
REVIEW: "Network Intrusion Detection", Stephen Northcutt/Judy Novak/Donald McLachlan

  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    Message 1 of 1, Nov 15, 2002
      BKNTINDT.RVW 20021009

      "Network Intrusion Detection", Stephen Northcutt/Judy Novak/Donald
      McLachlan, 2001, 0-7357-1008-2, U$45.00/C$67.95/UK#34.99
      %A Stephen Northcutt stephen@... snorthcutt@...
      %A Judy Novak
      %A Donald McLachlan don_mclachlan@...
      %C 201 W. 103rd Street, Indianapolis, IN 46290
      %D 2001
      %G 0-7357-1008-2
      %I Macmillan Computer Publishing (MCP)/New Riders
      %O U$45.00/C$67.95/UK#34.99 800-858-7674 http://www.newriders.com
      %P 430 p.
      %T "Network Intrusion Detection: An Analyst's Handbook, Second Ed."

      The introduction for the first edition of this work was a bit
      confusing. The front matter for the second edition is much more so.
      The only item listed in the table of contents is the introduction,
      but, while still stating that the book is intended as a training aid
      and reference for intrusion detection analysts, it is much the
      smallest item of the many at the beginning of the book. There is a
      longish, and not very clear, history of the "shadow" program. In
      addition, there is a preface, which meanders around presenting
      opinions about various aspects of the Internet and security. It does
      finally provide a rather interesting definition of intrusion
      detection; the purpose is to identify threats and make sure the
      network is hardened against them; but does not make clear what the
      book is for, or how it approaches the subject.

      Chapter one is a basic overview of TCP/IP. The material is
      reasonable, albeit limited, but not exemplary. TCPdump is examined
      before TCP itself, in chapter two. Again, the content is informative,
      but there are definite gaps. Fragmentation uses, issues, and patterns
      in TCPdump are presented in chapter three. Chapter four does provide
      some idea of the use of ICMP (Internet Control Message Protocol), but
      not a comprehensive or clear one, and not in the stated introduction.
      The coverage of ICMP attacks is neither particularly lucid nor
      particularly complete. It does, however, furnish some convincing
      arguments for the use of stateful inspection.

      Chapter five presents a few "normal" transactions that you might see
      in network traffic, and some that might indicate some type of attack.
      The material is interesting, but is not displayed in a structure that
      would make it useful to the reader. DNS (Domain Name Service) is
      explained in some detail in chapter six, although the attack and
      exploit coverage is terse. In chapter seven (chapter one, from the
      first edition), we are given some details of the TCP hijacking attack
      Kevin Mitnick launched against computers used by Tsutomu Shimomura.
      In fact we are given rather a lot of details, and not a little C code,
      much of which is simply thrown out at us. The experienced UNIX
      network analyst and C programmer will, of course, have no difficulty
      with the material, and any reasonably experienced computer user will
      likely be able to find references in order to work through the real
      implications of the text. Late in the chapter there is a promise of
      explaining how to detect such an intrusion with two different systems:
      this promise is not fulfilled. The concept of filters and signatures
      is introduced in chapter eight, although the examples tend to be
      either system specific and heavily coded, or overly simplistic.

      The initial section of chapter nine attempts to present a means for
      determining which events are important enough to record and analyze,
      and does not succeed very well. The latter portion, on considerations
      for intrusion detection system (IDS) architecture is much more useful.
      Chapter ten starts out with a look at a variety of attempts at
      interoperability between intrusion detection vendors (making me think
      of the bygone days of standardized virus signature files: the
      availability of standards is shown to be problematic) and then tenders
      some ideas about suspicious types of traffic, finishing with a few
      thoughts on database queries and data reduction. A number of IDSes
      are described in chapter eleven, although the level of detail, and
      even the general writeup structure, varies greatly.

      Chapter twelve seems to be out of place: the prediction about the
      future usually happens at the end of the book. Exploits, denial of
      service, and scan patterns are described in chapters thirteen,
      fourteen, and fifteen, repeating some of the material from chapters
      five and seven. Although interesting, not all of the content would be
      helpful to analysts or IDS administrators. Signatures related to the
      use of RPC (Remote Procedure Calls) as an attack tool are given in
      chapter sixteen. Chapter seventeen describes various options for
      filtering traffic for or with TCPdump. A "cracking" session, after a
      system has been penetrated, is presented in limited detail in chapter
      eighteen. In this case we are presented with a log of UNIX shell
      commands, and, rather ironically, a great deal more exegesis than is
      available in other sections (although the attempts at humour do
      confuse the issue, here and elsewhere in the book). A discussion of
      blackhat communities and resources has been added in this edition. A
      "detection" is outlined in chapter nineteen, but with a supremely
      anticlimactic ending: the summary admits that no reason for the
      anomalous traffic has been found.

      Chapter twenty reviews some basic security topics, such as policy
      development and risk assessment, but in a very simplistic and terse
      fashion. A number of possible responses to an intrusion are outlined
      in chapter twenty one. Chapter twenty two closes with suggestions on
      how to make a business case.

      Those who need to know about intrusion detection should probably first
      look at Bace's (cf. BKNTRDET.RVW) or Amoroso's (cf. BKINTDET.RVW)
      books, both (somewhat annoyingly) titled "Intrusion Detection."
      Because of the lack of structure in the work, this volume is not
      usable as an overview introduction to the field, although the examples
      do contain a great deal of informative content: if you can dig it out.
      For those who do have the basic concepts, the material does provide
      numerous practical examples, and some real-life considerations for

      copyright Robert M. Slade, 1999, 2002 BKNTINDT.RVW 20021009

      rslade@... rslade@... slade@... p1@...
      Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
      Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
      November 25, 2002 November 29, 2002 Toronto, ON, Canada
      December 16, 2002 December 20, 2002 San Francisco, CA
      February 10, 2003 February 14, 2003 St. Louis, MO