From: secedu@all.net
Reply-to: secedu@all.net
Organization: Information Security Educators Mailing List
Subject: Information Security Educators Mailing List 1999-02-12
---------------------------------------------
From: "Rob Slade, doting grandpa of Ryan and Trevor" <rslade@sprint.ca>
Organization: Vancouver Institute for Research into User
Date: Fri, 12 Feb 1999 08:33:14 -0800

BKINTRDT.RVW   990108

"Intrusion Detection", Terry Escamilla, 1998, 0-471-29000-9,
U$39.99/C$56.50
%A   Terry Escamilla
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   1998
%G   0-471-29000-9
%I   John Wiley & Sons, Inc.
%O   U$39.99/C$56.50 416-236-4433 fax: 416-236-4448 rlangloi@wiley.com
%P   348 p.
%T   "Intrusion Detection: Network Security Beyond the Firewall"

Maybe my perception is skewed from having been involved with physical
security as well as the computer kind, but I see intrusion detection
as being part of security.  There is no security system that cannot be
penetrated or bypassed, and so detection is, in my view, simply a fact
of security life.  Isn't that what auditing, one of the main pillars
of data security, is all about?  So I find the attempt to sell the idea
of intrusion detection somewhat redundant.  Then there is the emphasis
on reviewing commercial Intrusion Detection Systems (IDS).

Part one looks at what happens before intrusion detection: the
traditional role and model of computer security.  Chapter one provides
a brief, but reasonably sound, overview of this classic paradigm,
concentrating on defining most of the theoretical terms used.  Some
identification and authentication details from both UNIX and Windows
NT start out chapter two, which then meanders through a few examples
of password cracking, and finally ends with a look at ticket granting
systems and other authentication improvements.  A similar look at
access control is provided by chapter three.  Given the complexity of
networking and network security, the number of topics covered in
chapter four is unsurprising.

Part two looks at intrusion detection by extending the traditional
security design.  Chapter five is fairly pivotal, as evidenced by the
title "Intrusion Detection and Why You Need It."  The "why" part comes
first, with a rather weak example showing that security systems can
have loopholes if you don't configure or program everything properly. 
Intrusion detection then seems to be defined as the usual game of find
vulnerability-fix-repeat, only in automated form.  A number of
possible attacks are mentioned in chapter six, and then a promotion of
the addition of an IDS layer to a system, without a corresponding
reiteration of the warning, from chapter four, that layers in a system
increase the possibility of loopholes.  I was rather astonished that
SATAN [Security Administrator's Tool for Analyzing Networks] was not
included with the vulnerability scanners mentioned in chapter seven. 
Two more sophisticated products are reviewed in chapter eight. 
Chapter nine looks at the possibility of catching intruders by traffic
analysis, although "catch" seems to be too strong a term to use here. 
Since most of the foregoing deals with UNIX, chapter ten looks at
similar products for NT, although most of the material seems to
concentrate on NT's own audit logs.

Part three looks at dealing with an intrusion once you have detected
it.   Chapter eleven recommends being prepared well, detecting early,
analyzing thoroughly, and deciding judiciously.  In one useful piece
of advice, it recommends against an attack on a system you may think
is hitting on yours.  Chapter twelve is a quick summary of the book.

As the author admits, in the final chapter, that intrusion detection
systems are not the final word in computer security, I am inescapably
reminded of the battles in the antiviral field over the relative
strengths of scanners, activity monitors, and change detection
systems.  What works best?  A combination approach, of course.  The
price of a secure system is more budget for administration time and
tools.  This book does not present any radically new approach or
technique for system security.  In fact, with the emphasis on
proprietary commercial products, the work will date quite quickly. 
For those who are looking to add an automated IDS to their current
network, the volume could act as a kind of incomplete buyer's guide.

copyright Robert M. Slade, 1999   BKINTRDT.RVW   990108

======================
rslade@vcn.bc.ca  rslade@sprint.ca  robertslade@usa.net  p1@canada.com
Find virus, book info http://victoria.tc.ca/techrev/rms.htm
        Mirrored at http://sun.soci.niu.edu/~rslade/rms.htm
        Linked to bookstore at http://www97.pair.com/robslade/
Robert Slade's Guide to Computer Viruses, 0-387-94663-2 (800-SPRINGER)
---------------------------------------------
