Saturday, May 07, 2005

Mixed Thoughts on Inside Network Perimeter Security, 2nd Ed

I promise that I read the books I review, so this is not a review. You won't see me post anything at Amazon.com about Inside Network Perimeter Security, 2nd Ed. I read parts of it, but nowhere near enough to justify a formal review. Here are a few thoughts on the book.

The five authors and four technical editors did a lot of work to write this book. It weighs in at 660+ pages, with not that many figures or screen shots.

Despite being a second edition, I found evidence of old material. I noticed that chapter 2 describes IPChains. IPChains -- where was that last in the mainstream, in the Linux 2.2 kernel? Chapter 6 implies SSH v2 isn't available on Cisco gear, but readers will remember I got that working a few months ago. Ch 19 promotes the virtues of Big Brother, a monitoring tool that's been declining for years since its acquisition. Nagios should have been covered instead.

A quote in ch 11 on Intrusion Prevention Systems bugged me: "SoureFire [sic] ditched Snorty the pig and became Realtime Network Awareness (RNA), a passive sensor and visualization tool company in terms of primary internal focus." Let's ignore the misspellings and confusing English and answer this point. Sourcefire hasn't "ditched" Snort; RNA works with Snort. Someone doesn't understand Sourcefire or Snort.

I ended up reading most of ch 11 as it was fairly informative about network- and host-based IPSs. Otherwise, I didn't find a really compelling reason to read the book. There is some good material on network architecture, but nothing I haven't seen elsewhere. I guess that was my overall reason to stop paying attention to Inside Network Perimeter Security, 2nd Ed: I didn't see much new material for me. I also don't really care for books that provide advice but not configuration guidance. I like to flip through technical books and see that offset courier print denoting command and configuration syntax. Aside from the router hardening syntax in ch. 6, there's a lot of suggesting in this book but not as many concrete examples as I would like.

If anyone has opinions on Inside Network Perimeter Security, 2nd Ed, please post them.

Update: I reviewed this book on 30 August 2006.

4 comments:

Anonymous said...

RNA works with Snort

Strictly speaking, not true.

I've recently been doing some work with Sourcefire on Snort and RNA, and they don't really play well together. At least not on the same box.

During our recent attempts at an implementation of using Snort sensors and a Sourcefire DC, we ran into quite a number of caveats. Here are the major ones:

- Sourcefire doesn't support Snort 2.3 and above, only 2.2
- Sourcefire doesn't support the Linux 2.6 kernel
- A sensor can have either the Sourcefire RNA agent or the Sourcefire Snort agent, not both.
- Sourcefire only supports one instance of Snort per box.

I still love Snort, and I'm still working on getting as much functionality as possible out of Sourcefire. If you have insight on how to get around some of these limitations, I'd love to hear them.

By the way, I'm looking forward to hearing you speak at the NetOptics Think Tank next week.

Richard Bejtlich said...

Martin,

Thanks for the first-hand info. I think you know what I mean though. Sourcefire sells Snort as its IDS/IPS, and RNA is the piece designed to make that IDS/IPS functionality more accurate. See you in California next week!

Anonymous said...

Hey Martin,

I too am using Sourcefire and using the whole 3D architecture (IS, RNA, and DC). I knew about the appliances running a "hardened" 2.4 kernel but thought that I had seen a version of Snort running on the sensor higher than 2.3. Here is what I found...

root@IDS:~# snort -V

,,_ -*> Snort! <*-
o" )~ Version 2.4.0 (Build 7)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2005 Sourcefire Inc., et al.

root@IDS:~#

So I am running a 2.4.0 version here.

I haven't really had any issues getting RNA and the IS or DC working together but they are all on separate devices.

Regarding getting the IS and RNA agents running together on the same box, I had heard this was possible although I can't say for sure as I have never tried it. I may be thinking that the DC can have an RNA agent on it.

It does suck that you can only have one instance running per box though, I agree.

Anonymous said...

I must admit that I've only read a few bits of the second edition, specifically the sections which are new, but I've always thought this book was a great overall introduction to network security.

It definitely isn't a technical book and shouldn't be considered one but it does give a good overall picture of network security.

In my opinion if you want a book to begin your network security knowledge this should be one of the first you read. For people with experience in the field it is obviously lacking in technical depth but if it gave implementation details on all of the topics it covers it would probably be a few thousand pages long and still probably be insufficient.

All that being said however it is poor that the second edition contains references to very old linux kernels which should have been one of the most obvious things to check and update.