Intrusion Detection: Network Security beyond the Firewall
(Publisher: John Wiley & Sons, Inc.)
Author(s): Terry Escamilla
ISBN: 0471290009
Publication Date: 11/01/98

Introduction
Preface
Acknowledgments

PART 1—Before Intrusion Detection: Traditional Computer Security
Chapter 1—Intrusion Detection and the Classic Security Model
Back to Basics: The Classic Security Model
Goals of Computer Security
Learn to Ask Tough Questions
A Basic Computer Security Model
The Reference Monitor
What Makes a Good Reference Monitor
Enhancing the Security Model Further
Identification and Authentication (I&A)
Access Control
Auditing
Classifying Security Products with a Nod to Intrusion Detection
Identification and Authentication
Access Control
Scanners
Intrusion Detection and Monitoring
Additional Product Differences
Prevention, Detection, and Response with Intrusion Detection
Where to Go from Here
Chapter 2—The Role of Identification and Authentication in Your Environment
Identification and Authentication in UNIX
Users and Groups
Superuser
What Are the Subjects in UNIX?
UNIX Login
UNIX Password Mechanism
Storing Passwords in a Central Server
Identification and Authentication in NT
Users and Groups in NT
Subjects in NT
NT Login Security
NT Authentication Using a Domain Controller
How Hackers Exploit Weaknesses in Password Security
Easily Guessed Passwords
Brute Force Attacks
Social Engineering
Trojan Horses
Network Sniffing
Electromagnetic Emissions Monitoring
Software Bugs
Improving upon I&A with Authentication Servers
Third-Party Authentication
A Cryptography Primer
Ideas for Improving I&A Security
One-Time Passwords
Strong Authentication
One-Time Passwords and One-Time Pads
Two-Factor Authentication
Challenge-Response Authentication
The Need for Intrusion Detection
Biometrics
Chapter 3—The Role of Access Control in Your Environment
Configuration Problems
Program Bugs
What Is Access Control?
How Are Access Control Decisions Made?
Access Control Lists
Who Are You?
Access Control in UNIX
Who Are You in the UNIX Environment?
UNIX File and Directory Permissions
Are You Remembering to Ask Tough Questions?
Link Counts, Hard Links, and Symbolic Links
Increasing Your Privileges or Capabilities
Background Processes and Credentials
Access Control in NT
NT Rights and Privileges
Who Are You in NT?
Permissions for NT Files and Directories
How Hackers Get around Access Control
How to Improve upon Access Control
Memco SeOS
APIs
Impact of SeOS on Base Operating System Security
SeOS Auditing
Other SeOS Features
Going beyond SeOS
Why You Still Need Intrusion Detection
Chapter 4—Traditional Network Security Approaches
Layers of Network Security
Security between Layers on a System
Security between Peer Layers across Systems
I&A for Network Security Entities
How Hackers Exploit Protocols
How Many Network Entities Are There?
I&A for Users and Groups in a Network
Security Models within Models
Network Node I&A
Software Can Be a Network Entity
Network Access Control
Network Application Access Controls
The Importance of Naming
The Internet Protocol (IP)
Probing Network Paths
Problems at the IP Layer
Are Your Mission-Critical Applications Safe from Attacks?
IPsec
Supporting Protocols for IP
Address Resolution Protocol (ARP)
Domain Name System (DNS)
Routing Interchange Protocol (RIP)
User Datagram Protocol (UDP)
Port Security
UDP Security Concerns
Transmission Control Protocol (TCP)
TCP/IP Security Concerns
TCP/IP Application Security
Trusted Hosts
The Role of the Firewall in Traditional Security
What Is a Firewall?
Packet Filters Provide Access Control Services
Application Proxies Provide Access Control
Firewalls Provide IP Security
IP Sec or Application Security
How Complex Is Your Network Security?
Why Intrusion Detection Is Needed after Network Security

PART 2—Intrusion Detection: Beyond Traditional Security
Chapter 5—Intrusion Detection and Why You Need It
Do You Have Protection?
The Role of Intrusion Detection
Beyond I&A
Beyond Access Control
Beyond Network Security
Intrusion Detection: Concepts and Definitions
IDS Engine Categories
Real Time or Interval Based
Data Source
A Generic IDS Model
Getting Ready to Look for Hacker Trade
Chapter 6—Detecting Intruders on Your System Is Fun and Easy
Classes of Attacks
Internal Attacks
External Threats
Layers of Information Sources
Warning: Opportunities for Hackers!
Commercial IDS Layering
How Does One Get the Data?
Intrusion Detection Inside a Firewall
Relying on Others for Data
System Data Sources
syslog
Audit Trails
Tracing the Path of Activity Can Be Difficult
Monitoring Policies
Simple or Complex Attacks
Prepare to Scan for Weaknesses
Chapter 7—Vulnerability Scanners
What Is a Scanner?
Characteristics of Scanners
Local Scanners
Remote Scanning
How a Scanner Works
Improving Your Security with Scanners
ISS SAFESuite
Other Scanners
Ballista
IBM Network Security Auditor
Keeping the Scanners Current
Are You Done Yet?
Chapter 8—UNIX System-Level IDSs
Detecting Hacks with Stalker
Audit Management
Tracer/Browser
Misuse Detector
Attacks Detected by Stalker
Is Stalker Right for You?
Some Alternative Stalker Configurations
Detecting Hacks with the Computer Misuse Detection System
How CMDS Works
Other IDS Features to Consider
Ease of Set Up
Distributed Intrusion Detection
Monitoring and Privacy
Finding New Attacks
General Event Monitoring or Intrusion Detection
Using Audit Logs to Find Attacks
Two Main Reasons for Vulnerabilities
Notation
A Word about Sequences
Focusing on Local Attacks
An IDS Limitation
The Scope Problem and Memory Requirements
Why You’re Not Finished Yet
Chapter 9—Sniffing for Intruders
How Network IDSs Work
Networks and Subnets
Network IDSs Sniff Network Traffic
Other Network IDS Features
Network IDS Attack Recognition
Fragmented IP Packets
Advantages of Network IDSs
Limitations of Network Packet Sniffing
Network Sniffers Do Not See All Packets
Network Sniffers Are Blinded by Encryption
Missed System-Level Attacks
The Network IDS Is Not the Destination Node
Getting around the Encryption Problem
Which Product Has the Best Nose?
IBM and NetRanger
RealSecure
Network Flight Recorder
Will Intrusion Detection Be Enough?
Chapter 10—Intrusion Detection for NT
NT Security Review
Sources of Data for NT IDSs
NT Event Log
Event Records
What to Monitor on NT
Increased Privileges
Impersonation
Remote Attacks
Local Vulnerabilities
Intrusion Detection Products for NT
Look for These Features
Centrax
For Further Thought

PART 3—Rounding Out Your Environment
Chapter 11—You’ve Been Hit!
Be Prepared
Discovery and Detection
Responding to Intrusions
Should You Pursue Your Attacker?
Chapter 12—Intrusion Detection: Not the Last Chapter When It Comes to Security
Traditional Computer Security
The Basic Security Model
I&A
Access Control
Network Security
The Rationale for IDSs
Types of IDSs
Scanners
System-Level IDSs
Network Sniffers
Improving upon IDSs
Increase Application-Level Detection
Adapt to Changing I&A
Support Common Systems Management
Simplify Development of Attack Signatures
Combine Products
Support Integration into Other Products
Support Research
Self Reference and IDSs
Take It Away
Bibliography
Appendix A
Index