Intrusion Detection: Network Security beyond the Firewall
(Publisher: John Wiley & Sons, Inc.)
Author(s): Terry Escamilla
ISBN: 0471290009
Publication Date: 11/01/98

Table of Contents


Introduction

This book was written to help you understand how intrusion detection systems (IDSs) fit into your arsenal of security products. By the time you finish reading this book, you will have a clear understanding of how intrusion detection security products differ from one another, where they overlap, and how they help to provide comprehensive protection at your site.

Overview of the Book and Intrusion Detection

The main focus of the book is intrusion detection. However, to understand why intrusion detection is important, you need to know quite a bit of background material.

Even if you want to grab public domain source code and customize a suite of tools, you will want to read further. The problems and solutions presented throughout apply equally to both commercial and free tools. You definitely need to understand the advantages and limitations of public domain tools as well. When you read a section describing some commercial software in detail, take notes and use them to complete a similar style of analysis when considering software that you can get freely from the Internet. By the way, many commercial products originated as software you could freely download, such as the TIS Firewall Toolkit.

You do not need to buy any products to benefit from the material in this book. The chapters do not require that you complete any exercises on a particular computer or with a specific software program. However, you certainly will learn more if you have the opportunity to try out some of the products. Most vendors offer evaluation copies of products or will ship you a full-featured version that is limited by a software key.

Who Should Read This Book

You might be pondering whether you need intrusion detection. Another question you have is whether to put together some freely available tools or buy commercial products. Several other books adequately cover the range of public domain tools that are useful and perform some subset of intrusion detection tasks. In Part 2 of this book, “Intrusion Detection: Beyond Traditional Security,” the focus is commercial rather than free tools. This should complement any other books already lining your shelves.

If you are a site security officer, you will definitely want to read this book to see how IDSs relate to other security products. You also will want to see what an IDS can detect and what it cannot. If you plan to support your site security policies with an IDS, you must know its strengths and weaknesses.

The material in the book is broad enough for any computer literate person to finish. For those who like more in-depth treatments, a few topics are covered in detail. Therefore, if you’re a CIO or someone who is just interested in computer security, you’ll definitely benefit from reading the book. Should you be interested in building your own IDS, plenty of information is presented to get you started.

One thing you will not find in this book is a description of ways to hack into systems. Nor are all of the known attacks described in detail. This information is easily available to those who know how to get it. This type of discussion also would require a separate book to adequately describe the common hacks in detail. Easily more than a hundred known hacks exist, and new discoveries are made every day.

How the Book Is Organized

The book is divided into three main parts. Part 1, “Before Intrusion Detection: Traditional Computer Security,” provides background and justification for why intrusion detection is important. Part 2, “Intrusion Detection: Beyond Traditional Security,” dives into intrusion detection and shows you how it adds value. Part 3, “Rounding Out Your Environment,” recommends actions for responding to intrusions and suggests how you can pull together all of your new knowledge for building a complete security solution.

To get the most out of the book, read the chapters in sequence. However, if you consider yourself to be beyond the novice level, feel free to jump around after glancing through Chapter 1, “Intrusion Detection and the Classic Security Model.” If you find yourself looking for more breadth or depth, check out the references and Web sites in the Appendix, “Hot Links for Information.” You are not expected to be a security expert before you read this book nor by the time you finish it.

Part 1, “Before Intrusion Detection: Traditional Computer Security,” begins with an overview of classical computer security in Chapter 1. A primer is given on the important aspects of computer security by constructing a security model. If you learn to think about what the basic model should be doing, you will develop skills for asking deep, critical questions about security products. An understanding of the basic model clarifies which computer security problems are addressed by different products.

In Chapter 2, “The Role of Identification and Authentication in Your Environment,” you will take a close look at identification and authentication (I&A). The first step in interacting with a computer is identification and authentication of the user. Because I&A establishes who you are on the system, it has important consequences for intrusion detection. One goal of a hacker is to gain access to the system by exploiting the I&A process. In Chapter 2, you will see how I&A can be attacked, what you can do to improve I&A, and why an IDS is needed even if you have strong authentication.

