Intrusion Detection

Network Security Beyond the Firewall

Publisher: Wiley, 1998, 348 pages

ISBN: 0-471-29000-9

Last modified: May 22, 2021, 10:33 a.m.

Synopsis

A complete nuts-and-bolts guide to improving network security using today's best intrusion detection products

Firewalls cannot catch all of the hacks coming into your network. To properly safeguard your valuable information resources against attack, you need a full-time watchdog, ever on the alert, to sniff out suspicious behavior on your network. This book gives you the additional ammo you need. Terry Escamilla shows you how to combine and properly deploy today's best intrusion detection products in order to arm your network with a virtually impenetrable line of defense. He provides:

Assessments of commercially available intrusion detection products: what each can and cannot do to fill the gaps in your network security
Recommendations for dramatically improving network security using the right combination of intrusion detection products
The lowdown on identification and authentication, firewalls, and access control
Detailed comparisons between today's leading intrusion detection product categories
A practical perspective on how different security products fit together to provide protection for your network

Introduction

Overview of the Book and Intrusion Detection
Who Should Read This Book
How the Book Is Organized
The Reality of Tradeoffs

Part 1: Before Intrusion Detection: Traditional Computer Security

Intrusion Detection and the Classic Security Model

Back to Basics: The Classic Security Model
Goals of Computer Security
Learn to Ask Tough Questions
A Basic Computer Security Model

The Reference Monitor
What Makes a Good Reference Monitor

Enhancing the Security Model Further

Identification and Authentication (I&A)
Access Control
Auditing

Classifying Security Products with a Nod to Intrusion Detection

Identification and Authentication
Access Control
Scanners
Intrusion Detection and Monitoring
Additional Product Differences

Prevention, Detection, and Response with Intrusion Detection
Where to Go from Here

The Role of Identification and Authentication in Your Environment

Identification and Authentication in UNIX

Users and Groups
Superuser
What Are the Subjects in UNIX?
UNIX Login
UNIX Password Mechanism
Storing Passwords in a Central Server

Identification and Authentication in NT

Users and Groups in NT
Subjects in NT
NT Login Security
NT Authentication Using a Domain Controller

How Hackers Exploit Weaknesses in Password Security

Easily Guessed Passwords
Brute Force Attacks
Social Engineering
Trojan Horses
Network Sniffing
Electromagnetic Emissions Monitoring
Software Bugs

Improving upon I&A with Authentication Servers

Third-Party Authentication
A Cryptography Primer

Ideas for Improving I&A Security

One-Time Passwords
Strong Authentication
One-Time Passwords and One-Time Pads
Two-Factor Authentication
Challenge-Response Authentication

The Need for Intrusion Detection

Biometrics

The Role of Access Control in Your Environment

Configuration Problems
Program Bugs
What Is Access Control?

How Are Access Control Decisions Made?
Access Control Lists
Who Are You?

Access Control in UNIX

Who Are You in the UNIX Environment?
UNIX File and Directory Permissions
Are You Remembering to Ask Tough Questions?
Link Counts, Hard Links, and Symbolic Links

Increasing Your Privileges or Capabilities

Background Processes and Credentials

Access Control in NT

NT Rights and Privileges
Who Are You in NT?
Permissions for NT Files and Directories

How Hackers Get around Access Control
How to Improve upon Access Control

Memco SeOS
APIs
Impact of SeOS on Base Operating System Security
SeOS Auditing
Other SeOS Features

Going beyond SeOS
Why You Still Need Intrusion Detection

Traditional Network Security Approaches

Layers of Network Security

Security between Layers on a System
Security between Peer Layers across Systems

I&A for Network Security Entities

How Hackers Exploit Protocols
How Many Network Entities Are There?
I&A for Users and Groups in a Network
Security Models within Models
Network Node I&A
Software Can Be a Network Entity

Network Access Control

Network Application Access Controls
The Importance of Naming

The Internet Protocol (IP)

Probing Network Paths
Problems at the IP Layer
Are Your Mission-Critical Applications Safe from Attacks?
IPsec

