Welcome to the Alo Library of Shalom University of Bunia
Title: | The Tao of Network Security Monitoring: Beyond Intrusion Detection |
Authors: | Richard Bejtlich |
Document type: | electronic document |
Publisher: | [S.l.] : Addison-Wesley, 2004 |
ISBN/ISSN/EAN: | 978-0-321-24677-6 |
Dewey class: | 005.8 (Data security. Protection against computer hacking) |
Summary: |
"The book you are about to read will arm you with the knowledge you need to defend your network from attackers—both the obvious and the not so obvious.... If you are new to network security, don't put this book back on the shelf! This is a great book for beginners and I wish I had access to it many years ago. If you've learned the basics of TCP/IP protocols and run an open source or commercial IDS, you may be asking 'What's next?' If so, this book is for you."
—Ron Gula, founder and CTO, Tenable Network Security, from the Foreword

"Richard Bejtlich has a good perspective on Internet security—one that is orderly and practical at the same time. He keeps readers grounded and addresses the fundamentals in an accessible way."
—Marcus Ranum, TruSecure

"This book is not about security or network monitoring: It's about both, and in reality these are two aspects of the same problem. You can easily find people who are security experts or network monitors, but this book explains how to master both topics."
—Luca Deri, ntop.org

"This book will enable security professionals of all skill sets to improve their understanding of what it takes to set up, maintain, and utilize a successful network intrusion detection strategy."
—Kirby Kuehl, Cisco Systems

Every network can be compromised. There are too many systems, offering too many services, running too many flawed applications. No amount of careful coding, patch management, or access control can keep out every attacker. If prevention eventually fails, how do you prepare for the intrusions that will eventually happen? Network security monitoring (NSM) equips security staff to deal with the inevitable consequences of too few resources and too many responsibilities. NSM collects the data needed to generate better assessment, detection, and response processes—resulting in decreased impact from unauthorized activities.
In ***The Tao of Network Security Monitoring***, Richard Bejtlich explores the products, people, and processes that implement the NSM model. By focusing on case studies and the application of open source tools, he helps you gain hands-on knowledge of how to better defend networks and how to mitigate damage from security incidents. Inside, you will find in-depth information on the following areas.

* The NSM operational framework and deployment considerations.
* How to use a variety of open-source tools—including Sguil, Argus, and Ethereal—to mine network traffic for full content, session, statistical, and alert data.
* Best practices for conducting emergency NSM in an incident response scenario, evaluating monitoring vendors, and deploying an NSM architecture.
* Developing and applying knowledge of weapons, tactics, telecommunications, system administration, scripting, and programming for NSM.
* The best tools for generating arbitrary packets, exploiting flaws, manipulating traffic, and conducting reconnaissance.

Whether you are new to network intrusion detection and incident response, or a computer-security veteran, this book will enable you to quickly develop and apply the skills needed to detect, prevent, and respond to new and emerging threats.

### About the Author

**Richard Bejtlich** is founder of TaoSecurity, a company that helps clients detect, contain, and remediate intrusions using Network Security Monitoring (NSM) principles. He was formerly a principal consultant at Foundstone—performing incident response, emergency NSM, and security research and training—and created NSM operations for ManTech International Corporation and Ball Aerospace & Technologies Corporation. For three years, Bejtlich defended U.S. information assets as a captain in the Air Force Computer Emergency Response Team (AFCERT). Formally trained as an intelligence officer, he is a graduate of Harvard University and of the U.S. Air Force Academy.
He has authored or coauthored several security books, including *The Tao of Network Security Monitoring* (Addison-Wesley, 2004).

### Excerpt

© Reprinted by permission. All rights reserved.

Welcome to *The Tao of Network Security Monitoring: Beyond Intrusion Detection*. The goal of this book is to help you better prepare your enterprise for the intrusions it will suffer. Notice the term "will." Once you accept that your organization will be compromised, you begin to look at your situation differently. If you've actually worked through an intrusion—a real compromise, not a simple Web page defacement—you'll realize the security principles and systems outlined here are both necessary and relevant.

