Intrusion Prevention and Active Response (IPAR) is a welcome departure from many books covering intrusion prevention and detection. The authors clearly distinguish between intrusion detection systems (IDS) and intrusion prevention systems (IPS), a distinction often conflated in media, training manuals and other educational material. The level of presentation is well suited for someone familiar with security principles, techniques and methods. If you are new to Linux, then you will probably need supporting materials to get through the more complex chapters. IPAR covers several key areas of IPS. Though many chapters focus on network and data link layers, the section on protecting your system through host-based IPS can be used on a wide number of systems. Too many IPS/IDS books focus only on perimeter security and fail to address what can be done at the host level. With the increase use of WAN, VPN and other applications, the perimeter is dissipating, making host security increasingly important.
The section on host IPS touches on a number of items with a rather detailed treatment of buffer overflows. Although I find reading source code in a book painfully boring, this detailed treatment of buffer overflows is welcomed. If you go through this section carefully, you will have a very good understanding of why buffer overflows are often exploited and more importantly how they can be defeated with tools like PaX and StackGuard. There is a brief treatment of hardened OS's and SELinux. Personally, I think the SELinux treatment was a bit light, especially as SELinux is now standard for Fedora Core 3 and Red Hat Enterprise Linux 4. Few books touch on SELinux, so a more expanded treatment of it here would have been welcomed. Nonetheless, the section on host based IPS is recommended to any server owner, especially those that lease or co-locate equipment that is in a network environment which they cannot control.
Chapter 7 focuses on application layer IPS controls. The best part of this chapter is a good review of common web application attacks such as cross-site scripting, form field manipulation, and SQL injection. These types of attacks are frequent entry points for hackers. The chapter also includes information on tools like ModSecurity, IIS Lockdown and others that can be used to protect your applications.
The remaining chapters provide background IPS information and details on how to protect the network layer. If you are a network manager, these chapters are a good starting point to IPS theory and practice. The last chapter provides brief accounts about deploying various open source tools, such as fwsnort, SnortSAM, LIDS, PSAD, and PortSentry. The inclusion of these tools is great but I think most will find that the treatment is too brief to provide a full-scale implementation. The authors point you in the right direction and get you started but you will need to rely on another resource if you plan to deploy many of these solutions.
Intrusion Prevention and Active Response is very good for anyone looking to secure their hosts and/or network. Some sections can become a bit tedious at times as they include packet captures, traces, and other highly detailed and technical information. I am not sure that showing a page full of a packet capture is too beneficial. I would rather see this replaced with CD-ROM that can simulate such events. Aside from this caveat, the treatment and background information on IPS is very strong.
I recommend this book to anyone considering deploying IPS systems or simply want to learn more about the differences between intrusion detection and intrusion prevention. As one of the few books focusing strictly on IPS, I think any security manager or system administrator can find some useful tidbits inside.
Intrusion Prevention and Active Response: Deploying Network and Host IPS, by Michael Rash, Angela Orebaugh, Graham Clark, Becky Pinkard, and Jake Babbin. Syngress. 424 pages, $49.95 US, $69.95 CA, £27.99 UK.