Intrusion Detection

Network Security Beyond the Firewall

Terry Escamilla

Publisher: Wiley, 1998, 348 pages

ISBN: 0-471-29000-9

Keywords: IT Security, Networks

Last modified: May 22, 2021, 10:33 a.m.

A complete nuts-and-bolts guide to improving network security using today's best intrusion detection products

Firewalls cannot catch all of the hacks coming into your network. To properly safeguard your valuable information resources against attack, you need a full-time watchdog, ever on the alert, to sniff out suspicious behavior on your network. This book gives you the additional ammo you need. Terry Escamilla shows you how to combine and properly deploy today's best intrusion detection products in order to arm your network with a virtually impenetrable line of defense. He provides:

  • Assessments of commercially available intrusion detection products: what each can and cannot do to fill the gaps in your network security
  • Recommendations for dramatically improving network security using the right combination of intrusion detection products
  • The lowdown on identification and authentication, firewalls, and access control
  • Detailed comparisons between today's leading intrusion detection product categories
  • A practical perspective on how different security products fit together to provide protection for your network

Table of Contents

  • Introduction
    • Overview of the Book and Intrusion Detection
    • Who Should Read This Book
    • How the Book Is Organized
    • The Reality of Tradeoffs
  • Part 1: Before Intrusion Detection: Traditional Computer Security
    1. Intrusion Detection and the Classic Security Model
      • Back to Basics: The Classic Security Model
      • Goals of Computer Security
      • Learn to Ask Tough Questions
      • A Basic Computer Security Model
        • The Reference Monitor
        • What Makes a Good Reference Monitor
      • Enhancing the Security Model Further
        • Identification and Authentication (I&A)
        • Access Control
        • Auditing
      • Classifying Security Products with a Nod to Intrusion Detection
        • Identification and Authentication
        • Access Control
        • Scanners
        • Intrusion Detection and Monitoring
        • Additional Product Differences
      • Prevention, Detection, and Response with Intrusion Detection
      • Where to Go from Here
    2. The Role of Identification and Authentication in Your Environment
      • Identification and Authentication in UNIX
        • Users and Groups
        • Superuser
        • What Are the Subjects in UNIX?
        • UNIX Login
        • UNIX Password Mechanism
        • Storing Passwords in a Central Server
      • Identification and Authentication in NT
        • Users and Groups in NT
        • Subjects in NT
        • NT Login Security
        • NT Authentication Using a Domain Controller
      • How Hackers Exploit Weaknesses in Password Security
        • Easily Guessed Passwords
        • Brute Force Attacks
        • Social Engineering
        • Trojan Horses
        • Network Sniffing
        • Electromagnetic Emissions Monitoring
        • Software Bugs
      • Improving upon I&A with Authentication Servers
        • Third-Party Authentication
        • A Cryptography Primer
      • Ideas for Improving I&A Security
        • One-Time Passwords
        • Strong Authentication
        • One-Time Passwords and One-Time Pads
        • Two-Factor Authentication
        • Challenge-Response Authentication
      • The Need for Intrusion Detection
        • Biometrics
    3. The Role of Access Control in Your Environment
      • Configuration Problems
      • Program Bugs
      • What Is Access Control?
        • How Are Access Control Decisions Made?
        • Access Control Lists
        • Who Are You?
      • Access Control in UNIX
        • Who Are You in the UNIX Environment?
        • UNIX File and Directory Permissions
        • Are You Remembering to Ask Tough Questions?
        • Link Counts, Hard Links, and Symbolic Links
      • Increasing Your Privileges or Capabilities
        • Background Processes and Credentials
      • Access Control in NT
        • NT Rights and Privileges
        • Who Are You in NT?
        • Permissions for NT Files and Directories
      • How Hackers Get around Access Control
      • How to Improve upon Access Control
        • Memco SeOS
        • APIs
        • Impact of SeOS on Base Operating System Security
        • SeOS Auditing
        • Other SeOS Features
      • Going beyond SeOS
      • Why You Still Need Intrusion Detection
    4. Traditional Network Security Approaches
      • Layers of Network Security
        • Security between Layers on a System
        • Security between Peer Layers across Systems
      • I&A for Network Security Entities
        • How Hackers Exploit Protocols
        • How Many Network Entities Are There?
        • I&A for Users and Groups in a Network
        • Security Models within Models
        • Network Node I&A
        • Software Can Be a Network Entity
      • Network Access Control
        • Network Application Access Controls
        • The Importance of Naming
      • The Internet Protocol (IP)
        • Probing Network Paths
        • Problems at the IP Layer
        • Are Your Mission-Critical Applications Safe from Attacks?
        • IPsec
      • Supporting Protocols for IP
        • Address Resolution Protocol (ARP)
