Tao of Network Security Monitoring Beyond Intrusion Detection

ISBN-10: 0321246772
ISBN-13: 9780321246776
Edition: 2005
Authors: Richard Bejtlich
Book details

List price: $74.99
Copyright year: 2005
Publisher: Addison Wesley Professional
Publication date: 7/12/2004
Binding: Paperback
Pages: 832
Size: 7.00" wide x 9.00" long x 1.75" tall
Weight: 2.684
Language: English

Once your security is breached, everyone will ask the same question: now what? Answering this question has cost companies hundreds of thousands of dollars in incident response and computer forensics fees. This book reduces the investigative workload of computer security incident response teams (CSIRT) by posturing organizations for incident response success. Firewalls can fail. Intrusion-detection systems can be bypassed. Network monitors can be overloaded. These are the alarming but true facts about network security. In fact, too often, security administrators' tools can serve as gateways into the very networks they are defending. Now, a novel approach to network monitoring seeks to overcome these limitations by providing dynamic information about the vulnerability of all parts of a network. Called network security monitoring (NSM), it draws on a combination of auditing, vulnerability assessment, intrusion detection and prevention, and incident response for the most comprehensive approach to network security yet. By focusing on case studies and the application of open source tools, the author helps readers gain hands-on knowledge of how to better defend networks and how to mitigate damage from security incidents.