Chapter 3, “The Role of Access Control in Your Environment,” moves to the next logical step—access control. When you have completed the I&A process, you will be limited by what you can do according to the access control policies defined in the system you are using. In this chapter, you will learn how access control is handled by the underlying operating system and how to improve upon access control with other tools. You’ll also see how intrusion detection is needed beyond access control, even if you add other access control products in your network.

The role of the firewall is explored in Chapter 4, “Traditional Network Security Approaches,” as are other aspects of network security. When you finish Chapter 4, you will know exactly what services a firewall provides beyond I&A and access control. You also will see why intrusion detection is needed even if you have a firewall. By the way, if your site is connected to the Internet, and you have not yet installed a firewall (or at least a screening router), stop reading and install one.

When you understand the role of these three traditional security areas—I&A, access control, and firewalls—Part 2, “Intrusion Detection: Beyond Traditional Security,” will take you through the intrusion detection landscape. In Chapter 5, “Intrusion Detection and Why You Need It,” you will find an introduction to the three main categories of IDSs. There, you’ll also find a brief overview of scanners, system-level IDSs, and network IDSs. You should know that even though there is tremendous interest in detecting people who try to break into systems from the outside, the FBI and other sources regularly report that 80 percent or more of losses due to computer crime are attributed to employees on the inside. Intrusion detection products try to catch both insiders and outsiders.

Chapter 6, “Detecting Intruders on Your System Is Fun and Easy,” takes a closer look at how IDSs actually find out about hack attacks. You will see that it is not always easy to detect a hacker. It’s even harder to uncover everything a hacker is doing if the attack covers a large network. Although scanners, system IDSs, and network IDSs overlap slightly, you see early on that each one fulfills an important role based on the types of hacks they detect.

Chapter 7, “Vulnerability Scanners,” discusses intrusion detection scanner tools in detail. The emphasis is more on what a scanner can and cannot detect, as opposed to surveying all of the commercially available scanner tools on the market. A good discussion of some tools is provided, but you should consult the vendors mentioned for more current information. Intrusion detection tools change regularly, so it is better to know what questions to ask about a tool than it is to compare individual scanners as they exist today.

System-level IDSs are the subject of Chapter 8, “UNIX System-Level IDSs.” As you will see, several hacks can be detected only by monitoring each system at your site. A number of tradeoffs are discussed. Specific UNIX hacks are described so that you can understand how a system-level IDS catches intruders. Naturally, there is mention of weaknesses and why you need to use scanners and network IDSs in addition to system monitors. Some of the earliest research in intrusion detection is centered on system-level tools.

Chapter 9, “Sniffing for Intruders,” rounds out the IDS categories by describing the capabilities of network IDSs. Generally, these tools work by intelligently sniffing network packets. As with the other two IDS types, network sniffing can catch some attacks but misses others. By the time you finish Chapter 9, you will have a very good knowledge base on intrusion detection. You will be able to clearly describe how an IDS complements traditional security products that improve I&A, access control, or network security.

The subject of NT intrusion detection is given special consideration in Chapter 10, “Intrusion Detection for NT.” As you will see, NT has been the chief target of a number of hackers. Although the source code for NT is not freely available (as is UNIX), a new hack against NT is discovered frequently. NT hacks and IDSs that detect them are combined in this chapter. Chapter 10 completes the survey of intrusion detection, but you still have more to consider.

Part 3, “Rounding Out Your Environment,” closes the book with two important topics. Chapter 11, “You’ve Been Hit!” collects recommendations from a variety of sources and provides guidelines for handling security incidents. You’ll see that the familiar suggestion to be prepared is especially important for incident response teams. If you are at risk for intrusions, you should roll out the suggestions in Chapter 11 as soon as possible.

