Paperback Intrusion Detection: Network Security Beyond the Firewall Book

ISBN: 0471290009

ISBN13: 9780471290001

Intrusion Detection: Network Security Beyond the Firewall

A complete nuts-and-bolts guide to improving network security using today's best intrusion detection products. Firewalls cannot catch all of the hacks coming into your network. To properly safeguard... This description may be from another edition of this product.


Format: Paperback


Customer Reviews

5 ratings

Valuable help to the data security professional.

This is a book with a lot of content, capable of giving valuable help to the data security professional. As often happens today, the title is somewhat misleading, being in this case reductive in relation to the actual content. In fact, the first of the three parts the book is made of (half of the total 348 pages) is a good recap of traditional protection models. Identification, authentication, access control and auditing are covered, both conceptually and with reference to market-available tools. The idea is to let the reader have a sound grasp of traditional devices before showing, in the second and third parts, how Intrusion Detection Systems (IDS) are a complementary must to the traditional protection models. Both UNIX (various flavours) and NT operating systems are taken into account. The second part introduces both the working philosophy and the practical usage of IDS. They are divided into three main categories: vulnerability assessment scanners, system level devices and network sniffers. Also in this case UNIX and NT scenarios are considered and several market-leading tools are described in some detail. Integration of IDS with traditional security functions (discussed in part 1) is covered. Despite all your accuracy in deploying a protection system (including IDS), you could be hit! The third part of the book introduces you to the incident-handling phase of the story, giving you advice about what to do and not to do in such an undesirable event.

Excellent introduction to intrusion detection technology

Review by M. E. Kabay, PhD, CISSP Director of Education ICSA, Inc. Terry Escamilla, PhD, has many years of experience designing and implementing information security systems. After He worked with Haystack Labs on the Stalker intrusion detection products and currently works on IBM's e-commerce products. Dr Escamilla has written a concise introduction not only to intrusion detection systems but also an excellent primer on important elements of modern information security. Intrusion Detection begins with a clear Preface that explains the purpose of his textbook: "Our goal is . . . To differentiate intrusion detection from other forms of computer security and to show how each product category adds value." The author explicitly avoids the shopping cart approach, leaving detailed product comparisons to the trade press where they belong in a rapidly-changing technical environment. He includes specific products as representatives of classes of software. Escamilla aims his book at CIOs and security officers or network managers; he wants to provide a high-level overview with enough technical detail to help the reader fit intrusion detection into corporate information security architectures. The book includes a good Introduction where Escamilla lays out the structure of his text. The first 153 pages serve in effect as a mini textbook introducing the conventional model for security -- the model focused on preventing breaches of security. The author uses the classical triad (C-I-A for confidentiality, integrity and availability) of security as a framework for reviewing traditional security; I strongly prefer Donn Parker's Hexad, which adds control or possession, authenticity and utility. Escamilla summarizes some of these in a mere paragraph. Nonetheless, his review is well worth reading by his intended audience and even by rank beginners in the field of security. The author's Chapter 1 definitions of security model, entities, subjects, objects, authorization, users, trust relationships, trust boundaries, reference monitor, security kernel, identification and authentication, access control schemes, and the other basics of security theory are lucid and well illustrated. For example, his paragraph on "Intrusion Detection and Monitoring" (p. 23) states, "The purpose of an IDS product is to monitor the system for attacks. An attack might be signaled by something as simple as a program that illegally modifies a user name. Complex attacks might involve sequences of events that span multiple systems. Intrusion detection products are classified with system monitors because they usually depend on auditing information provided from the system's logs or data gathered by sniffing network traffic. One difference between scanners and IDSs is the time interval. A scanner is running in real time when it is started. However, a scanner is rarely run all of the time. Intrusion detection products are designed to run in real time and to constantly monitor the system for a

Perfect guide to network security

Escamilla uses practical perspectives to expertly describe methods to improve network security.

Superb coverage for ID strategy and deployment

If you're responsible for protecting your company's information assets, this book is for you. As a security professional at a mid-sized firm, I found Escamilla's frank assessments of commercially available intrusion detection products invaluable. Given the author's obviously immense research on the classic security model and today's leading intrusion detection products, I am now very confident about the right steps to take to fill the gaps in my organization's network security. Escamilla provides a thorough explanation of security problems and then explains how classic security products address these problems and why intrusion detection is needed beyond I & A, access control, and network security products such as firewalls. As the author states, the book is intended for the reader to know "precisely what a product can and cannot do." If you're a security officer, or simply have an interest in the growing need for computer security, prepare to think critically about how intrusion detection products work and why you need them. Buy this book!

Excellent Introduction to Intrusion Detection

Intrusion Detection - Network Security Beyond the Firewall is a very well researched and well thought out discussion of where commercial security tools fit into an organization's security policy. The author presents support for Intrusion Detection based on a well documented history of computer security problems and proposed solutions, and then explains how different security products fit different needs. Computer Security is a very complex topic that means different things to different people. The author uses his many years of experience in actually building, deploying, and using Intrusion Detection Systems to present the topic in a simple and easy to understand fashion. This book also contains a rich set of references and sources of additional information. This book will not make you a security expert overnight, but it is an excellent way to get started.