Supporting Protocols for IP

Address Resolution Protocol (ARP)
Domain Name System (DNS)
Routing Interchange Protocol (RIP)

User Datagram Protocol (UDP)

Port Security
UDP Security Concerns

Transmission Control Protocol (TCP)

TCP/IP Security Concerns

TCP/IP Application Security

Trusted Hosts

The Role of the Firewall in Traditional Security

What Is a Firewall?
Packet Filters Provide Access Control Services
Application Proxies Provide Access Control
Firewalls Provide IP Security
IP Sec or Application Security

How Complex Is Your Network Security?
Why Intrusion Detection Is Needed after Network Security

Part 2: Intrusion Detection: Beyond Traditional Security

Intrusion Detection and Why You Need It

Do You Have Protection?
The Role of Intrusion Detection

Beyond I&A
Beyond Access Control
Beyond Network Security

Intrusion Detection: Concepts and Definitions

IDS Engine Categories
Real Time or Interval Based
Data Source
A Generic IDS Model

Getting Ready to Look for Hacker Trade

Detecting Intruders on Your System Is Fun and Easy

Classes of Attacks

Internal Attacks
External Threats

Layers of Information Sources

Warning: Opportunities for Hackers!

Commercial IDS Layering
How Does One Get the Data?

Intrusion Detection Inside a Firewall
Relying on Others for Data

System Data Sources

syslog
Audit Trails

Tracing the Path of Activity Can Be Difficult

Monitoring Policies

Simple or Complex Attacks
Prepare to Scan for Weaknesses

Vulnerability Scanners

What Is a Scanner?
Characteristics of Scanners

Local Scanners
Remote Scanning

How a Scanner Works
Improving Your Security with Scanners

ISS SAFESuite

Other Scanners

Ballista
IBM Network Security Auditor
Keeping the Scanners Current

Are You Done Yet?

UNIX System-Level IDSs

Detecting Hacks with Stalker

Audit Management
Tracer/Browser
Misuse Detector
Attacks Detected by Stalker
Is Stalker Right for You?
Some Alternative Stalker Configurations

Detecting Hacks with the Computer Misuse Detection System

How CMDS Works

Other IDS Features to Consider

Ease of Set Up
Distributed Intrusion Detection
Monitoring and Privacy
Finding New Attacks
General Event Monitoring or Intrusion Detection

Using Audit Logs to Find Attacks

Two Main Reasons for Vulnerabilities
Notation
A Word about Sequences
Focusing on Local Attacks
An IDS Limitation
The Scope Problem and Memory Requirements

Why You're Not Finished Yet

Sniffing for Intruders

How Network IDSs Work

Networks and Subnets
Network IDSs Sniff Network Traffic
Other Network IDS Features

Network IDS Attack Recognition

Fragmented IP Packets

Advantages of Network IDSs
Limitations of Network Packet Sniffing

Network Sniffers Do Not See All Packets
Network Sniffers Are Blinded by Encryption
Missed System-Level Attacks
The Network IDS Is Not the Destination Node
Getting around the Encryption Problem

Which Product Has The Best Nose?

IBM and NetRanger
RealSecure
Network Flight Recorder

Will Intrusion Detection Be Enough?

Intrusion Detection for NT

NT Security Review
Sources of Data for NT IDSs

NT Event Log
Event Records

What to Monitor on NT

Increased Privileges
Impersonation
Remote Attacks
Local Vulnerabilities

Intrusion Detection Products for NT

Look for These Features
Centrax

For Further Thought

Part 3: Rounding Out Your Environment

You've Been Hit!

Be Prepared
Discovery and Detection
Responding to Intrusions
Should You Pursue Your Attacker?

Intrusion Detection: Not the Last Chapter When It Comes to Security
- Traditional Computer Security
- The Rationale for IDSs
- Types of IDSs
- Improving upon IDSs
- Take It Away

Appendix Hot Links for Information

Incident Response Organizations
Intrusion Detection Research

Reviews