tools and Linux add-ons
- Syngress probably hired some marketing guy who felt it was absolutely necessary to include all sorts of buzzwords and frills: chapters are `Solutions'. This book is about explaining and understanding, not about solutions. Little checked marks, the Syngress URL on every page, `Notes from the Underground' boxes. Underground? Yeah, that must sound cool... All rather pointless and distracting. Minus one star for this.
- Nothing about commercial products. Everything is based on Open Source. While that makes it easy to test things out, most readers would still appreciate an additional chapter covering some pros and cons of the major products out there. Even when it comes to compare them to Snort.
All in all, great job, great book, interesting but at times demanding reading. Next recommended reading? Snort 2.1 Intrusion Detection, from Syngress as well.
It would have been relatively easy to write a book that simply covered one facet of the IPS product space, such as network IPS systems. However, the authors have chosen to try and write a comprehensive overview of the tools currently available for both the network and the host, as well as ways in which they can be attacked and the scenarios they work in. While the book focuses on open source tools, including the Snort IPS extensions, the techniques apply to closed source, commercial tools as well.
In general I found Intrusion Prevention to be a decent first book on the subject, although a bit unfocused in its delivery. At times it seems to try and bite off more than it can chew, or go off on a tangent for too long (such as the many pages of nmap options), but in general the book does a fair job of delivering its promise. Through it you'll get a good overview of many of the technologies present in the IPS marketspace and what they offer. If you're up to it, you'll even learn a few ways to test the tools and weed out the snake oil vendors.
The book is heavy on actual system output and configuration examples. I like the explicit packet captures and snort rules, I think they go a long way towards illustrating the premise of an IPS system. As is somewhat common with Syngress press books, the formatting is a bit off at times (sometimes it's too wide or slips over the page boundary at the wrong time), but if you can work past that you're rewarded with a useful example.
For host-based IPS solutions, the book covers a number of approaches that aren't always evident as IPS techniques. Various stack protection mechanisms, including LD_PRELOAD techniques like Libsafe, GCC modifications such as StackGuard, and kernel modifications like LIDS, PaX, RBAC and GrSecurity are all described.
By now you can see that the book is pretty Linux and open source centric. This isn't too bad at all, since the basic functionality is present in most of the commercial tools, as well. These can include inline network data modification and reactions or application integrity checking tools. The open source versions, while they sometimes have fewer features, are excellent representatives of this technology.
The book really comes together in chapter 8, 'Deploying Open Source IPS Solutions.' Several vulnerable systems are set up, deployed in a fictitious network, and protected through a variety of IPS solutions which work together to create a layered security model. If the network can detect the attack, it's dropped or modified to remove the offending bits. If the malicious data gets through to the host, the host-level IPS tools remediate the problem. All in all a nice example chapter.
The discussion on how to evade IPS devices was a bit lacking, unfortunately. It seems squeezed in, and doesn't have the same level of detail as other chapters on similar topics. Detailed descriptions of the layer 3, 4 and application layer obfuscation techniques would have been useful to help explain this complex topic.
Before you begin thinking that the authors are entirely gung-ho on IPS technologies, they spend a long time discussing how they can be fooled and how they are fundamentally prone to false positives. This tempered stance is valuable, and they recommend that you take a limited set of functionality from your IDS system and make it reactive in your IPS.
There are only a couple of books that cover IPS technologies to any significant degree, and this appears to be the only one solely devoted to discussing IPS approaches for both the host and network. To that end, the authors have done a pretty good job of introducing the reader to what an IPS can give them, how to evaluate it, and what to expect in the real world. While the book itself has some production and layout problems, the material is worthwhile and will give the reader much-needed advice.
Look for similar items by category
- Books > Computers & Technology > Certification Central
- Books > Computers & Technology > Networking & Cloud Computing > Network Security
- Books > Computers & Technology > Networking & Cloud Computing > Networks, Protocols & APIs
- Books > Computers & Technology > Web Development > Security & Encryption > Encryption
- Books > Textbooks > Computer Science & Information Systems > Computer Science
- Books > Textbooks > Computer Science & Information Systems > Networking