        • Domain Name System (DNS)
        • Routing Interchange Protocol (RIP)
      • User Datagram Protocol (UDP)
        • Port Security
        • UDP Security Concerns
      • Transmission Control Protocol (TCP)
        • TCP/IP Security Concerns
      • TCP/IP Application Security
        • Trusted Hosts
      • The Role of the Firewall in Traditional Security
        • What Is a Firewall?
        • Packet Filters Provide Access Control Services
        • Application Proxies Provide Access Control
        • Firewalls Provide IP Security
        • IP Sec or Application Security
      • How Complex Is Your Network Security?
      • Why Intrusion Detection Is Needed after Network Security
  • Part 2: Intrusion Detection: Beyond Traditional Security
    1. Intrusion Detection and Why You Need It
      • Do You Have Protection?
      • The Role of Intrusion Detection
        • Beyond I&A
        • Beyond Access Control
        • Beyond Network Security
      • Intrusion Detection: Concepts and Definitions
        • IDS Engine Categories
        • Real Time or Interval Based
        • Data Source
        • A Generic IDS Model
      • Getting Ready to Look for Hacker Trade
    2. Detecting Intruders on Your System Is Fun and Easy
      • Classes of Attacks
        • Internal Attacks
        • External Threats
      • Layers of Information Sources
        • Warning: Opportunities for Hackers!
      • Commercial IDS Layering
      • How Does One Get the Data?
        • Intrusion Detection Inside a Firewall
        • Relying on Others for Data
      • System Data Sources
        • syslog
        • Audit Trails
      • Tracing the Path of Activity Can Be Difficult
        • Monitoring Policies
      • Simple or Complex Attacks
      • Prepare to Scan for Weaknesses
    3. Vulnerability Scanners
      • What Is a Scanner?
      • Characteristics of Scanners
        • Local Scanners
        • Remote Scanning
      • How a Scanner Works
      • Improving Your Security with Scanners
        • ISS SAFESuite
      • Other Scanners
        • Ballista
        • IBM Network Security Auditor
        • Keeping the Scanners Current
      • Are You Done Yet?
    4. UNIX System-Level IDSs
      • Detecting Hacks with Stalker
        • Audit Management
        • Tracer/Browser
        • Misuse Detector
        • Attacks Detected by Stalker
        • Is Stalker Right for You?
        • Some Alternative Stalker Configurations
      • Detecting Hacks with the Computer Misuse Detection System
        • How CMDS Works
      • Other IDS Features to Consider
        • Ease of Set Up
        • Distributed Intrusion Detection
        • Monitoring and Privacy
        • Finding New Attacks
        • General Event Monitoring or Intrusion Detection
      • Using Audit Logs to Find Attacks
        • Two Main Reasons for Vulnerabilities
        • Notation
        • A Word about Sequences
        • Focusing on Local Attacks
        • An IDS Limitation
        • The Scope Problem and Memory Requirements
      • Why You're Not Finished Yet
    5. Sniffing for Intruders
      • How Network IDSs Work
        • Networks and Subnets
        • Network IDSs Sniff Network Traffic
        • Other Network IDS Features
      • Network IDS Attack Recognition
        • Fragmented IP Packets
      • Advantages of Network IDSs
      • Limitations of Network Packet Sniffing
        • Network Sniffers Do Not See All Packets
        • Network Sniffers Are Blinded by Encryption
        • Missed System-Level Attacks
        • The Network IDS Is Not the Destination Node
        • Getting around the Encryption Problem
      • Which Product Has The Best Nose?
        • IBM and NetRanger
        • RealSecure
        • Network Flight Recorder
      • Will Intrusion Detection Be Enough?
    6. Intrusion Detection for NT
      • NT Security Review
      • Sources of Data for NT IDSs
        • NT Event Log
        • Event Records
      • What to Monitor on NT
        • Increased Privileges
        • Impersonation
        • Remote Attacks
        • Local Vulnerabilities
      • Intrusion Detection Products for NT
        • Look for These Features
        • Centrax
      • For Further Thought
  • Part 3: Rounding Out Your Environment
    1. You've Been Hit!
      • Be Prepared
      • Discovery and Detection
      • Responding to Intrusions
      • Should You Pursue Your Attacker?
    2. Intrusion Detection: Not the Last Chapter When It Comes to Security
      • Traditional Computer Security
        • The Basic Security Model
        • I&A
        • Access Control
        • Network Security
      • The Rationale for IDSs
      • Types of IDSs
        • Scanners
        • System-Level IDSs
        • Network Sniffers
      • Improving upon IDSs
        • Increase Application-Level Detection
        • Adapt to Changing I&A
        • Support Common Systems Management
        • Simplify Development of Attack Signatures
        • Combine Products
        • Support Integration into Other Products
        • Support Research
        • Self Reference and IDSs
      • Take It Away
  • Appendix Hot Links for Information
    • Incident Response Organizations
    • Intrusion Detection Research

Reviews

Intrusion Detection

Reviewed by Roland Buresund

Bad ** (2 out of 10)

Last modified: Nov. 15, 2008, 2:21 a.m.

If you need this, there are other needs that must be satisfied first, namely basic knowledge of IT-security.