Chapter 12, “Intrusion Detection: Not the Last Chapter When It Comes to Security,” recaps the path you took to understanding intrusion detection. You will review the threats, vulnerabilities, and solutions covered in classical computer security. Key points about the three main IDS categories are refreshed for you as well. The chapter then provides some suggestions on how you can deploy several complementary security products at your site. Closing remarks speculate about where intrusion detection might be in the near future.

Finally, useful Web links are provided in the Appendix, “Hot Links for Information.”

The Reality of Tradeoffs

Two important points are worth mentioning before moving forward.

First, successful software vendors are driven to make tradeoffs based on market demands. Because you are in business, too, you know that market demands seldom bear any resemblance to common sense. Numerous stories exist about companies that invent the best possible widget and then fail to create a market or unseat an already entrenched competitor in an emerging market. Companies add function to products for different reasons—competition, time to market, lost opportunities, and cost are a few. If you do not like what an IDS does today, find out the vendor’s future plans. You may be forced to make one set of tradeoffs today but will see your needs met when a new version of the product is announced.

Second, you, too, will be required to make tradeoffs when implementing your site security. To begin with, your own resources are bounded. A frequently cited claim in cryptography is that given enough money and time, any cryptographic solution can be broken. Therefore, you start by holding the short end of the stick. You cannot build the ideal security environment because you have neither infinite time nor unlimited money. Tradeoffs are unavoidable.

People and companies buy a product for a variety of reasons—because their best friends recommended it, because it was cheap, because they liked the advertisements, because their boss recommended it, because their competitor uses it, because the service is good, or perhaps because it’s the only one that supports the Japanese language. The best-selling IDS may not have the richest function, may not have the best quality, or may not be the easiest to use. It might be the best-selling product because it’s endorsed by an authority widely respected or widely feared by the majority of computer users. You may be forced to adopt a product in your industry because some influential standards body issued a decree, even if 90 percent of the rest of the world is using a different product.

You have little control over some tradeoffs because they are handed to you from above. Other tradeoffs you have the freedom to influence. Your company might be using a product because you share a member of the Board of Directors between your two companies. You might prefer to use a different security product, but your hands are tied. This is a common market reality. What can you do about this situation, and how will this book help?

You should know precisely what a product can and cannot do. This book is designed to make you think critically about how a product works, what features it provides, and why you might need it. A computer network without security is a risky venture. A false sense of security based upon the wrong products or upon incorrectly configured products is worse. In the first case, at least people know the environment is not safe, and they will proceed with caution. In the latter situation, people think the network is safe when it really is not. They will be more careless, possibly sending confidential mail to another site because they are under the impression that the network traffic is secure.

Sometimes tradeoffs are not in the products, but in your configurations. These tradeoffs can involve variables that are inversely related. For example, if you want all user passwords stored in a central server, you definitely will make tradeoffs in network latency and network traffic. At 8 A.M. when 10,000 employees log in across the site, you can expect network delays and a spike in network traffic. On the other hand, all of your passwords will be stored in one or more authentication servers that can be physically secured. You will have reduced the threat of password theft but sacrificed some network performance. Despite the fact that you’ve improved security, at some cost in network performance, threats to your environment still exist. You still need to worry about social engineering, weak user passwords, flaws that might leave the passwords in local cache areas on your network clients, and other problems. Tradeoffs are unavoidable in computer technology. Only by being informed can you expect to make the right ones.

All of the products mentioned in this book are quality solutions that go a long way towards solving your problems. Indeed, all of the vendors deserve praise for stepping up to the challenges of computer security. Like the decisions you face, these vendors also make tradeoffs between a daunting set of variables. Educate yourself and use this knowledge to improve your understanding of the alternatives.

The focus of this book is intrusion detection. Like many topics, a rich history exists that tells why intrusion detection has become a market necessity. This book walks you through the background of classic security problems. It explains how classical security products address these problems and why intrusion detection is needed beyond I&A, access control, and network security products such as firewalls. Computer security is a fascinating field with many turns, bends, secrets, tricks, and plenty of strong opinions. You will see that intrusion detection contains all of these elements of computer security.
