Product: Intrusion Prevention and Active Response

‘Intrusion Prevention and Active Response’ (IPAAR) is a good book, as long as you confine your expectations to open source solutions. The foreword says ‘Security professionals are going to be approaching management for funding in the next year or two to procure intrusion prevention devices, especially intelligent switches from 3Com (TippingPoint), as well as host-based intrusion prevention solutions like Cisco Security Agent, Platform Logic, Ozone, or CrossTec.’ This foreword was the first time I had heard of several of these products, but unfortunately none of them receive any coverage at all in IPAAR. Aside from a short discussion of the Enterasys Web IPS, eEye’s SecureIIS, and improvements in Microsoft IIS 6.0, IPAAR squarely concentrates on open source products. Nevertheless, the book does a better job covering so-called prevention solutions than the previous book with ‘prevention’ in the title, namely Osborne’s ‘Intrusion Detection and Prevention.’

Without doubt the best part of IPAAR is chapter 6, ‘Protecting Your Host Through the Operating System.’ This chapter explains memory operations and ways to protect memory contents. The author, probably Graham Clark of Enterasys, mentions both Windows and Linux memory management. He uses a sample C program and a custom Metasploit exploit to demonstrate buffer overflows. Using GDB he shows how the exploit affects a target and then describes multiple ways to mitigate these attacks.

I also enjoyed chapter 5, ‘Network Inline Data Modification.’ The author makes creative use of Tcpdump traces to explain how Netfilter string replacement and Snort_inline protect vulnerable services. His justification of this defensive strategy is tempered by a good discussion of the pros and cons of inline data modification. Chapter 8 also skillfully leverages Tcpdump traces to show network IPS in action.

I did not have major problems with IPAAR, aside from the lack of even a mention of almost all commercial intrusion prevention products. This is a deficiency because it is tough to find unbiased discussions of the capabilities of network- and host-based IPSs. On the technical front, chapter 8 presented several slight TCP sequence number problems. On p. 317 we see packets with ‘ack 358’; this means the bytes with relative sequence numbers 1 to 357 have been received, and the next expected byte has relative number 358. The client did not receive ‘all data ending at server sequence number 358,’ as stated on p. 319 and elsewhere; ‘ack 358’ means it received bytes 1 through 357 and is awaiting byte 358.
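The following Python example is added here and is not from IPAAR or its authors. It parses constructed tcpdump-style TCP lines (both the classic ‘P 1:358(357) ack 1’ form and the newer ‘seq 1:358, ack 1’ form) and computes the cumulative acknowledgement a receiver would send, which shows why ‘ack 358’ confirms relative bytes 1 through 357 and names 358 as the next expected byte. The trace lines, host names and segment values are constructed for illustration, not copied from the book’s p. 317 trace.

```python
import re
from dataclasses import dataclass

# Constructed tcpdump-style lines (not the book's trace). tcpdump's relative
# numbering starts the first data byte after the SYN at 1, and prints a data
# range as first:end where end is exclusive, so 1:358(357) carries bytes 1..357.
TRACE = [
    "12:00:00.000001 IP client.1234 > server.80: P 1:358(357) ack 1 win 5840",
    "12:00:00.000002 IP server.80 > client.1234: . ack 358 win 5792",
]

# Newer tcpdump prints "seq 1:358"; older prints "1:358(357)". The (len) suffix
# keeps the old-style pattern from matching the hh:mm:ss timestamp.
NEW_STYLE = re.compile(r"seq (\d+):(\d+)")
OLD_STYLE = re.compile(r"(\d+):(\d+)\(\d+\)")
ACK_FIELD = re.compile(r"ack (\d+)")


@dataclass
class Segment:
    seq: int      # relative sequence number of the first payload byte
    length: int   # number of payload bytes carried


def parse_tcpdump_line(line):
    """Return (Segment or None, ack or None) from one tcpdump TCP line."""
    m = NEW_STYLE.search(line) or OLD_STYLE.search(line)
    seg = None
    if m:
        first, end_exclusive = int(m.group(1)), int(m.group(2))
        seg = Segment(first, end_exclusive - first)
    a = ACK_FIELD.search(line)
    return seg, (int(a.group(1)) if a else None)


def cumulative_ack(segments, first_data_byte=1):
    """Relative ACK number a receiver sends after receiving these segments.

    TCP ACKs are cumulative: the value is the lowest byte not yet received in
    order, so a segment beyond a gap (out of order) does not advance it until
    the gap is filled. Overlapping retransmissions are handled naturally.
    """
    next_expected = first_data_byte
    pending = sorted(segments, key=lambda s: s.seq)
    progressed = True
    while progressed:
        progressed = False
        for s in pending:
            if s.seq <= next_expected < s.seq + s.length:
                next_expected = s.seq + s.length
                progressed = True
    return next_expected


def bytes_acknowledged(ack):
    """Translate 'ack N' into the inclusive relative byte range it confirms."""
    if ack <= 1:
        return None          # only the SYN has been acknowledged, no data yet
    return (1, ack - 1)


if __name__ == "__main__":
    for line in TRACE:
        seg, ack = parse_tcpdump_line(line)
        print(seg, "ack", ack, "->", bytes_acknowledged(ack) if ack else None)
    # The client's 357-byte push yields an ack of 358 from the server side.
    print("server should ack", cumulative_ack([Segment(1, 357)]))
```

Running it prints that the server’s ‘ack 358’ covers bytes (1, 357) and that a single 357-byte segment starting at relative byte 1 produces exactly that acknowledgement; feeding the function an out-of-order segment beyond a gap shows the ACK staying put until the gap is filled, which is the same cumulative rule the review applies to p. 319.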

I found it silly to call the application layer on p. 258 ‘layer 5’ instead of layer 7, the universally recognized way to refer to the services available to applications. I also laughed at this statement on p. 37: ‘Many widely deployed mainstream products deviate from the protocol specifications. Hopefully, new packet inspection devices that check for protocol compliance will force these vendors to update and correct any noncompliance with protocol standards.’ Sorry, any IPS component that complains about business-critical application protocols will end up turned off. Security vendors always lose the battle with application vendors!

In places IPAAR demonstrates a serious understanding of the limitations of so-called ‘intrusion prevention systems,’ which when network-based are really layer 7 firewalls. For example, p. 75 states ‘the fundamental problem with this technology is that in order to prevent an attack, it first has to be detected. Hence, it is no surprise that the detection mechanisms employed by both active response and IPSs are borrowed from IDSs, and therefore subject to the same limitations.’ This is the fact Gartner conveniently overlooked when it pushed ‘firewalls with deep packet inspection’ ahead of IDSs in 2003.

I recommend reading IPAAR if you are considering deploying open source layer 7 firewalls (aka ‘IPSs’) or want to augment host-based defenses. There are few reasons not to try running a product like ModSecurity on an Apache Web server, and it helps to understand new anti-overflow features in the latest Fedora and Red Hat Linux releases. Keep in mind most of the host-based open source solutions in IPAAR are Linux-specific, in a world where Windows is the target of the day. If you need help evaluating IPS for Windows, IPAAR won’t be able to specifically help you.
Rating: 4
ISBN: 193226647X
Count: 5