Domain: isp-planet.com
Stories and comments across the archive that link to isp-planet.com.
Stories · 13
Free Nationwide Wireless Internet Access?
LiquidEdge writes "ISP-Planet is reporting that startup M2Z wants to offer 95% of America free wireless Internet access using the 20 MHz frequency allocation. They're backed by Kleiner Perkins, one of the most successful VC firms in history, and being started by the guy who built the @Home network and a former FCC Wireless Bureau Chief. 384/128 speeds will be free and they'll sell the higher speeds and the government will get a kickback of the revenue."
Intrusion Detection with Snort
Eric Stats writes: "At one point in the not so distant past, Intrusion Detection Systems (IDSs) were network security applications reserved for Fortune 500 companies with enough IT budget to fork up the Big Dollar, or hard core packetheads willing to grep through tcpdump or shadow output. Over the past few years, a new pig on the block, Snort, has put that notion to rest. Instead of having to spring for hundreds of thousands of dollars for a feature-rich, state-of-the-art IDS, open source fans now have an IDS that meets and beats most of the performance benchmarks and features of commercial, closed source IDSs. Jack Koziol's new book, Intrusion Detection with Snort, presents a comprehensive guide that those either novice to, or richly experienced with, the field of Intrusion Detection can use to get up to speed quickly on Snort." Read on for Eric's review.

Intrusion Detection with Snort
author: Jack Koziol
pages: 400
publisher: Sams
rating: 9
reviewer: Eric Stats
ISBN: 157870281X
summary: Handbook on the open source Intrusion

What Koziol implies throughout Intrusion Detection with Snort, but never states outright, is that Snort holds an inherent advantage over closed source IDSs, in that the IDS itself can be tailored and customized for each individual deployment to a level not possible for closed source competitors. If you have had the displeasure of working with a rigid, uncustomizable IDS, you already know where this is going ...
In order for an IDS to be effective, or in some high-bandwidth cases, even usable, detailed network and business context must be applied to the IDS. In a nutshell, IDSs are not as plug-and-play as firewalls or other security applications. For example, if you know you are not running any HTTP traffic on the segment where the IDS is sniffing, you may not want your IDS to waste cycles looking for attacks on Apache. On the other hand, you may feel that the mere presence of HTTP traffic may indicate something innately suspicious, so it is of value to watch for any HTTP traffic. It all depends on what you feel are legitimate threats to the network you are attempting to protect. Snort gives you the power to "watch" for specific attacks, protocol anomalies, or other chatter that has no legitimate business running on your network. Other closed source IDSs don't, or can't, have the same flexibility. Only Snort can implement something as detailed as "Send a page to the CISO's phone if this particular subnet attacks these Apache servers with the chunked encoding exploit."
With Snort, novices can easily write attack signatures (called rules), enable or disable specific protocol decoders, and detect advanced attacks such as exploits utilizing polymorphic shellcode. Without this level of flexibility, you are likely to be flooded with alerts that are not relevant, or, even worse, miss an actual attack that causes irreparable data loss.
Like many open source applications, Snort's biggest downfall has been documentation. Who wants to write boring user manuals when he can write code, right? Well, that's all fine and dandy for Snort developers, but folks that want to actually use all of the neat features can't, unless you tell them they are there, and how to use them. Intrusion Detection with Snort bridges this gap, and offers a clear, concise guideline that helps plan, implement and maintain a Snort-based IDS.
Another oft-cited problem with Snort that Intrusion Detection with Snort addresses is the lack of Snort features that are not directly related to intrusion detection. In essence, Snort's developers have concentrated on creating the world's best application for detecting unauthorized activity, and left everything else to other applications. If you want to organize and manage the alerts generated by Snort you have to use another application (ACID). If you desire alerts via email or pager you need another tool (swatch or syslog-ng). If you want to centrally manage attack signatures for multiple Snort installations, guess what? You need another tool (IDS Policy Manager or SnortCenter). Finding, installing, and getting all of these tools to work right can be frustrating, so Koziol walks us through these issues, and in the end we have an IDS rivaling the expensive commercial solutions.
On to the nitty-gritty of the book. Essentially, this book is organized into three logical sections, even though the author did not choose to make these demarcations in print. The first section introduces us to intrusion detection in general and features of Snort. The second section is a detailed installation guide, which walks through setting up and installing the various components of a distributed Snort setup. The final section focuses on post-installation and maintenance tasks, as well as advanced topics.
In the first section, the different breeds of IDS (Host and Network) are honestly presented, with Koziol acknowledging in great detail some of the major shortcomings of IDS technology. The book then moves to describing Snort in great detail in an unbiased fashion. Other books on this subject written by Snort contributors are less forthcoming with Snort's disadvantages. The inner workings of Snort (such as packet decoders and libpcap) and the largely undocumented preprocessors are described in detail, giving tons of real-world examples. The examples are somewhat current, and describe exploits commonly found 6-18 months ago. Although the actual exploits found in the wild may change over time, the strategies for discovering them with Snort should remain relatively constant. The book then moves into the activities required in planning for a Snort-based IDS installation. Some of this is common sense for experienced security practitioners, such as establishing an incident response plan (the "Oh shit, I've been hacked, what do I do now!?!?"), but is relevant for novices. Other topics introduced in this section are:
Sensor placement: where to place an IDS from a network design perspective for maximum benefit.
