TELECOM Digest OnLine - Sorted: Book Review: "Intrusion Prevention and Active Response", Michael Rash

Book Review: "Intrusion Prevention and Active Response", Michael Rash

Rob Slade (
Mon, 17 Jul 2006 20:37:50 -0800


"Intrusion Prevention and Active Response", Michael Rash et al, 2005,
1-932266-47-X, U$49.95/C$69.95
%A Michael Rash
%A Angela Orebaugh
%A Graham Clark
%A Becky Pinkard
%A Jake Babbin
%C 800 Hingham Street, Rockland, MA 02370
%D 2005
%G 1-932266-47-X
%I Syngress Media, Inc.
%O U$49.95/C$69.95 781-681-5151 fax: 781-681-3585
%O Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P 402 p.
%T "Intrusion Prevention and Active Response"

In the beginning were the blackhats, and the net was without form, and
void. (Actually, slightly before the beginning were a bunch of grad
students who were just all keen to share stuff and never figured
anybody would try and deliberately break such a neat toy.) And the
security community said, "Let there be firewalls!" And the security
community looked upon the firewalls and saw that they were good. (And
they didn't say anything in particular about the fact that there were
also ACLs, and rulesets, and management issues, and all manner of
creeping features.) And the security community said, "Let there be
intrusion detection systems, which shall also be known as IDSs!" And
the security community looked upon the IDSs and saw that they were
good. (And there were even *more* ACLs, and rulesets, and management
issues, and all manner of creeping features.) And the security
community said, "Let us make unto ourselves the ultimate in network
security tools, and let it be the Holy Grail and Silver Bullet and
Philosopher's Stone of security, and let it manage itself and respond
to any kind of attack!" And lo, the security vendors looked upon the
intrusion prevention system (IPS) and saw that it was a very good
marketing idea.

Chapter one attempts to define intrusion prevention and active
response, but it doesn't do so in a particularly clear or consistent
manner. An IPS is an IDS that can take some kind of action. What
kind of action? Well, an IPS does data content (application level)
inspection. Maybe. Then again, a network-based active response
system (and an active response system may or may not be the same thing
as an IPS: it depends upon which section of the chapter you are
reading) might modify firewall policies or respond to attack packets
by resetting the port and killing the connection. (This means, as the
book points out, that an active response system can't do anything at
all to prevent an attack that consists of a single packet. I'm not
sure that all IPS vendors would agree with that position.) Network-
based IPS/active response systems can block ports or systems, change
firewall rules, reset connections, or alter the data content. (And
why wouldn't that stop a single-packet attack?) Host-based IPS/active
response can revise filesystem privileges, perform disinfection, and
change firewall rules.

I'm sorry, that paragraph was confused, had poor structure, and was
not particularly clear. But then again, it seems to capture the
essence and style of chapter one.

(In response to the draft of this review, one of the authors feels
that I have not been fair. He primarily notes that the authors wish
to make a distinction between intrusion prevention and active
response, but that is not made terribly clear in the printed text. In
addition, he says that the missing details I have listed are present
in the book -- but gives citations that come from a variety of different
places in the volume.)

Chapter two seems to be an attempt to declare that "deep" packet
inspection is different than inspection of the packet contents, but,
aside from giving a whole bunch of examples of things that shouldn't
be in packets, it doesn't say why. False positives can be a real
danger, so I agree with the title of chapter three. Unfortunately,
the text doesn't: we simply have a lot of discussion about how Nmap
works, finishing off with a terse mention of Bayesian statistics. A
few specific attacks against certain applications (and certain
versions) are listed in chapter four. Chapter five discusses systems
that will modify data content, but only in terms of setting up Snort
or Netfilter for specific attacks, and not in a usefully detailed way,
or one that is helpful for general usage. A few more attacks, and
ways that systems operating at the level of the kernel can help, are
described (in a rather confused fashion) in chapter six. Chapter
seven proposes an application-level IPS, but what is described seems
to be identical to any application-level proxy firewall with content
inspection. Chapter eight lists some of the data you might obtain
from a number of open source tools. Some of the things that can go
wrong with an IPS are mentioned in chapter nine.

Intrusion prevention systems are new, not terribly well-defined, and
popular. The security literature on the topic is limited. Therefore,
any work that addresses the topic will have some value. Indeed, in
his response, one of the authors felt that they should get some credit
for being first, and this is generally true. This book, however, will
be difficult for the newcomer to approach with any certainty. The
expert will find it both limited and (because of this) misleading at
times. Some of the content is useful, and a number of the points
raised should be considered, but the material should be treated with
caution. The volume is doctrinaire about items that cannot yet be
fully agreed upon, neglects issues and options that should be
considered by security professionals, includes considerable
information that has only the most tenuous connection to the topic at
hand, and is written without much consideration for the reader.

copyright Robert M. Slade, 2006 BKINPRAR.RVW 20050615

====================== (quote inserted randomly by Pegasus Mailer)
A doctor's reputation is made by the number of eminent men who
die under his care. - George Bernard Shaw
Dictionary of Information Security

Post Followup Article Use your browser's quoting feature to quote article into reply
Go to Next message: Jim Haynes: "Parlino?"
Go to Previous message: Reuters News Wire: "Feed Burner Buys Blog Beat, Expands Services"
TELECOM Digest: Home Page