Book Reviews

Secure Fundamentals

Network Intrusion Detection: Third Edition builds the foundation for an informed network security analyst.

• By T. Brian Granier
• 03/01/2003

With global concerns of terrorism, many organizations have identified the need to increase their infrastructure's technical security. To answer the need for more thorough information security toolsets, intrusion detection systems, among other tools, have been quickly evolving in the past few years. Network Intrusion Detection: Third Edition provides the information necessary to understand the purpose, capabilities and limitations of these devices. This book is the culmination of the common body of knowledge available in the industry and is presented in a manner capable of jump-starting the career of security analysts everywhere.

Beginning the discussion with the fundamentals of TCPI/IP theory, this book lays the groundwork for an intrusion analyst to understand and interpret his or her network. With this information, you can follow the packet stream and determine if an activity is normal or abnormal. This sounds like a daunting amount of information to absorb, but this book identifies what's most important about TCP/IP standards, conveys the information a network intrusion analyst needs, and presents it in a clear and concise manner.

By the time you reach the second section, you're ready to dig in and look for unusual behavior on your network; but how do you look at it and what should you look for to find attacks? First, the authors provide information about "tcpdump," which is an application that can be used to look at raw data on your network. Windows users need not be afraid; they can use this information with "windump" the same way.

The second section finishes by going over the different aspects associated with protocol headers such as how they can be manipulated to perform an attack, how this information can be used to identify intent, and how it can also be used to determine specific information about the host that most likely generated the packet.

Now that you have knowledge of fundamental TCP/IP theory and the important aspects of network packets that can be used to derive information about a potential attack, it's time to build and configure your intrusion detection system. The authors cover tcpdump filters, which are used to extract network traffic fitting a very precise signature, and how snort signatures are written to look for network attacks. With this information, an analyst can quickly sort through mounds of network traffic to find relevant information. This is the heart of modern signature-based intrusion detection systems.

The fourth and final section of the book steps back from the nitty-gritty and covers higher level topics related to intrusion detection. This includes network architecture, business issues, and the authors' take on the future of the intrusion detection community. This material is essential for using the knowledge gained from the previous sections, correctly applying it in your environment and knowing the consequences of your decisions.

This book is one of the best organized and most relevant technical books I've ever read. The information provides the timeless theories that intrusion analysts must understand and is littered with practical, real-world examples. Although the authors don't go into detail about how to use any commercial IDS systems, the knowledge gained is applicable to anyone responsible for providing advanced security analysis techniques in any network. The only downside to this book I can think of is that it lacks a companion CD-ROM with a PDF version of the book and practical examples for the reader to apply what they've learned.