Intrusion Detection: Network Security beyond the Firewall
(Publisher: John Wiley & Sons, Inc.)
Author(s): Terry Escamilla
ISBN: 0471290009
Publication Date: 11/01/98

Table of Contents


Preface

The crew at John Wiley & Sons first asked me to consider writing a book on computer security in the summer of 1997. After a few meetings with Carol Long, I was convinced of the need for a book that offered a glimpse at the fascinating area of intrusion detection. During the last several months, the flow of the book was revised many times, mostly to reflect the changing landscape of the computer security industry.

I was working for Haystack Labs in Austin, Texas when Carol and Pam Sobotka approved the first outline. My original intent was to catalogue the many ways in which systems were hacked in an effort to set a baseline upon which other books could rely. However, I also saw the value of providing an overview of intrusion detection while comparing it to other computer security approaches. Many times I had worked with customers who asked questions such as, “How does intrusion detection differ from a firewall?” or “I already use encryption. Isn’t that enough?” I decided that writing a book would be better than repeating myself for the next several months while working with business partners or customers.

Several sections of the book were written in the fall of 1997, only to be revised in 1998 to include recent changes in product positioning. The experience has been analogous to trying to paint a ship while it is rocking in active seas. It has certainly been exciting.

About three quarters of the way through the writing of this book, Haystack was acquired by Trusted Information Systems. In the security industry, we had been forecasting mergers and acquisitions, but like the Web, no one expected the speed with which events unfolded. TIS was soon part of Network Associates, and many other mergers and acquisitions occurred as the major security vendors maneuvered to field better solutions. Although the environment was appealing, I decided to return to my former employer, IBM, and focus on practical applications of security.

As with any endeavor, there are the unavoidable tradeoffs. After several discussions with the Wiley team, we decided on a practical, high-level book rather than an in-depth treatment of intrusion detection. Our goal is thus to differentiate intrusion detection from other forms of computer security and to show how each product category adds value. Over time, offerings from vendors will certainly overlap more, perhaps calling for a second edition. We did not cover products in great detail either. The overall theory is more important than the minutiae of products, which change several times a year. We also wanted to avoid a product shopping comparison. These reports are best left to the trade press and to your own laboratories. Products described in the book were chosen because they are representative. Inclusion of a product does not imply superiority in the marketplace.

I have made every effort not to judge hackers and crackers either. Many security holes are announced by people who want to plug leaks, not by people who want to exploit them. The assumption is that you want to protect information assets, and therefore, you need to understand how systems are compromised, defended, and monitored. My approach is practical and objective. Ethical arguments and legal discussions are best left to the experts in those fields.

Unfortunately, ample room was not available for coverage of intrusion detection research. Although this field is of great interest to me, I did not feel that justice could be done in a single chapter or appendix. A complete book detailing historical and current intrusion detection research would be more appropriate. The interested reader can find original papers and pointers at Web sites managed by SRI, LLNL, COAST, and U.C. Davis.

My hat is also tipped to the security professionals and researchers outside of the United States. Many excellent projects and products originate in other geographies, but these were omitted because of my lack of experience with them. Hopefully, you will investigate these alternatives on your own.

I would like to emphasize that this book and its contents are not endorsed by IBM in any way. The project was conceived and written mostly while I was at Haystack and TIS. I have tried to be impartial in my presentation of important topics, although one’s opinions certainly have a way of creeping into the text.

You might want to know that a portion of the royalties from this book are being donated to charity. The idea came to me when I had the honor of participating in a panel with Peter Neumann at a firewall conference. Dr. Neumann donated his honorarium to a foundation of personal significance to him, and I was reminded that, as researchers and professionals, we are obliged to contribute to society in other ways.

The organization to which royalties are designated may change from year to year, but I have initially chosen the National Children’s Advocacy Center (fly.hiwaay.net/~ncacadm/). Neither I nor any members of my family were ever victims of child abuse, but I view this as one of the pivotal problems in the world today. It should be comforting to know that others less fortunate will benefit when you add this book to your collection. A growing number of child abuse cases originate on the Internet today. Often, children are electronically “stalked” through e-mail and chat rooms. Some security tools provide protection today. URL blockers, Web site ratings, and scanners that look for unacceptable phrases in packets can help reduce the risk to children. Although not addressed in this book, these security offerings for the Internet are an important part of the evolving product landscape. The usual disclaimers apply. Any errors in the book are unintentional. Mistakes are mine alone. The appearance of vendor and product names in this book does not indicate their endorsement or approval of the material. Your mileage may vary with the solutions described.

—Terry D. Escamilla, Ph.D.
June, 1998
Boulder, Colorado
