Sunday, December 21, 2014

Book Review: Practical Intrusion Analysis

With a core emphasis on network intrusion detection systems (IDS), the book also covers related topics such as wireless IDS and intrusion prevention systems (IPS).
Snort and Bro are the two main IDS tools discussed; both are open source. Snort is presented as the representative signature-based IDS and Bro, which is driven by policy scripts rather than static signatures, as the anomaly-based one. A signature-based IDS looks for known patterns in network traffic that indicate an attack in progress, whereas an anomaly-based IDS builds a model of normal traffic and raises an alert when the observed traffic deviates from it.
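To make the anomaly-based side of that contrast concrete, here is a small detector of my own (added for this review, not code from the book, from Snort or from Bro). It learns, per source host, how many distinct destination ports that host normally touches in a minute, then scores a later window against that baseline with a modified z-score (median and median absolute deviation rather than mean and standard deviation, so a few odd minutes in the training data do not wreck the baseline). It knows nothing about any particular attack; a port sweep stands out purely because it is not what that host normally does. All hosts, ports and records are constructed for the example.

```python
"""
Added example: a minimal anomaly-based detector working on per-host fan-out
(distinct destination ports per minute). Hosts, ports and traffic records are
constructed; nothing here is taken from the book or from a real capture.
Records are (minute, source_host, destination_port) tuples.
"""
from collections import defaultdict
from statistics import median

# Usual cut-off for modified z-scores (Iglewicz and Hoaglin); tune per site.
MODIFIED_Z_THRESHOLD = 3.5


def fanout_per_minute(records):
    """{(minute, host): number of distinct destination ports} from the records."""
    ports = defaultdict(set)
    for minute, host, port in records:
        ports[(minute, host)].add(port)
    return {key: len(p) for key, p in ports.items()}


def build_baseline(training):
    """Per host: (median, MAD) of distinct-ports-per-minute over the training window."""
    per_host = defaultdict(list)
    for (_minute, host), n in fanout_per_minute(training).items():
        per_host[host].append(n)
    baseline = {}
    for host, counts in per_host.items():
        med = median(counts)
        mad = median([abs(c - med) for c in counts])
        baseline[host] = (med, mad)
    return baseline


def modified_z(x, med, mad):
    # A perfectly regular baseline has MAD 0 and would make every deviation
    # infinite, so floor the scale at 1 port; this is a pragmatic choice.
    scale = mad if mad > 0 else 1.0
    return 0.6745 * (x - med) / scale


def detect(baseline, window):
    """Alerts (minute, host, reason, value) for anomalous fan-out or unknown hosts."""
    alerts = []
    for (minute, host), n in sorted(fanout_per_minute(window).items()):
        if host not in baseline:
            alerts.append((minute, host, "no baseline for host", n))
            continue
        med, mad = baseline[host]
        z = modified_z(n, med, mad)
        if z > MODIFIED_Z_THRESHOLD:
            alerts.append((minute, host, f"fan-out {n} vs median {med}", round(z, 1)))
    return alerts


def constructed_training():
    """30 minutes of 'normal' traffic for two hosts, with deterministic jitter."""
    recs = []
    for m in range(30):
        for port in (443, 80, 53) + ((8080,) if m % 2 == 0 else ()):
            recs.append((m, "10.0.0.5", port))
        for port in (443, 25) + ((993,) if m % 2 == 1 else ()):
            recs.append((m, "10.0.0.7", port))
    return recs


# Constructed test window: minute 60 is quiet for the known hosts while a new
# host sweeps 40 ports; in minute 61 a known host starts sweeping itself.
CONSTRUCTED_WINDOW = (
    [(60, "10.0.0.5", p) for p in (443, 80, 53)]
    + [(60, "10.0.0.7", p) for p in (443, 25)]
    + [(60, "10.0.0.9", p) for p in range(1, 41)]
    + [(61, "10.0.0.5", p) for p in range(1, 41)]
    + [(61, "10.0.0.7", p) for p in (443, 25, 993)]
)


if __name__ == "__main__":
    baseline = build_baseline(constructed_training())
    for host, (med, mad) in sorted(baseline.items()):
        print(f"baseline {host}: median {med} distinct ports/min, MAD {mad}")
    for alert in detect(baseline, CONSTRUCTED_WINDOW):
        print("ALERT", alert)
```

Two caveats a practitioner would want stated: the baseline is only as clean as the training window (an attacker already present during training becomes "normal"), and a host that goes silent never produces a record, so absence is not detected by this kind of score. Both are reasons anomaly-based detection is usually deployed next to, not instead of, signatures.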
There is some discussion of writing signatures for Snort. Rule sets can be downloaded from sites on the internet, but any intrusion analyst using Snort in depth needs to know how to write signatures. The book discusses a strategy for creating good signatures by following a vulnerability through its life cycle.
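The practical point behind writing signatures with the vulnerability's life cycle in mind is that a signature matched to the first exploit you see dies as soon as the exploit changes, while a signature matched to the vulnerability itself survives every variant. The following is my own illustration of that, not code from the book: a hypothetical daemon copies the argument of its USER command into a 64-byte buffer, and the first public exploit for it happens to carry a long NOP sled. Two Snort-style rules are shown as strings for reference (illustrative syntax, placeholder SIDs, not from any published ruleset), and the two Python functions implement the same two checks so they can be run over constructed sample payloads offline.

```python
"""
Added example, not from the book or the review: an exploit-specific signature
beside a vulnerability-specific one for the same (hypothetical) bug.

Scenario (constructed): the USER command argument is copied into a 64-byte
buffer, so any argument longer than 64 bytes reaches the flaw. The first
public exploit used a sled of 0x90 bytes, which is what a hasty rule matches.
"""
import re

BUFFER_SIZE = 64  # hypothetical size of the vulnerable buffer

# Illustrative Snort 2 style rules mirroring the two checks below.
# SIDs 1000001/1000002 are local placeholders, not published identifiers.
EXPLOIT_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ('
    'msg:"USER overflow - public exploit (NOP sled)"; flow:to_server,established; '
    'content:"USER "; nocase; content:"|90 90 90 90 90 90 90 90|"; '
    'classtype:attempted-admin; sid:1000001; rev:1;)'
)
VULNERABILITY_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ('
    'msg:"USER overflow - argument longer than 64 bytes"; flow:to_server,established; '
    'content:"USER "; nocase; pcre:"/^USER\\s[^\\r\\n]{65,}/i"; '
    'classtype:attempted-admin; sid:1000002; rev:1;)'
)

NOP_SLED = b"\x90" * 8


def exploit_signature(payload: bytes) -> bool:
    """Fires on the byte pattern of the one exploit the rule author had in hand."""
    return payload[:5].upper() == b"USER " and NOP_SLED in payload


USER_ARG = re.compile(rb"^USER\s([^\r\n]*)", re.IGNORECASE)


def vulnerability_signature(payload: bytes) -> bool:
    """Fires on the condition that reaches the bug: an argument longer than the buffer."""
    m = USER_ARG.match(payload)
    return m is not None and len(m.group(1)) > BUFFER_SIZE


# Constructed sample payloads: one benign login, the original exploit, two
# variants an attacker might produce, and a legitimate argument at the limit.
SAMPLES = {
    "benign login": b"USER alice\r\n",
    "public exploit": b"USER " + b"\x90" * 40 + b"\xcc" * 60 + b"\r\n",
    "variant, sled removed": b"USER " + b"A" * 100 + b"\r\n",
    "variant, polymorphic sled": b"USER " + bytes(range(0x41, 0x41 + 26)) * 4 + b"\r\n",
    "long but within buffer": b"USER " + b"a" * 64 + b"\r\n",
}


def evaluate(samples=SAMPLES):
    """{name: (exploit_rule_fired, vulnerability_rule_fired)} for each sample."""
    return {
        name: (exploit_signature(p), vulnerability_signature(p))
        for name, p in samples.items()
    }


if __name__ == "__main__":
    print(f"{'sample':28} exploit-rule  vulnerability-rule")
    for name, (e, v) in evaluate().items():
        print(f"{name:28} {str(e):13} {v}")
```

Run it and the exploit-specific rule fires on exactly one of the three attacks, while the vulnerability-specific rule fires on all three and stays quiet on the 64-byte argument that the service can still handle. The price is that the second rule needs real analysis of the flaw to know where the boundary is, and in a live deployment it also needs the flow direction and protocol normalisation that the rule strings hint at; that is the work the book's life-cycle approach is asking the analyst to do.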
Some of the other network analysis tools described in this book include vulnerability assessment scanners (e.g. Nessus, Nikto, the Router Audit Tool, RAT), packet sniffers (e.g. Wireshark, tcpdump), file integrity checkers (e.g. Tripwire, RANCID, AIDE), password auditing tools (e.g. Cain & Abel, Brutus, RainbowCrack), wireless security toolkits (e.g. Aircrack, AirSnort, Kismet), vulnerability exploitation tools (e.g. Metasploit) and network reconnaissance toolkits (e.g. hping2, nmap, ngrep, ntop). The distinctions between these categories can be small and sometimes overlap; a packet sniffer, for instance, is an essential component of any intrusion detection system.
There is some discussion of web application firewalls and wireless IDS/IPS, and of less common topics such as physical intrusion detection and geospatial intrusion detection. Web application firewalls are specialized IDS that cater to two practical realities: a growing share of traffic is carried over encrypted (secure) network protocols, and web applications vary widely from one organization to the next. This makes general-purpose IDS tools largely ineffective, since an intruder can operate inside tunneled traffic that the IDS is not configured to inspect out of the box.
To summarize, the book covers a lot of topics within its scope. It is a good introduction to current intrusion analysis, detection and prevention techniques. A more continuous discussion, with more real-world examples and their solutions within each topic, would have made this a delightful read.
