
Extrusion Detection: Security Monitoring for Internal Intrusions

Last Updated 2/10/2009 2:55:42 PM


By: Tony Stevenson

A large body of IT literature now focuses on the threats that networked systems face from outside forces. One example among many is Richard Bejtlich's "The Tao of Network Security Monitoring."

But another area of major concern for systems administrators, IT managers, network controllers, and analysts is the increasing number of attacks on systems that are surreptitiously initiated from within companies and organizations.

Such attacks typically begin when intruders compromise users' Web browsers, email applications, chat clients, or some other piece of Net-connected client software, so that the first hostile traffic the network sees is leaving it rather than entering it. To address these client-side attacks originating inside the network, Bejtlich has written a follow-up to his previous text, titled "Extrusion Detection: Security Monitoring for Internal Intrusions."

Before examining the contents of that particular book in detail in this review, it is important to first understand the ramifications of the term "extrusion detection" as used in the book's title.

Bejtlich explains that this type of detection is the "process of identifying unauthorized activity by inspecting outbound network traffic." In contrast, he defines traditional intrusion detection systems (IDSs) as systems that "inspect traffic inbound from the Internet for attacks against exposed Internet facing systems."

Bejtlich strongly believes that extrusion detection systems represent an "excellent way for perimeter focused security monitoring operations to detect the compromise of internal systems."

The content of "Extrusion Detection: Security Monitoring for Internal Intrusions" has been divided into three major parts. In the first part, the emphasis is on both the theory and the architectural considerations associated with implementing network security monitoring (NSM). For instance, Bejtlich is quick to point out that "NSM is not the same process as intrusion detection or prevention."

It is in this part of the book too that readers are introduced to the concept of "defensible network architecture," along with the four activities that need to be regularly carried out to maintain that architecture.

Those activities are:

- Monitoring the defensible network.
- Controlling the defensible network. Defensive techniques that can be deployed to contain extrusions include blocking, throttling, proxying and/or modifying outbound traffic.
- Minimizing the defensible network. Removing unnecessary services and applications from a system makes that system much easier to protect. Bejtlich makes the point that it is "much simpler to protect a bank with two doors than it is to defend a similar building with ten doors."
- Keeping the defensible network current, by constantly monitoring the network in order to remove or upgrade any out-of-date or obsolete services and applications.

The third chapter of the book, titled "Extrusion Detection Illustrated," is essential reading. It is in this chapter that the theory behind extrusion detection, as well as its practical application, is fully explored. This sets the stage for the remainder of the book.

Scenarios there demonstrate extrusion detection using each of the four forms of network security monitoring data: full content data, session data, statistical data, and alert data.
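To make the session-data scenario concrete, here is an added example (mine, not code from the book or from Bejtlich) of the kind of check an extrusion-detection analyst runs over session records. It works on constructed Argus/NetFlow-style tuples (start time, source, destination, destination port, bytes out), keeps only sessions that leave the internal network, and then flags two things the review text mentions: internal clients using an outbound service a desktop never needs, and a host checking in with the same external peer at metronomic intervals, which is how a bot in a botnet typically looks in session data. The internal address ranges and the client port allowlist are assumptions for the example and would be tuned to a real environment.

```python
"""Extrusion detection over session data (added example, not the book's code).

Inspects OUTBOUND sessions only, as extrusion detection does, and flags
internal hosts whose traffic looks like a compromised client."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed internal address space for this example.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Assumed allowlist of destination ports a desktop client legitimately uses.
CLIENT_PORTS = {53, 80, 443}

# Constructed Argus/NetFlow-style session records:
# (start_time_seconds, src_ip, dst_ip, dst_port, bytes_out)
SESSIONS = [
    (0,    "10.1.1.5",    "203.0.113.9",  443,  4200),
    (30,   "10.1.1.5",    "203.0.113.9",  80,   1800),
    (45,   "10.1.1.7",    "198.51.100.2", 6667, 300),   # outbound IRC, every 300 s
    (345,  "10.1.1.7",    "198.51.100.2", 6667, 310),
    (645,  "10.1.1.7",    "198.51.100.2", 6667, 295),
    (945,  "10.1.1.7",    "198.51.100.2", 6667, 305),
    (1245, "10.1.1.7",    "198.51.100.2", 6667, 300),
    (60,   "10.1.1.9",    "192.168.5.20", 445,  9000),  # internal to internal: ignored
    (100,  "203.0.113.9", "10.1.1.5",     80,   500),   # inbound: ignored
]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def outbound(sessions):
    """Sessions whose source is internal and destination is external.
    A perimeter IDS watches the opposite direction."""
    return [s for s in sessions if is_internal(s[1]) and not is_internal(s[2])]


def unexpected_ports(sessions, allowed=CLIENT_PORTS):
    """Map each internal host to the (destination, port) pairs it used
    outbound that fall outside the client allowlist."""
    hits = defaultdict(set)
    for _start, src, dst, port, _bytes in outbound(sessions):
        if port not in allowed:
            hits[src].add((dst, port))
    return dict(hits)


def beacons(sessions, min_sessions=4, max_jitter=0.1):
    """Find (src, dst, port) pairs contacted at regular intervals.

    Regularity is pstdev/mean of the inter-arrival times; a bot that
    checks in every N seconds scores near zero. Returns the pair mapped to
    its rounded mean interval in seconds."""
    by_pair = defaultdict(list)
    for start, src, dst, port, _bytes in outbound(sessions):
        by_pair[(src, dst, port)].append(start)
    found = {}
    for pair, starts in by_pair.items():
        if len(starts) < min_sessions:
            continue
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found[pair] = round(avg)
    return found


if __name__ == "__main__":
    print("unexpected outbound ports:", unexpected_ports(SESSIONS))
    print("beaconing pairs (mean interval s):", beacons(SESSIONS))
```

Note that neither check needs packet payloads: session data alone is enough to surface the host on 10.1.1.7, which is exactly why the book treats session data as the workhorse of extrusion detection and why Appendix A is devoted to collecting it.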

The second part of the "Extrusion Detection: Security Monitoring for Internal Intrusions" text examines network security operations from the perspectives of traffic threat assessment, network incident response, and network forensics.

The importance of network forensics should not be underestimated. It is this sort of information that is often required to support an employee termination for misconduct, from both the legal and scientific points of view.

However, for the forensic evidence to be accepted in a court of law, Bejtlich advises that it is "important to rely, whenever possible, on network forensic procedures that have been tested, published, quality controlled, and generally accepted."

Most readers of the book will benefit from the third part of the book because of the two case studies that it contains. The first case study shows how theory, which was presented in an earlier chapter of the book, is applied in a practical manner to traffic threat assessment. The outcome in this case study is the discovery of an internal system that had joined a malicious botnet. A full explanation of bots is provided in the book. The second case study looks at bots and the botnet phenomenon in greater detail.

Sometimes you find that the appendices that are included in computer books are nothing more than fillers that authors have used to increase the number of pages in their books. This is not the case with the four appendices that are an integral part of "Extrusion Detection: Security Monitoring for Internal Intrusions."

The first of those appendices walks readers through two methods that can be used to collect vital session data in an emergency situation. The methods in question are Cisco NetFlow, and an alternative approach to NetFlow, the standalone "Argus" application.

Appendix B covers the steps involved in getting the Snort network intrusion detection system (NIDS) up and running on your network. Snort, an open source detection system, uses a rule-driven language that combines the benefits of signature-, protocol- and anomaly-based inspection.

The third appendix discusses technologies for assessing vulnerabilities in your systems. Unearthing those vulnerabilities is the prerequisite for the next two stages of tightening security: first, accurately determining the actual security exposure, and second, reducing that exposure to an acceptable level or eliminating it altogether.

Host enumeration is all about knowing what you need to protect from attack. Bejtlich argues that "knowing what one is defending is also a tenet of preparation for network incident response."

But because it is an activity that is often ignored, the last appendix in the book discusses a number of open source tools that are ideally suited to carrying out host enumeration of an enterprise network.

When you visit the companion web site to "Extrusion Detection: Security Monitoring for Internal Intrusions" (www.extrusiondetection.com), you will be able to browse through Bejtlich's "TaoSecurity Blog," which is centered around the key question of "Do you want a defensible network or not?"

In addition, it is also worthwhile visiting Bejtlich's other site, "Bejtlich.net" (www.bejtlich.net). That site concerns itself with a variety of digital security interests including network security monitoring, incident response, forensics, and FreeBSD.

For example, the resources section of this site has been subdivided into the following areas: scripting and programming; weapons and tactics; system administration; telecommunications; and management and policy.

In order to get maximum benefit from reading Bejtlich's book, you need to already possess an intermediate to advanced knowledge of network security. The book's intended audience includes IT architects, engineers, analysts, senior operators, systems administrators, project leaders, and IT managers.

If you have not already read Bejtlich's other book, "The Tao of Network Security Monitoring," I would recommend that you read that before tackling "Extrusion Detection: Security Monitoring for Internal Intrusions."

While it is true that his latest book can be read in isolation from the previous one, I agree with Bejtlich when he says, "in many ways, Extrusion Detection is an attempt to extend The Tao to the addressing of internal threats."

By reading both books, and by rigorously applying the strategies described in them, you can significantly improve the odds that your company's systems will not be compromised, whether by an external threat or by an attack originating from within.

Author: Richard Bejtlich

Publisher: Addison-Wesley Professional (www.awprofessional.com)

Sample chapter: The fourth chapter of the book, "Enterprise Network Instrumentation," is available online (www.awprofessional.com)

Published: November 2005

ISBN: 0321349962

Format: Soft cover, 416 pages

Price: $49.99

