Intrusion Detection and Prevention

by Carl Endorf; Eugene Schultz; Jim Mellander
Format: Paperback
Pub. Date: 2003-12-16
Publisher(s): McGraw-Hill Osborne Media

List Price: $41.99


Summary

Authors Carl Endorf, Eugene Schultz, and Jim Mellander deliver the hands-on implementation techniques that IT professionals need. Learn to implement the top intrusion detection products in real-world networked environments. The book covers the most popular intrusion detection tools, including Internet Security Systems' BlackICE and RealSecure, Cisco Systems' Secure IDS, Computer Associates' eTrust, Entercept, and the open source Snort tool.

Author Biography

Carl Endorf (Normal, IL), MS, CISSP, SSCP, MCSE, CCNA, ITIL, CIWA, GSEC, IAM, is a technical security analyst for one of the largest insurance and banking companies in the U.S. He has practical experience in intrusion attack detection, as an incident manager, and in forensics, corporate investigations, and Internet security. Carl has written two certification study guides and many articles for Information Security Bulletin. Eugene Schultz, Ph.D., CISSP (Livermore, CA), is a Principal Engineer with Lawrence Berkeley National Laboratory and also teaches computer science courses at the University of California at Berkeley. He is the author or co-author of multiple security titles for New Riders and O'Reilly. Gene is the Editor-in-Chief of Computers and Security, and was the Editor-in-Chief of Information Security Bulletin from 2000 through 2001. Jim Mellander (El Sobrante, CA) is the developer of innovative peer-to-peer control software called Kazaa Obliterator, which prevents unauthorized peer-to-peer use at LBNL. He has also taught classes at community colleges, user groups, and conferences on the topics of Intrusion Detection/Incident Response, UNIX vulnerabilities, Linux firewalls, and TCP/UDP basics for Network Security, and is a SANS Instructor who teaches a course on UPDATE