Inserting a sensor into an in place network: covers using taps, span ports, and dedicated hubs.
Specific hardware and OS considerations: basically, why a flavor of Unix is best for Snort.
Creating a unidirectional sniffing cable: allows network traffic to flow in a single direction, minimizing risk to an IDS segment.
The second section is a detailed guide to building a distributed or 3-tiered Snort IDS. Getting the three components, the sensor (where Snort is actually installed), the server (database, alert management, and reporting server), and the analyst console (secure place to access other components and store config files and scripts), up and working on Linux takes up the bulk of this section. The analyst console chapter walks through the ever-popular Analysis Console for Intrusion Databases (ACID). Attention is paid to configuring a secured setup that encrypts traffic between the various sensors, servers, and consoles. Various packages and tools are described, as well as condensing all of the Snort tiers onto one physical box. Installing and configuring on Windows is covered as well, although this choice of setup is not as thoroughly explained as the others. The third and final section picks up where most books that deal with a specific application or software package too often leave off, namely, keeping the damn thing working. A chapter is dedicated to tuning Snort, and what thresholds can be configured to maximize benefit and performance. Getting real-time alerting via email working with ancillary tools is covered in a dedicated chapter. Developing a targeted ruleset (a set of automagically generated signatures that will only detect attacks that have the potential to be successful) using a custom shell script is described.
A very important topic in Snort administration, writing custom rules (attack signatures) gets its own chapter. The syntax for creating rules is clearly described, followed by concrete examples. The book works through writing rules by reading through raw packet captures (last year's Slapper worm is a particularly good example). This is followed by upgrading and managing rules, which is highly useful if you have a number of Snort installations to manage. Finally, Intrusion Detection with Snort closes with a chapter on advanced topics. The advanced topics chapter primarily covers the latest fad 'Intrusion Prevention.' Snort can be made into an IPS device via packet scrubbing or shunting. For packet scrubbing, the Snort Inline patch is used and the box is placed in between a trusted and untrusted network, dropping packets that match specifically created rules. Shunting is accomplished with SnortSam, which basically sends a request to a border router or firewall to block an attacking IP address for a predetermined period of time.
Overall, Jack Koziol's Intrusion Detection with Snort is a viable text for learning Intrusion Detection with the world's premier open source IDS. It is light on diagrams and pictures, but it still comes highly recommended from this reviewer.
You can purchase Intrusion Detection with Snort from bn.com.
Insight Into The FCC's Triennial Review
TheReckoning writes "ISP Planet has an article by Alex Goldman about the FCC's policy review, happening now. To quote: 'The Federal Communications Commission (FCC) is reviewing the rules that allow CLECs and ISPs access to incumbent phone companies' infrastructure. The FCC reviews rules every three years. This is the second triennial review since 1996, and the first under the new Republican administration.' It's a long read, but very educational."
New Look at ADSL2
genrader writes "broadbandreports.com just posted a news article which had an interesting story about the new ADSL2, which should be approved in 2003. They say it should be backward compatible with current hardware. It seems pretty interesting. ISP-Planet has the featured in-depth look at it, so you might want to see if it is of any interest to you."
Spamming Gets Expensive in Utah and Ohio
bradipo writes "A large number of lawsuits have been filed against companies that have not complied with the anti-spam statute in Utah. I'm not sure how this will turn out, but it should be interesting nonetheless." And reader spoton writes "The governor of Ohio has signed into law a bill that allows internet subscribers to sue for up to $50,000 and ISPs for up to $500,000. It allows you to sue for $100 per email + court and lawyer fees incurred. Looks like the cost of spamming is going up."
Data Mining?
portmonk writes: "Interesting article on ISP-Planet regarding subterranean co-lo. Bomb shelter and hosting in one easy package..."
Wireless Freenets
i8u writes "It's hard to tell whether these things are a threat or an opportunity for ISPs. I'm talking about community wireless networks using inexpensive 802.11b radios and antennas operating in the 2.4 GHz spectrum band, and possibly other license-free bands."
The State of Broadband
Bartbrn writes "Here's an article ripped from today's headlines! Though this sounds like one of those Reader's Digest articles like "Ten Ways to Make Herpes Work For You!", it's actually a pretty interesting nugget written by Stephen Heins, Director of Marketing (uh oh) for NorthNet LLC, concerning the current political state of broadband access in the USA." Although this guy has a vested interest in the process, his take on the situation looks pretty accurate as far as I can tell.
Homebrew S/ADSL
schvin writes: "ISP Planet has a brief article about rolling your own DSL connection. One person in Washington state has extensive information on how he got his home-brewed SDSL fully functional." This is great, and I wish I knew about it before I had all this hooked up here. Save money! Do it yourself! It's the GNU way!
$13 Domain Name Registration