http://www.dmst.aueb.gr/dds/pubs/Breview/1999-CR-IntrDet/html/review.html This is an HTML rendering of a working paper draft that led to a publication. The publication should always be cited in preference to this draft using the following reference:
Diomidis Spinellis
University of the Aegean
Intrusion detection: network security beyond the firewall
Escamilla, Terry
John Wiley & Sons, Inc. New York, NY 1998, 348 pp. $39.99, ISBN 0-471-29000-9
Intrusion detection systems complement other approaches to information systems security by providing a mechanism to detect attacks that were not foreseen or covered by other security mechanisms. About half of the book's material provides a general overview of system security mechanisms with particular emphasis on their implementation under the Unix and Windows NT operating systems. Thus, following the introductory chapter, Chapter 2 presents a number of identification and authentication mechanisms, including those provided by the above-mentioned operating systems and, in addition, Kerberos, X.509, and the ACE Server by Security Dynamics. Similarly, Chapter 3 presents the respective operating systems' native access control mechanisms as well as the Memco SeOS and the Tivoli Management Environment. Chapter 4, rounding off the introductory material, introduces network-based exploits and security approaches across all levels of the Internet protocol stack and presents the firewall technologies and configurations that are routinely used to counter those attacks. The common theme across the first part of the book is that traditional approaches are not enough and need to be complemented by intrusion detection systems. A taxonomy of those systems is presented in Chapter 5, followed by a number of detailed examples in Chapter 6. Chapter 7 presents products that scan a system for vulnerabilities, while the following three chapters deal with intrusion detection systems targeting Unix, networks, and Windows NT. The book concludes with one chapter dealing with attack response procedures, and one summarising the presented information and outlining future directions for intrusion detection research. A limited number of the nowadays obligatory Web links are provided in an appendix. A complete list of references and a detailed index complete the book's offerings.
According to the author, the book should be read by site security officers, chief information officers, intrusion detection system implementors, and generally anyone interested in computer security. Most of the material is presented in an accessible format and can thus be understood and used by its intended audience. Interesting complementary information is conveniently presented in side boxes. Unfortunately, the use of figures as a presentation aid is lacking: in a number of places an additional diagram would make the material more accessible; furthermore, I found many of the existing diagrams, especially those presenting network topologies, difficult to comprehend. A small number of inaccuracies, such as the description of the top three bits of the Unix file permission value as the "sticky bit", and oversights, such as the suggestion that a system administrator should type "su - root" at a user console to securely obtain superuser rights (the user could still have a Trojan "su" command installed), are minor and infrequent. By far the greatest shortcoming of this book is its exclusive focus on commercial products aimed at the Unix and Windows NT market. The rapidly advancing and changing technologies of our network infrastructure, attack methods, and intrusion detection tools give research-derived, open-source products and home-grown approaches an edge that commercial products cannot easily match. Prospective readers who are constrained by organisational policy or other factors to use a vendor-supported product might find the tool descriptions provided by Escamilla a useful procurement guide. Those whose system platforms or needs are not covered by the available commercial tools will be better served by the intrusion detection pages maintained by COAST [1]; researchers should also take into account the ongoing effort towards a Common Intrusion Detection Framework [2].
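To make the permission-bit remark above concrete: the top three bits of a Unix mode value are three distinct flags (setuid 04000, setgid 02000, sticky 01000), of which only the lowest is the sticky bit. The decoder below is an added example written for this review page; it is not code from the book or from its reviewer. It relies only on the Python standard library's `stat` constants, so the bit values are the kernel's own rather than assumptions, and the sample modes it decodes are constructed for illustration.

```python
import stat

# The three "special" bits that sit above the nine rwx bits of a mode value.
# Only S_ISVTX is the sticky bit; S_ISUID and S_ISGID are separate flags.
SPECIAL_BITS = (
    ("setuid", stat.S_ISUID),  # 0o4000
    ("setgid", stat.S_ISGID),  # 0o2000
    ("sticky", stat.S_ISVTX),  # 0o1000
)


def special_bits(mode: int) -> list:
    """Return the names of the special (upper three) permission bits set in mode."""
    return [name for name, flag in SPECIAL_BITS if mode & flag]


def is_sticky(mode: int) -> bool:
    """True only when the 0o1000 bit is set; setuid/setgid alone do not qualify."""
    return bool(mode & stat.S_ISVTX)


def describe(mode: int) -> str:
    """Render a mode as ls -l would, with the octal value and the special-bit names."""
    return f"{stat.filemode(mode)} ({oct(mode & 0o7777)}) special={special_bits(mode)}"


if __name__ == "__main__":
    # Constructed sample modes (file type bits included so filemode() prints the type):
    samples = {
        "world-writable sticky directory, like /tmp": stat.S_IFDIR | 0o1777,
        "setuid executable, like passwd": stat.S_IFREG | 0o4755,
        "setuid and setgid executable": stat.S_IFREG | 0o6755,
        "plain executable": stat.S_IFREG | 0o755,
    }
    for label, mode in samples.items():
        print(f"{label:45s} {describe(mode)}")
```

Running it shows, for instance, that a 4755 executable decodes to `-rwsr-xr-x` with `special=['setuid']` and `is_sticky()` false, while only the 1777 directory reports the sticky bit; auditing scripts that treat any of the three high bits as "sticky" would misclassify setuid binaries, which is the bit a defender most wants flagged.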