Intrusion Detection. Network Security Beyond the Firewall

reviewed by Bob Bruen

by Terry Escamilla. John Wiley & Sons 1998.
348 pages. Index, Appendix (resource pointers), Bibliography.
$39.00 Softcover. ISBN 0-471-29000-9. LoC TK5105.59.E83

This book helps to fill a surprising gap in the security literature, that is to say, entire books about the field of intrusion detection (ID). There seem to be only a few products that exist independently from other security products, and many security products do not include ID. Like much of computer & network security, good intrusion detection is hard. Noticing a major denial of service attack is pretty simple because something does not respond, your PC, your web server, your net or whatever, but knowing for sure that it is a DoS attack and not some other legitimate failure is a bit more difficult. Even harder will be discovering where the attack came from or how it happened to you.

For those of us who care not only about protecting our machines from attacks, but also about making sure that the attacks are stopped, the availability of information and tools is vital. Many of the topics covered are standard, but are seen from a different vantage point. For example, it would be really helpful to have tools beyond Tripwire that would let you know when someone has entered your system with authorization. There are obvious things to look for, such as password file changes or log changes, assuming your operating system does decent logging. But what about the older system that was already modified when you decided to install Tripwire? You will only know about new changes to files, not about the current use of an old exploit planted earlier without detection. Sometimes it is not possible to do a complete, fresh install of the OS, but you will still want to know about unauthorized activity.

There is research into ID at places like Purdue (Gene Spafford) and a few others, but one of the lessons I have taken from the book is just how much more is still to be developed. We need smarter ways to monitor our systems without logging every keystroke. An example of the problem is setting thresholds. How do you know when someone is a legitimate user who either cannot type well or has forgotten a password versus someone trying to guess a password? Often three failed attempts shut down access for a while. In this case, the number three is the threshold. It says nothing about being able to detect an unauthorized access. Is there a better, smarter approach?

Naturally, this trivial example can be extended to larger scale issues, such as port scans of large networks. How can we be alerted to a new problem and then come up with a response beyond simply shutting down the victim, such as quickly getting hold of the source, even if there are multiple hops involved? If you have really good logging facilities, what do you do about analyzing the logs, which few people really enjoy reading, especially when they are large? Interesting paths to follow would include improved statistical techniques and pattern matching. The current state of things is presented well.

Given the scope and impact of today's problems, the future looks good for more work in ID. Escamilla provides the background for a good jumping-off point. The book is organized well, spends most of the time with Unix, but does address NT, and covers several ID products. I would like to see a more in-depth analysis of the products. It would be helpful to learn more about the models used to develop products without needing to buy the products or scan the sales glossies, but perhaps that's another book.

There are three main parts divided into twelve chapters. The topics include access control, vulnerability scanners, protocol exploits and building a model of intrusion detection as part of an overall approach to security. I recommend it as a book to broaden the scope of what you should learn about in the security field.