Table of Contents

Foreword xxv
Acknowledgments xxvii
Introduction xxix
Part I Intrusion Detection: Primer
1 Understanding Intrusion Detection 3(20)
Intrusion-Detection and Intrusion-Prevention Basics 4(6)
What Is an Intrusion-Detection System (IDS)? 4(3)
Types of IDS Systems 7(1)
What Is an Intrusion-Prevention System (IPS)? 7(2)
IDS vs. IPS 9(1)
The History of Intrusion Detection and Prevention 10(2)
Why IDSs and IPSs Are Important 12(1)
IDS and IPS Analysis Schemes 13(6)
What Is Analysis? 13(1)
The Anatomy of Intrusion Analysis 14(2)
Rule-Based Detection (Misuse Detection) 16(1)
Profile-Based Detection (Anomaly Detection) 17(1)
Target Monitoring 18(1)
Stealth Probes 18(1)
Heuristics 18(1)
Hybrid Approach 18(1)
Example IDS Rules 18(1)
IDS/IPS Pros and Cons 19(1)
Intrusion Detection 19(1)
Intrusion Prevention 20(1)
Intrusion-Detection and Intrusion-Prevention Myths 20(2)
Summary 22(1)
2 Crash Course in the Internet Protocol Suite 23(26)
An Introduction to the Seven-Layer OSI Reference Model 24(3)
The Physical Layer 25(1)
The Data-Link Layer 25(1)
The Network Layer 25(1)
The Transport Layer 26(1)
The Session Layer 26(1)
The Presentation Layer 26(1)
The Application Layer 26(1)
TCP/IP vs. the OSI Reference Model 27(1)
Internet Protocol (IP) 28(6)
Best-Effort Delivery 28(1)
Encapsulation 28(1)
The IP Header 29(3)
IP Fragmentation 32(1)
Path MTU Discovery 33(1)
Transmission Control Protocol (TCP) 34(5)
TCP Reliable Delivery 35(1)
TCP Communications Model 35(2)
The TCP Header 37(2)
User Datagram Protocol (UDP) 39(1)
UDP Header 39(1)
Internet Control Message Protocol (ICMP) 40(1)
ICMP Packet Format 40(1)
Address Resolution Protocol (ARP) 41(5)
ARP Packet Format 42(1)
Routing 43(1)
A Practical Example of Routing 44(2)
Domain Name System (DNS) 46(1)
Summary 47(2)
3 Unauthorized Activity I 49(20)
General IDS Limitations 50(1)
Network Protocol Abuses 51(17)
ARP Abuses 51(2)
IP Abuses 53(9)
UDP Abuses 62(1)
TCP Abuses 62(4)
ICMP Abuses 66(2)
Summary 68(1)
4 Unauthorized Activity II 69(24)
Pros and Cons of Open Source 70(1)
Types of Exploits 71(7)
Memory Buffer Overflow 71(5)
Format String Overflows 76(1)
Polymorphic Shell Code 76(1)
Defense Against Buffer Overflow Attacks 77(1)
Commonly Exploited Programs and Protocols 78(10)
Cleartext Communications 78(1)
Encrypted Communications 79(2)
Web Services 81(7)
Viruses and Worms 88(3)
A Brief History of Worms 89(2)
Summary 91(2)
5 Tcpdump 93(22)
Tcpdump Command Line Options 94(3)
Tcpdump Output Format 97(2)
Tcpdump Expressions 99(3)
Shorthand Expressions 101(1)
Bulk Capture 102(2)
How Many Bytes Were Transferred in That Connection? 104(1)
Tcpdump as Intrusion Detection? 105(3)
Tcpslice, Tcpflow, and Tcpjoin 108(3)
Tcpslice 108(1)
Tcpflow 109(1)
Tcpjoin 110(1)
Summary 111(4)
Part II Architecture
6 IDS and IPS Architecture 115(22)
Tiered Architectures 116(3)
Single-Tiered Architecture 116(1)
Multi-Tiered Architecture 117(1)
Peer-to-Peer Architecture 118(1)
Sensors 119(8)
Sensor Functions 119(2)
Sensor Deployment Considerations 121(4)
Sensor Security Considerations 125(2)
Agents 127(4)
Agent Functions 127(2)
Agent Deployment Considerations 129(1)
Agent Security Considerations 130(1)
Manager Component 131(5)
Manager Functions 131(3)
Manager Deployment Considerations 134(1)
Manager Security Considerations 135(1)
Summary 136(1)
7 IDS and IPS Internals 137(24)
Information Flow in IDS and IPS 138(8)
Raw Packet Capture 138(1)
Filtering 139(1)
Packet Decoding 140(1)
Storage 141(1)
Fragment Reassembly 141(2)
Stream Reassembly 143(2)
Stateful Inspection of TCP Sessions 145(1)
Firewalling 145(1)
Putting It All Together 145(1)
Detection of Exploits 146(8)
Types of Exploits 147(2)
Signature Matching 149(2)
Rule Matching 151(2)
Profile-Based Matching 153(1)
Other Matching Methods 154(1)
Malicious Code Detection 154(2)
Types of Malicious Code 154(1)
How Malicious Code Can Be Detected 155(1)
Challenges 155(1)
Output Routines 156(1)
Defending IDS/IPS 157(1)
Summary 158(3)
Part III Implementation and Deployment
8 Internet Security Systems' RealSecure 161(36)
Installation and Architecture 162(9)
Architecture Considerations 162(2)
Windows Installation 164(2)
Solaris Installation 166(4)
Linux Installation 170(1)
Configuring RealSecure 171(9)
Increasing Efficiency 171(1)
Enabling PAM 172(5)
Creating and Implementing Packet Filters 177(3)
Creating and Implementing Event Filters 180(3)
Handling Network Devices 181(1)
Getting Acquainted with Your Network 181(1)
Using SiteProtector for Central Management 182(1)
Complementing Your Deployment with Proventia 182(1)
Reporting 183(3)
Executive Reporting 183(1)
Technical Management 184(1)
Engineering Reports 184(2)
Signatures 186(3)
Creating RealSecure Signatures 188(1)
Upgrading 189(5)
Upgrading from the RealSecure 6 Series to 7.0 190(1)
Preface for Remote Upgrades 190(1)
Upgrading Windows Sensors 191(1)
Upgrading Unix and Linux Sensors 192(1)
Migrating from Sentry to RealSecure 193(1)
Summary 194(3)
9 Cisco Secure IDS 197(34)
Designing Your Cisco-Based Solution 199(31)
Collecting Requirements 200(1)
Defense in Depth 200(5)
Management and Operations 205(1)
Event Viewer 205(1)
Network IDS 206(1)
System Features 207(1)
Assigning Packet Capture to Signatures 207(1)
