A**ー
Risk=Threat x Vulnerability x asset value
Risk = Threat x Vulnerability x asset value. A reference book that gives a clear understanding of the essence of risk and the importance of operating with it in mind.
T**Y
An innovative and illuminating perspective on network infrastructure security.
Bejtlich's work falls within the field of network security. Unlike what dozens of texts on the subject do, however, this one does not aim to monitor the network in order to detect and block access attempts from the outside (the internet) toward the inside (server farm, DMZ). Bejtlich starts from the premise that the attack surface is not only the services exposed to the internet but also the client side, that is, the LAN of the network. There are by now several attacks that target the client side (browser exploits, phishing, XSS, etc.), so it is very likely that during normal daily activity a client on the network may become a target. The text proposes several methodologies for monitoring the network's internal traffic in search of devices that try to communicate with the outside in an unauthorized way. By implementing these technologies it becomes possible to take immediate notice of unauthorized traffic, such as a botnet trying to communicate with its C&C over the IRC protocol, and to remedy it. Also excellent is the illustration of a defensible network, seen as a network that is: MONITORABLE at any point of the infrastructure, to verify the type of traffic circulating; CONTROLLABLE, so as to allow the flow of packets to be managed according to precise rules (ACLs); MINIMAL, with the minimum exposure of necessary services on individual devices; and UP TO DATE, with systematic management of updates to systems and applications.
J**"
Another great work!
Let's hear it for another exceptionally well written book on network monitoring. Aside from a very clear and easy to understand writing style, Richard hits home with practicality and rich detail. I've become a big fan of his writings, including those on his informative blog, taosecurity.blogspot.com.

First, the praise. New material, different from that in Tao, his former book, includes a more extensive look at taps, along with defense and mitigation (and lots of it), querying NSM data from databases, Ra tools, handling NSM data properly and with care, and network design and filtering. There's a lot of discussion on implementing defensive measures with Cisco products and proxies. I was glad to see more examples of argus use and the utilization of shell redirection to grab and format what you want. With that said, other things I really appreciate that tend to be innate to Richard's books are his heavy use of footnotes and citations, recommended and further readings, explanations of all command-line options and arguments, methodical case studies, and line-number and font-emphasized addenda to help the reader focus on key elements when looking at large output. Richard also makes an effort to provide new tools and material not covered elsewhere, as stated in his book. I always end up making notes of new tools to check out and play with, e.g. netsed, flowgrep, dhcpdump, ntsyslog. I especially enjoy his use of FreeBSD when choosing a platform, not because I think it's a good operating system (I do), but because tech literature on the BSDs is not as abundant as it is for other operating systems. This will attract the interest of newer and non-users.

Finally, the criticism. This is probably less of the author, but I really didn't like that the page numbers in this book were on the inside corners (next to the binding) rather than the outside. You have to really open the book in rooms that are not well lit to see the page numbers. There is a formatting error on pg 52 where the 22 footnote is: "Start Squid by simply executing squid.2 2". 22 is separated by what looks to be two spaces and the least significant 2 :) runs into the letter "Y" on the word "You" in the next sentence. Again, less the author and more the editor (maybe?), there's a mistake on page 100. In the sentence, "This means we could forge any TCP packet with content uid=0(root0) and...", I believe the sentence means uid=0(root) rather than uid=0(root0). Personal requests: I would have liked to have seen more examples of BRO, rather than snort, a case study of a web app attack, and more use of ARGUS and its Ra tools.

Conclusion: This book was informative and enjoyable to read. I highly recommend it.
T**0
Must have for an IA Reference Library
You don't need to be an Analyst within the government to find value here. The book gets into understanding ports, protocols and how they work to assist in determining odd traffic on the network. Today we have tools like ArcSight which serve up a lot of data to comb through, yet their courses do not teach you how to be an analyst. This book is based on teaching anyone how to become a very good analyst. I started as an Analyst in 2003 and the first real event was one trying to get out of the network. So this book, while dated, has some great tools for IA analysts out there to use every day. It's interesting how network flow is just becoming a tool we use regularly today. Mr. Bejtlich provides a lot of basic tools here for anyone to learn and then use on their network. Can't wait to attend one of his classes.
L**Z
Five Stars
Fantastic book