From: secedu@all.net
Reply-to: secedu@all.net
Organization: Information Security Educators Mailing List
Subject: Information Security Educators Mailing List 1998-12-13
<pre>---------------------------------------------
Date: Sun, 13 Dec 1998 20:48:57 -0500
From: Mich Kabay <mkabay@compuserve.com>
Subject: NEWS: Intrusion Detection:  Network Security Beyond the Firewall.

ICSA PROJECT(S):  FWPD, IDPD, INFOWAR, ROSE, TECH

Intrusion Detection:  Network Security Beyond the Firewall

by Terry Escamilla (1998).

John Wiley & Sons (New York).

ISBN 0-471-29000-9.

xx + 348pp.  Index.

Review by M. E. Kabay, PhD, CISSP
Director of Education
ICSA, Inc.


Terry Escamilla, PhD, has many years of experience designing and
implementing information security systems.  He worked with
Haystack Labs on the Stalker intrusion detection products and currently
works on IBM's e-commerce products.  Dr Escamilla has written a concise
introduction not only to intrusion detection systems but also an
excellent primer on important elements of modern information security.

Intrusion Detection begins with a clear Preface that explains the
purpose of his textbook: "Our goal is . . .  To differentiate intrusion
detection from other forms of computer security and to show how each
product category adds value."  The author explicitly avoids the shopping
cart approach, leaving detailed product comparisons to the trade press
where they belong in a rapidly-changing technical environment.  He
includes specific products as representatives of classes of software.

Escamilla aims his book at CIOs and security officers or network
managers; he wants to provide a high-level overview with enough
technical detail to help the reader fit intrusion detection into
corporate information security architectures.

The book includes a good Introduction where Escamilla lays out the
structure of his text.  The first 153 pages serve in effect as a mini
textbook introducing the conventional model for security -- the model
focused on preventing breaches of security.  The author uses the
classical triad (C-I-A for confidentiality, integrity and availability)
of security as a framework for reviewing traditional security; I
strongly prefer Donn Parker's Hexad, which adds control or possession,
authenticity and utility.  Escamilla summarizes some of these in a mere
paragraph.  Nonetheless, his review is well worth reading by his
intended audience and even by rank beginners in the field of security.

The author's Chapter 1 definitions of security model, entities,
subjects, objects, authorization, users, trust relationships, trust
boundaries, reference monitor, security kernel, identification and
authentication, access control schemes, and the other basics of security
theory are lucid and well illustrated.  For example, his paragraph on
"Intrusion Detection and Monitoring" (p. 23) states, "The purpose of an
IDS product is to monitor the system for attacks.  An attack might be
signaled by something as simple as a program that illegally modifies a
user name.  Complex attacks might involve sequences of events that span
multiple systems.  Intrusion detection products are classified with
system monitors because they usually depend on auditing information
provided from the system's logs or data gathered by sniffing network
traffic.  One difference between scanners and IDSs is the time interval.
A scanner is running in real time when it is started.  However, a
scanner is rarely run all of the time.  Intrusion detection products are
designed to run in real time and to constantly monitor the system for
attacks."  I think that's admirably clear writing.

In later chapters the author looks in a bit more detail at UNIX and
Windows NT security.  He summarizes hacker techniques such as password
guessing, brute-force attacks, social engineering, Trojan horses,
network sniffers, and exploitation of known vulnerabilities (bugs in
software).

Chapter 4, "Traditional Network Security Approaches," begins with a
thorough review of how security protocols can include errors and how
criminal hackers exploit weaknesses in those protocols.  The author
warns that designing distributed security particles is best left to
knowledgeable, experienced experts.  For example, he writes, "[a]
distributed authentication protocol was designed using a challenge
response technique, but the challenge and response were the same value.
A hacker impersonating the recipient could just replay the challenge
when asked for the response."  Another example of a security blooper was
"[a] protocol designed to accept incoming messages of a fixed length."
The author writes, "Unfortunately, the program did not check the length
of the incoming messages. . . and, because the system was a public Web
server, any anonymous user on the Internet could crash the site."

Chapter 4 also includes an extensive introduction to TCP/IP and the
kinds of attacks specific to these widely used protocols.  In accordance
with his principles, the author refuses to give detailed scripts that
would allow uninformed users to generate such attacks; however, his
clear explanations make it possible to understand the issues.

The next six chapters--about 150 pages--are devoted to intrusion
detection systems proper.  This section includes detailed overviews of
several important products.  The products are used to illustrate
important principles distinguishing different categories of products,
many of which are complementary.

Finally, in his last section, the author devotes two chapters to looking
at appropriate responses to intrusion.  He offers a sensible balance
between ignoring intrusions and exerting extraordinary efforts to
capture intruders.  He very properly suggests that business
considerations ought to determine the level of effort devoted to acting
as a kind of wild-cyberwest sheriff.  In any case, as he points out, it
is often impossible to track intruders through the maze of jumps through
other victimized sites.  For this reason, he urges readers not to attack
the proximate sites from which intrusions appear to be launched: too
often, such sites are equally victims of the true attackers.

The book ends very properly with a 16-page index that seems thorough
and useful.

As usual in any book, there are always picky little details that a
reviewer seems bound to mention in order to demonstrate his or her
attention to the text <smile>.  I don't want to do that, although I
cannot resist a broad grin at the following garbled sentence from page
201, "The answer lies in that recurring them on behalf of semantics."

As an author who has groaned at what has appeared in print under my
name, Dr Escamilla has my sincere sympathy.  It happens to everyone.

In summary, Dr. Escamilla's excellent book is well-written,
comprehensive, and useful for both beginners and experts in information
security.  It is well worth its modest cost (U$40) and I hope that it
will be widely used throughout the industry.  For more information about
the book, one can visit a section of the publisher's Web site
<http://www.wiley.com/compbooks/escamilla>.  In addition, readers will
be interested to know that since this book went to press, a number of
intrusion detection product developers banded together in December 1998
to form the ICSA's Intrusion Detection Product Developers Consortium
<http://www.icsa.net/news/press_room/1998/idsc.shtml>.

---------------------------------------------
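The challenge-response blooper quoted from Chapter 4 (the response is the challenge itself, so an impersonator can simply echo it) is easy to see in a few lines. The following is an added example written for this archive, not code from the book or the reviewer; the HMAC-SHA256 "corrected" scheme, the one-time challenge bookkeeping and the shared key are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed-demo-shared-secret"  # constructed sample key

def flawed_response(challenge: bytes, key: bytes) -> bytes:
    """The blooper quoted in the review: the response is the challenge
    itself, so anyone who sees the challenge can answer it without a key."""
    return challenge

def keyed_response(challenge: bytes, key: bytes) -> bytes:
    """Assumed corrected scheme (not from the book): the response is an
    HMAC-SHA256 of the challenge under the shared key."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Server:
    # Issues fresh random challenges and accepts each one only once.
    def __init__(self, respond, key: bytes):
        self.respond = respond
        self.key = key
        self.outstanding = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self.outstanding:   # unknown or already used
            return False
        self.outstanding.discard(challenge)     # one-time use
        expected = self.respond(challenge, self.key)
        return hmac.compare_digest(expected, response)

def impersonator_wins(respond) -> bool:
    """An impersonator who lacks the key just echoes the challenge back."""
    server = Server(respond, SHARED_KEY)
    c = server.challenge()
    return server.verify(c, c)

def legitimate_client_wins(respond) -> bool:
    # A client holding the key computes the proper response.
    server = Server(respond, SHARED_KEY)
    c = server.challenge()
    return server.verify(c, respond(c, SHARED_KEY))

def replay_rejected(respond) -> bool:
    # A captured (challenge, response) pair must not work a second time.
    server = Server(respond, SHARED_KEY)
    c = server.challenge()
    r = respond(c, SHARED_KEY)
    return server.verify(c, r) and not server.verify(c, r)
```

Under the flawed scheme the echo "wins" authentication; under the keyed scheme it fails while the key-holding client still succeeds, and the server's one-time bookkeeping refuses a replayed pair in either case.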
