Monday, January 19, 2004

Review of Intrusion Detection and Prevention Posted

I just posted my three-star review of Intrusion Detection and Prevention. From the review:

"I had high hopes for "Intrusion Detection and Prevention" (IDAP) as it is the first book to devote chapters to different vendor IDS products. It's also the first to explicitly mention the buzzword "intrusion prevention" in its title. Unfortunately, the book does not deliver the value I expected...

I took exception to some of the authors' conclusions. (Keep in mind a team wrote this book.) A cheap shot on page 187 shows the ISS chapter author doesn't understand what real analysts need to "trust" their IDS: "These increases in product signatures have given more customers the capability to trust the comprehensive nature of RealSecure over every other product, including the freeware power player, Snort." Analyst trust is built on transparency and validation, meaning he can see why the product generated an alert, and use additional data to confirm its validity. Snort and NFR offer this; ISS does not. Furthermore, if you don't like how Snort works, you can modify the source code -- try that with a proprietary system."