Table of contents

Foreword
Preface
About the Author
About the Contributors
Introduction to Network Security Monitoring
The Security Process
What Is Security?
What Is Risk?
Threat
Vulnerability
Asset Value
A Case Study on Risk
Security Principles: Characteristics of the Intruder
Some Intruders Are Smarter Than You
Many Intruders Are Unpredictable
Prevention Eventually Fails
Security Principles: Phases of Compromise
Reconnaissance
Exploitation
Reinforcement
Consolidation
Pillage
Security Principles: Defensible Networks
Defensible Networks Can Be Watched
Defensible Networks Limit an Intruder's Freedom to Maneuver
Defensible Networks Offer a Minimum Number of Services
Defensible Networks Can Be Kept Current
Conclusion
What Is Network Security Monitoring?
Indications and Warnings
Collection, Analysis, and Escalation
Detecting and Responding to Intrusions
Why Do IDS Deployments Often Fail?
Outsiders versus Insiders: What Is NSM's Focus?
Security Principles: Detection
Intruders Who Can Communicate with Victims Can Be Detected
Detection through Sampling Is Better Than No Detection
Detection through Traffic Analysis Is Better Than No Detection
Security Principles: Limitations
Collecting Everything Is Ideal but Problematic
Real Time Isn't Always the Best Time
Extra Work Has a Cost
What NSM Is Not
NSM Is Not Device Management
NSM Is Not Security Event Management
NSM Is Not Network-Based Forensics
NSM Is Not Intrusion Prevention
NSM in Action
Conclusion
Deployment Considerations
Threat Models and Monitoring Zones
The Perimeter
The Demilitarized Zone
The Wireless Zone
The Intranet
Accessing Traffic in Each Zone
Hubs
SPAN Ports
Taps
Inline Devices
Wireless Monitoring
Sensor Architecture
Hardware
Operating System
Sensor Management
Console Access
In-Band Remote Access
Out-of-Band Remote Access
Conclusion
Network Security Monitoring Products
The Reference Intrusion Model
The Scenario
The Attack
Conclusion
Full Content Data
A Note on Software
Libpcap
Tcpdump
Basic Usage of Tcpdump
Using Tcpdump to Store Full Content Data
Using Tcpdump to Read Stored Full Content Data
Timestamps in Stored Full Content Data
Increased Detail in Tcpdump Full Content Data
Tcpdump and Berkeley Packet Filters
Tethereal
Basic Usage of Tethereal
Using Tethereal to Store Full Content Data
Using Tethereal to Read Stored Full Content Data
Getting More Information from Tethereal
Snort as Packet Logger
Basic Usage of Snort as Packet Logger
Using Snort to Store Full Content Data
Using Snort to Read Stored Full Content Data
Finding Specific Parts of Packets with Tcpdump, Tethereal, and Snort
Ethereal
Basic Usage of Ethereal
Using Ethereal to Read Stored Full Content Data
Using Ethereal to Rebuild Sessions
Other Ethereal Features
A Note on Commercial Full Content Collection Options
Conclusion
Additional Data Analysis
Editcap and Mergecap
Tcpslice
Tcpreplay
Tcpflow
Ngrep
IPsumdump
Etherape
Netdude
Using Netdude
What Do Raw Trace Files Look Like?
P0f
Conclusion
Session Data
Forms of Session Data
Cisco's NetFlow
Fprobe
Ng_netflow
Flow-tools
Flow-capture
Flow-cat and Flow-print
sFlow and sFlow Toolkit
Argus
Argus Server
Ra Client
Tcptrace
Conclusion
Statistical Data
What Is Statistical Data?
Cisco Accounting
Ipcad
Ifstat
Bmon
Trafshow
Ttt
Tcpdstat
MRTG
Ntop
Conclusion
Alert Data: Bro and Prelude
Bro
Installing Bro and BRA
Interpreting Bro Output Files
Bro Capabilities and Limitations
Prelude
Installing Prelude
Interpreting Prelude Output Files
Installing PIWI
Using PIWI to View Prelude Events
Prelude Capabilities and Limitations
Conclusion
Alert Data: NSM Using Sguil
Why Sguil?
So What Is Sguil?
The Basic Sguil Interface
Sguil's Answer to "Now What?"
Making Decisions with Sguil
Sguil versus the Reference Intrusion Model
Shellcode x86 Noop and Related Alerts
FTP Site Overflow Attempt Alerts
Scan nmap TCP Alerts
Misc Ms Terminal Server Request Alerts
Conclusion
Network Security Monitoring Processes
Best Practices
Assessment
Defined Security Policy
Protection
Access Control
Traffic Scrubbing
Proxies
Detection
Collection
Identification
Validation
Escalation
Response
Short-Term Incident Containment
Emergency Network Security Monitoring
Back to Assessment
Analyst Feedback
Conclusion
Case Studies for Managers
Introduction to Hawke Helicopter Supplies
Emergency Network Security Monitoring
Detection of Odd Orders
System Administrators Respond
Picking Up the Bat Phone
Conducting Incident Response
Incident Response Results
Evaluating Managed Security Monitoring Providers
HHS Requirements for NSM
HHS Vendor Questionnaire
Asset Prioritization
Deploying an In-House NSM Solution
Partner and Sales Offices
HHS Demilitarized Zone
Wireless Network
Internal Network
"But Who Shall Watch the Watchers?"
Other Staffing Issues
Conclusion
Network Security Monitoring People
Analyst Training Program
Weapons and Tactics
Definition
Tasks
References
Telecommunications
Definition
Tasks
References
System Administration
Definition
Tasks
References
Scripting and Programming
Definition
Tasks
References
Management and Policy
Definition
Tasks
References
Training in Action
Periodicals and Web Sites
Case Study: Staying Current with Tools
Conclusion
Discovering DNS
Normal Port 53 Traffic
Normal Port 53 UDP Traffic
Normal Port 53 TCP Traffic
Suspicious Port 53 Traffic
Suspicious Port 53 UDP Traffic
Suspicious Port 53 TCP Traffic
Malicious Port 53 Traffic
Malicious Port 53 UDP Traffic
Malicious Port 53 TCP and UDP Traffic
Conclusion
Harnessing the Power of Session Data
The Session Scenario
Session Data from the Wireless Segment
Session Data from the DMZ Segment
Session Data from the VLANs
Session Data from the External Segment
Conclusion
Packet Monkey Heaven
Truncated TCP Options
SCAN FIN
Chained Covert Channels
Conclusion
The Intruder versus Network Security Monitoring
Tools for Attacking Network Security Monitoring
Packit
IP Sorcery
Fragroute
LFT
Xprobe2
Cisco IOS Denial of Service
Solaris Sadmin Exploitation Attempt
Microsoft RPC Exploitation
Conclusion
Tactics for Attacking Network Security Monitoring
Promote Anonymity
Attack from a Stepping-Stone
Attack by Using a Spoofed Source Address
Attack from a Netblock You Don't Own
Attack from a Trusted Host
Attack from a Familiar Netblock
Attack the Client, Not the Server
Use Public Intermediaries
Evade Detection
Time Attacks Properly
Distribute Attacks Throughout Internet Space
Employ Encryption
Appear Normal
Degrade or Deny Collection
Deploy Decoys
Consider Volume Attacks
Attack the Sensor
Separate Analysts from Their Consoles
Self-Inflicted Problems in NSM
Conclusion
Epilogue: The Future of Network Security Monitoring
Remote Packet Capture and Centralized Analysis
Integration of Vulnerability Assessment Products
Anomaly Detection
NSM Beyond the Gateway
Conclusion
Appendixes
Protocol Header Reference
Intellectual History of Network Security Monitoring
Protocol Anomaly Detection
Index