The book is made up of 14 chapters, each of which considers a specific aspect of intrusion detection. The first chapter is an introductory one. It describes the common drawbacks of traditional information security tools, such as firewalls. It also gives examples of real cases of compromised information systems of various companies and organizations, and describes various methods of bypassing firewalls that can be used by intruders to penetrate corporate networks.
Chapter 2 explains such concepts as "vulnerability", "attack", and "security incident". The classification provided in this chapter will help you understand why contemporary intrusion detection systems (to say nothing about traditional security tools) are not always capable of identifying the actual intruder. In addition, the material in this chapter describes the main steps in the implementation of an attack and the methods used by intruders to conceal traces of unauthorized activities.
Chapter 3 explains why it is necessary to use intrusion detection technologies, all of which are based on the following three principles:
Signs of security policy violations
Information sources in which it is necessary to search for traces of security policy violations
Methods of analyzing the information gathered from the appropriate sources.
Chapter 4 is dedicated to detailed coverage of the three above-mentioned foundations of intrusion detection technology. It contains many examples of criteria that allow you to conclude that an attack is taking place within the controlled space. After studying this chapter, the reader will be able to answer the three major questions: "WHAT", "WHERE", and "HOW" to detect. There are two ways of using this knowledge. The first is to apply the simplest methods of analyzing the information sources manually when searching for signs of an attack. This approach is covered in Chapter 5. The second is to perform the same tasks in automated mode using specialized intrusion detection tools. These tools are considered in Chapter 6, which provides a classification for them and presents the most typical examples.
Chapter 7 discusses some steps that are absolutely necessary, even if you have deployed the most advanced and efficient intrusion detection system. The list of such actions includes:
Educating the staff
Developing the security policy
Selecting and using the mechanisms of system and network logging
Creating the network map
Chapter 8 discusses such important aspects as justifying the choice of the intrusion detection system to upper management using a language easily understandable to financial specialists. It covers how to calculate the Total Cost of Ownership (TCO) and Return on Investment (ROI), and also deals with several specific aspects of bringing intrusion detection systems into operation in a large network.
Chapter 9 is particularly important, since it provides a wide range of IDS evaluation criteria. Evaluating and assessing candidate systems according to these criteria will allow specialists to make the correct choice among the specific intrusion detection systems available on the market.
Chapter 10 is dedicated to one of the most important aspects of IDS deployment, namely, choosing the right place to install IDS components, especially in contemporary switched networks. This chapter, along with Chapters 7, 8, 9, 11, and 12, is one of the key chapters of this book.
Chapter 11 considers various aspects of practical use of intrusion detection systems, such as:
Selection of software and hardware for the intrusion detection system
Installation and deployment of intrusion detection systems
Specifying the rules for intrusion detection
Configuring responses
Improving the security level of the intrusion detection system
Chapter 12 investigates the most common problems related to intrusion detection technology, gives examples of factors that complicate intrusion detection, and describes methods of eliminating them.
Chapter 13 is dedicated to standardization in the field of intrusion detection. It provides a list of organizations and standards in the field of intrusion detection technology. Chapter 14 covers incident response, and attempts to answer the question: "What should you do when you detect an attack?".
The appendixes contain useful materials that might be necessary during the actual operation of the intrusion detection system. They include the following:
A list of ports frequently used by Trojan horses
A list of the ports that are most frequently scanned
A list of address ranges that may appear as the source of packets arriving at the external interface of the perimeter router or firewall
A list of top-level domains
A list of IPv4 protocol numbers (values of the Protocol field in the IP header)
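The appendix lists above are reference data; the point of having them is to check what the perimeter actually sees against them. The following is an added example, not code from the book, showing that check as "what, where, how" in the sense of Chapter 4: the signs are a non-routable source address on the external interface and many distinct destination ports from one source; the source is a firewall log; the method is a simple table lookup and a threshold. The log format, the interface names `ext`/`int`, the sample lines and the threshold value are all assumptions constructed for the example; the address ranges are the well-known private, loopback, link-local, multicast and reserved blocks, not the book's full appendix.

```python
import ipaddress
from collections import defaultdict

# Ranges that should never be the SOURCE of a packet arriving on the external
# interface of a perimeter router or firewall. This is a short, well-known
# subset (private, loopback, link-local, multicast, reserved); a deployment
# would load the complete list from the appendix or a maintained bogon feed.
NON_ROUTABLE_SOURCES = [
    ipaddress.ip_network(n) for n in (
        "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
        "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    )
]

# Assumed threshold: this many distinct destination ports from one external
# source within the analyzed window is reported as a port scan.
SCAN_PORT_THRESHOLD = 10


def parse_log_line(line):
    """Parse one line of the hypothetical, space-separated firewall log:
    <timestamp> <iface> <src_ip> <dst_ip> <proto> <dst_port>
    """
    ts, iface, src, dst, proto, dport = line.split()
    return {
        "ts": ts,
        "iface": iface,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "proto": proto,
        "dport": int(dport),
    }


def is_spoofed_source(rec):
    """A non-routable source is only suspicious on the external interface;
    the same address on the internal interface is ordinary LAN traffic."""
    return rec["iface"] == "ext" and any(rec["src"] in n for n in NON_ROUTABLE_SOURCES)


def analyze(lines):
    """Return a list of (sign, source, detail) alerts found in the log lines."""
    alerts = []
    ports_by_src = defaultdict(set)
    for line in lines:
        rec = parse_log_line(line)
        if is_spoofed_source(rec):
            alerts.append(("spoofed-source", str(rec["src"]), rec["ts"]))
        if rec["iface"] == "ext":
            ports_by_src[rec["src"]].add(rec["dport"])
    for src, ports in ports_by_src.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            alerts.append(("port-scan", str(src), f"{len(ports)} ports"))
    return alerts


# Constructed sample log (documentation addresses 203.0.113.x / 198.51.100.x):
# one normal connection, one private source address on the external interface,
# ten probes to consecutive ports from one host, and the same private address
# seen on the internal interface, which is normal and must not alert.
SAMPLE_LOG = (
    ["10:00:01 ext 203.0.113.7 198.51.100.10 tcp 80",
     "10:00:02 ext 192.168.1.5 198.51.100.10 tcp 22"]
    + [f"10:00:{3 + i:02d} ext 203.0.113.9 198.51.100.10 tcp {21 + i}" for i in range(10)]
    + ["10:00:20 int 192.168.1.5 198.51.100.10 tcp 22"]
)

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Run as a script, the example reports the private address seen on the external interface and the ten-port probe, and stays silent for the same private address on the internal interface. The interface check is the part worth keeping in mind when writing rules in Chapter 11: the address list alone says nothing until it is tied to where the packet was observed.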
The text contains a large number of Internet links where you can find information on intrusion detection; some of this information is available only there. Because this field changes rapidly, some facts might have lost their relevance by the time this book appears. If so, I recommend that you follow these links to find newer or more detailed information.