Session Sniping and Shunning 207(1)
TAME 208(3)
Catalyst Switch Module: The IDSM-2 211(5)
Endpoint Protection 216(11)
Evaluation 227(1)
Train/Learn 227(2)
Agent Maintenance 229(1)
Summary 230(1)
10 Snort 231(18)
About Snort 232(1)
Snort Modes 233(1)
Sniffer Mode 233(1)
Packet Logger Mode 233(1)
Network Intrusion Detection Mode 234(1)
Snort's IDS Components 234(2)
Packet Capture Engine 234(1)
Preprocessor Plug-Ins 235(1)
Detection Engine 235(1)
Output Plug-Ins 236(1)
Snort Rules 236(3)
The Nature of Snort Rules 236(1)
Rule Order 237(1)
Writing Snort Rules 238(1)
Snort Filters 239(1)
Snort Output 239(1)
Alerts 239(1)
Log Files 240(1)
Special Requirements 240(2)
Hardware 241(1)
Software 241(1)
More About Snort 2.0 242(3)
New and Optimized Features 242(1)
Protocol Flow Analyzer 243(1)
Improved Protocol Decoding 244(1)
Additional Tools 245(1)
Evaluation 245(2)
Summary 247(2)
11 NFR Security 249(26)
NFR Detection Methodology 250(1)
NFR Architecture 250(2)
Sentivist Sensor 250(1)
Sentivist Central Management System (CMS) 251(1)
Administrative Interface (AI) 252(1)
Sentivist Signatures 252(2)
Organization of Signatures 253(1)
A State Model in N-Code 254(1)
Alerts and Forensics 254(3)
Alerts 254(2)
Record Statements (Forensics) 256(1)
Cool Things You Can Do with N-Code 257(1)
Central Management Server 257(4)
Starting Sentivist 258(1)
Sentivist Services 258(3)
Sentivist Deployment Strategy 261(10)
NFR Reporting 271(1)
Extending NFR 271(1)
Summary 271(4)
Part IV Security and IDS Management
12 Data Correlation 275(18)
The Basics of Data Correlation 276(5)
Data Correlation Definitions 277(2)
The Value of Data Correlation 279(2)
Advanced Approaches to Data Correlation and Fusion 281(2)
Data Fusion 281(1)
Alert Fusion 282(1)
Understanding and Using Statistical Correlation 283(4)
The Basics of Statistical Correlation 283(1)
Correlation Coefficient 284(2)
Statistical Inference 286(1)
Pearson Product-Moment Correlation 286(1)
Bayesian Inference 287(2)
Real-Time Versus After-the-Fact Correlation 289(3)
Summary 292(1)
13 Incident Response 293(18)
Response Types 295(1)
Automated Responses 295(1)
Manual Responses 296(1)
Hybrid Responses 296(1)
The Incident-Response Process 296(6)
Performing a Risk Analysis 296(1)
Designing an Incident-Response Methodology 297(2)
Creating an Incident-Response Team 299(2)
Responding to an IDS or IPS Incident 301(1)
IDS and IPS Incident-Response Phases 302(4)
Confirmation Phase 303(1)
Applicability Phase 303(1)
Source Phase 304(1)
Scope Phase 304(1)
Response Phase 304(2)
Forensics 306(1)
Forensic Analysis on IDS Logs 306(1)
Corporate Issues 307(3)
Standard of Due Care 307(1)
Accountability 308(1)
Public Relations 308(1)
Rules of Evidence 309(1)
Summary 310(1)
14 Policy and Procedures 311(8)
Policies, Standards, Guidelines, Procedures, and Baselines 312(5)
IDS/IPS Policy 312(1)
Creating an IDS/IPS Policy 313(3)
Legal Review 316(1)
Procedure for Implementation of Your Policy 317(1)
Keeping Your Policy Current 317(1)
Summary 317(2)
15 Laws, Standards, and Organizations 319(14)
Understanding Legal Systems 320(1)
Common Law 320(1)
Civil Law 320(1)
Islamic Law 321(1)
U.S. Computer-Related Laws 321(2)
Computer Fraud and Abuse Act, 18 U.S.C. § 1030 321(1)
Electronic Communications Protection Act, 18 U.S.C. § 2510-22 and 2701 321(1)
Health Insurance Portability and Accountability Act (HIPAA) 322(1)
Gramm-Leach-Bliley Act 323(1)
State Laws 323(3)
California Statute SB1386 325(1)
International Cyber Security-Related Laws 326(1)
The § 28 EC European Union Privacy Directive 326(1)
United Kingdom Computer Misuse Act, 1990 326(1)
Germany's Datenschutz Law 327(1)
Republic of China Laws 327(1)
The Problems with International Law 327(1)
Standards 327(3)
The Common Intrusion Detection Framework (CIDF) 328(1)
Intrusion Detection Working Group (IDWG) 328(1)
Common Vulnerabilities and Exposures (CVE) 328(1)
ARACHNIDS 329(1)
International Symposium on Recent Advances in Intrusion Detection (RAID) 329(1)
Organizations 330(1)
National White Collar Crime Center (NW3C) 330(1)
National Cybercrime Training Partnership (NCTP) 331(1)
High Technology Crime Investigation Association (HTCIA) 331(1)
Legal Resources on the Web 331(1)
Summary 331(2)
16 Security Business Issues 333(12)
The Business Case for Intrusion Detection and Prevention 334(2)
Overall Security Strategy 334(1)
Attack Metrics 335(1)
Proactive vs. Reactive Technology 336(1)
IDS Deployment Costs 336(2)
Justifying the Cost 336(2)
Acquisition 338(4)
Requirements 338(1)
Research 339(1)
Vendor Selection 340(1)
Testing 341(1)
Selection 342(1)
Managing Intrusion Detection 342(1)
Deployment 342(1)
Managing in a Distributed Environment 343(1)
Summary 343(2)
17 The Future of Intrusion Detection and Prevention 345(16)
Lower Reliance on Signature-Based Intrusion Detection 346(6)
Protocol Analysis 348(1)
Target Detection 349(1)
Rule-Based Intrusion Detection 350(1)
Neural Networks 351(1)
Intrusion Prevention 352(3)
Data and Alert Correlation 355(1)
Source Determination 356(1)
Integrated Forensics Capabilities 357(1)
Use of Honeypots in Intrusion Detection and Prevention 357(1)
Final Caveat 358(1)
Summary 359(2)
A Intrusion Detection and Prevention Systems 361(4)
Index 365
