http://www.spinellis.gr/pubs/Breview/1999-CR-IntrDet/html/review.html
This is an HTML rendering of a working paper draft that led to a publication. The publication should always be cited in preference to this draft using the following reference:

This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted without the explicit permission of the copyright holder.

Copyright © 1999 by the Association for Computing Machinery, Inc. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from Publications Dept, ACM Inc., fax +1 (212) 869-0481, or permissions@acm.org.

Intrusion detection: network security beyond the firewall

Diomidis Spinellis
University of the Aegean

Intrusion detection: network security beyond the firewall
Escamilla, Terry
John Wiley & Sons, Inc. New York, NY 1998, 348 pp. $39.99, ISBN 0-471-29000-9

Intrusion detection systems complement other approaches to information systems security by providing a mechanism to detect attacks that were not foreseen or covered by other security mechanisms. About half of the book's material provides a general overview of system security mechanisms, with particular emphasis on their implementation under the Unix and Windows NT operating systems. Thus, following the introductory chapter, Chapter 2 presents a number of identification and authentication mechanisms, including those provided by the above-mentioned operating systems and, in addition, Kerberos, X.509, and the ACE Server by Security Dynamics. Similarly, Chapter 3 presents the native access control mechanisms of the two operating systems as well as Memco SeOS and the Tivoli Management Environment. Chapter 4, rounding off the introductory material, introduces network-based exploits and security approaches across all levels of the Internet protocol stack and presents the firewall technologies and configurations that are routinely used to counter those attacks. The common theme across the first part of the book is that traditional approaches are not enough and need to be complemented by intrusion detection systems. A taxonomy of those systems is presented in Chapter 5, followed by a number of detailed examples in Chapter 6. Chapter 7 presents products that scan a system for vulnerabilities, while the following three chapters deal with intrusion detection systems targeting Unix, networks, and Windows NT. The book concludes with one chapter dealing with attack response procedures and one summarising the presented information and outlining future directions for intrusion detection research. A limited number of - the nowadays obligatory - Web links are provided in an appendix. A complete list of references and a detailed index complete the book's offerings.

According to the author, the book should be read by site security officers, chief information officers, intrusion detection system implementors, and generally anyone interested in computer security. Most of the material is presented in an accessible format and can thus be understood and used by its intended audience. Interesting complementary information is conveniently presented in sideboxes. Unfortunately, the use of figures as a presentation aid is lacking: in a number of places an additional diagram would make the material more accessible; furthermore, I found many of the existing diagrams - especially those presenting network topologies - difficult to comprehend. A small number of inaccuracies, such as the description of the top three bits of the Unix file permission value (the set-user-ID, set-group-ID, and sticky bits) collectively as the "sticky bit", or oversights, such as the suggestion that a system administrator should type "su - root" at a user console to securely obtain superuser rights (a Trojan "su" planted in a directory earlier in the user's PATH would be run instead and could capture the password), are minor and infrequent. By far the greatest shortcoming of this book is its exclusive focus on commercial products aimed at the Unix and Windows NT market. The rapidly advancing and changing technologies of our network infrastructure, attack methods, and intrusion detection tools give research-derived, open-source products and home-grown approaches an edge that commercial products cannot easily match. Prospective readers who are constrained by organisational policy or other factors to use a vendor-supported product might find the tool descriptions provided by Escamilla a useful procurement guide. Those whose system platforms or needs are not covered by the available commercial tools will be better served by the intrusion detection pages maintained by COAST [1]; researchers should also take into account the ongoing effort towards a Common Intrusion Detection Framework [2].
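The "su - root" point above deserves a concrete illustration. The following shell script is an added example, not part of the review or of Escamilla's book: it reproduces the PATH lookup a shell performs, plants a stand-in Trojan "su" in a user-writable directory created for the demonstration (the directory names, the stand-in scripts and the check function are all assumptions made here; the real su is never run), and contrasts the naive invocation with one that names the binary by absolute path.

```shell
#!/bin/sh
# Added example, not from the review or from Escamilla's book. It shows why
# typing "su - root" at a user console is unsafe when the user's PATH is under
# the user's control, and gives the check an administrator can run first.
# Everything lives in a temporary directory created for the demonstration;
# the real su is never invoked.

# Print the pathname the shell would execute for command $1 given PATH value $2.
# This mirrors the lookup every POSIX shell performs: the first executable
# regular file found while scanning PATH left to right wins.
resolve_in_path() {
    name=$1
    ( IFS=:
      for dir in $2; do
          [ -z "$dir" ] && dir=.      # an empty PATH entry means "current directory"
          if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
              printf '%s\n' "$dir/$name"
              exit 0
          fi
      done
      exit 1 )
}

# Print every PATH entry, up to and including the one that supplies $1, that the
# calling user can write to. One writable entry ahead of (or holding) the real
# binary is all it takes to plant a Trojan that wins the lookup.
writable_dirs_before() {
    name=$1
    ( IFS=:
      for dir in $2; do
          [ -z "$dir" ] && dir=.
          [ -w "$dir" ] && printf '%s\n' "$dir"
          [ -f "$dir/$name" ] && [ -x "$dir/$name" ] && exit 0
      done
      exit 0 )
}

# Build a user-writable directory carrying a Trojan "su" and a separate "system"
# directory carrying a stand-in for the real su, then contrast the naive and the
# hardened invocation. Both scripts only announce themselves (assumption: nothing
# here escalates privilege).
demo() {
    top=$(mktemp -d) || return 1
    mkdir "$top/attacker" "$top/system"
    printf '#!/bin/sh\necho "real su: $0"\n' > "$top/system/su"
    # A real Trojan would prompt for the password, log it, then exec the genuine
    # su so the victim sees a normal root shell and suspects nothing.
    printf '#!/bin/sh\necho "TROJAN su ran as: $0"\n' > "$top/attacker/su"
    chmod 755 "$top/system/su" "$top/attacker/su"

    victim_path="$top/attacker:$top/system"
    echo "PATH=$victim_path"
    echo "'su' resolves to: $(resolve_in_path su "$victim_path")"
    echo "writable PATH entries consulted before the real su:"
    writable_dirs_before su "$victim_path" | sed 's/^/  /'
    echo "naive 'su -' (PATH lookup):"
    ( PATH=$victim_path; su - )
    echo "hardened invocation (absolute path, PATH not consulted):"
    "$top/system/su" -
    rm -rf "$top"
}

demo
```

Naming the binary by absolute path also sidesteps shell aliases and functions called "su", since both are matched against the literal command word. It does not help if the shell, terminal or login program the user is typing into has itself been replaced, which is why the safer habit is a fresh login at a trusted console rather than escalating from inside a session that may already be hostile.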

References

  1. Price, K. Intrusion Detection Pages. COAST Laboratory, Purdue University, 1998. Available online at http://www.cs.purdue.edu/coast/intrusion-detection (accessed December 1998).
  2. Staniford-Chen, S., Tung, B., and Schnackenberg, D. The Common Intrusion Detection Framework (CIDF). In Proceedings of the Information Survivability Workshop (ISW '98), Orlando, FL, October 1998. CERT Coordination Center, Software Engineering Institute.