This book is about *preparation* for compromise, but it's not a book about *preventing* compromise. Three words sum up my attitude toward stopping intruders: *prevention eventually fails*. Every single network can be compromised, either by an external attacker or by a rogue insider. Intruders exploit flawed software, misconfigured applications, and exposed services. For every corporate defender, there are thousands of attackers, enumerating millions of potential targets. While you might be able to prevent some intrusions by applying patches, managing configurations, and controlling access, you can't prevail forever. Believing only in prevention is like thinking you'll never experience an automobile accident. Of course you should drive defensively, but it makes sense to buy insurance and know how to deal with the consequences of a collision.

Once your security is breached, everyone will ask the same question: *now what?* Answering this question has cost companies hundreds of thousands of dollars in incident response and computer forensics fees. I hope this book will reduce the investigative workload of your computer security incident response team (CSIRT) by posturing your organization for incident response success.
If you deploy the monitoring infrastructure advocated here, your CSIRT will be better equipped to scope the extent of an intrusion, assess its impact, and propose efficient, effective remediation steps. The intruder will spend less time stealing your secrets, damaging your reputation, and abusing your resources. If you're fortunate and collect the right information in a forensically sound manner, you might provide the evidence needed to put an intruder in jail.

### Audience

This book is for security professionals of all skill levels and inclinations. The primary audience includes network security architects looking for ways to improve their understanding of their network security posture. My goal is to provide tools and techniques to increase visibility and comprehension of network traffic. If you feel let down by your network-based intrusion detection system (NIDS), this book is definitely for you. I explain why most NIDS deployments fail and how you can augment existing NIDS with open source tools.

Because this book focuses on open source tools, it is more likely to be accepted in smaller, less bureaucratic organizations that don't mandate the use of commercial software. Furthermore, large organizations with immense bandwidth usage might find some open source tools aren't built to handle outrageous traffic loads. I'm not convinced the majority of Internet-enabled organizations are using connections larger than T-3 lines, however. While every tool and technique hasn't been stress-tested on high-bandwidth links, I'm confident the material in this book applies to a great majority of users and networks.

If you're a network security analyst, this book is also for you. I wrote this book as an analyst, for other analysts. This means I concentrate on interpreting traffic, not explaining how to install and configure every single tool from source code.
For example, many books on "intrusion detection" describe the Transmission Control Protocol/Internet Protocol (TCP/IP) suite and how to set up the Snort open source IDS engine with the Analysis Console for Intrusion Databases (ACID) interface. These books seldom go further because they soon encounter inherent investigative limitations that restrict the usefulness of their tools. Since my analytical techniques do not rely on a single product, I can take network-based analysis to the next level. I also limit discussion of odd packet header features, since real intrusions do not hinge on the presence of a weird TCP flag being set. The tools and techniques in this book concentrate on giving analysts the information they need to assess intrusions and make decisions, not just identify mildly entertaining reconnaissance patterns.

This book strives to not repeat material found elsewhere. You will not read how to install Snort or run Nmap. I suggest you refer to the recommended reading list in the next section if you hunger for that knowledge. I introduce tools and techniques overlooked by most authors, like the material on protocol anomaly detection by Brian Hernacki, and explain how you can use them to your advantage.

Technical managers will appreciate sections on best practices, training, and personnel issues. All the technology in the world is worthless if the staff manning it doesn't understand their roles, responsibilities, and escalation procedures. Managers will also develop an intuition for the sorts of information a monitoring process or product should provide. Many vendors sell services and products named with combinations of the terms "network," "security," and "monitoring." This book creates a specific definition for *network security monitoring* (NSM), built on a historical and operational foundation.
### Prerequisites

I've tried to avoid duplicating material presented elsewhere, so I hope readers lacking prerequisite knowledge take to heart the following reading suggestions. I highly recommend reading the following three books prior to this one. If you've got the necessary backgrou