REVIEW: "Network Intrusion Detection", Stephen Northcutt/Judy Novak/Donald McLachlan
- BKNTINDT.RVW 20021009
"Network Intrusion Detection", Stephen Northcutt/Judy Novak/Donald
McLachlan, 2001, 0-7357-1008-2, U$45.00/C$67.95/UK#34.99
%A Stephen Northcutt stephen@... snorthcutt@...
%A Judy Novak
%A Donald McLachlan don_mclachlan@...
%C 201 W. 103rd Street, Indianapolis, IN 46290
%I Macmillan Computer Publishing (MCP)/New Riders
%O U$45.00/C$67.95/UK#34.99 800-858-7674 http://www.newriders.com
%P 430 p.
%T "Network Intrusion Detection: An Analyst's Handbook, Second Ed."
The introduction for the first edition of this work was a bit
confusing. The front matter for the second edition is much more so.
The only item listed in the table of contents is the introduction,
but, while still stating that the book is intended as a training aid
and reference for intrusion detection analysts, it is much the
smallest item of the many at the beginning of the book. There is a
longish, and not very clear, history of the "shadow" program. In
addition, there is a preface, which meanders around presenting
opinions about various aspects of the Internet and security. It does
finally provide a rather interesting definition of intrusion
detection; the purpose is to identify threats and make sure the
network is hardened against them; but does not make clear what the
book is for, or how it approaches the subject.
Chapter one is a basic overview of TCP/IP. The material is
reasonable, albeit limited, but not exemplary. TCPdump is examined
before TCP itself, in chapter two. Again, the content is informative,
but there are definite gaps. Fragmentation uses, issues, and patterns
in TCPdump are presented in chapter three. Chapter four does provide
some idea of the use of ICMP (Internet Control Message Protocol), but
not a comprehensive or clear one, and not in the stated introduction.
The coverage of ICMP attacks is neither particularly lucid nor
particularly complete. It does, however, furnish some convincing
arguments for the use of stateful inspection.
Chapter five presents a few "normal" transactions that you might see
in network traffic, and some that might indicate some type of attack.
The material is interesting, but is not displayed in a structure that
would make it useful to the reader. DNS (Domain Name Service) is
explained in some detail in chapter six, although the attack and
exploit coverage is terse. In chapter seven (chapter one, from the
first edition), we are given some details of the TCP hijacking attack
Kevin Mitnick launched against computers used by Tsutomu Shimomura.
In fact we are given rather a lot of details, and not a little C code,
much of which is simply thrown out at us. The experienced UNIX
network analyst and C programmer will, of course, have no difficulty
with the material, and any reasonably experienced computer user will
likely be able to find references in order to work through the real
implications of the text. Late in the chapter there is a promise of
explaining how to detect such an intrusion with two different systems:
this promise is not fulfilled. The concept of filters and signatures
is introduced in chapter eight, although the examples tend to be
either system specific and heavily coded, or overly simplistic.
The initial section of chapter nine attempts to present a means for
determining which events are important enough to record and analyze,
and does not succeed very well. The latter portion, on considerations
for intrusion detection system (IDS) architecture is much more useful.
Chapter ten starts out with a look at a variety of attempts at
interoperability between intrusion detection vendors (making me think
of the bygone days of standardized virus signature files: the
availability of standards is shown to be problematic) and then tenders
some ideas about suspicious types of traffic, finishing with a few
thoughts on database queries and data reduction. A number of IDSes
are described in chapter eleven, although the level of detail, and
even the general writeup structure, varies greatly.
Chapter twelve seems to be out of place: the prediction about the
future usually happens at the end of the book. Exploits, denial of
service, and scan patterns are described in chapters thirteen,
fourteen, and fifteen, repeating some of the material from chapters
five and seven. Although interesting, not all of the content would be
helpful to analysts or IDS administrators. Signatures related to the
use of RPC (Remote Procedure Calls) as an attack tool are given in
chapter sixteen. Chapter seventeen describes various options for
filtering traffic for or with TCPdump. A "cracking" session, after a
system has been penetrated, is presented in limited detail in chapter
eighteen. In this case we are presented with a log of UNIX shell
commands, and, rather ironically, a great deal more exegesis than is
available in other sections (although the attempts at humour do
confuse the issue, here and elsewhere in the book). A discussion of
blackhat communities and resources has been added in this edition. A
"detection" is outlined in chapter nineteen, but with a supremely
anticlimactic ending: the summary admits that no reason for the
anomalous traffic has been found.
Chapter twenty reviews some basic security topics, such as policy
development and risk assessment, but in a very simplistic and terse
fashion. A number of possible responses to an intrusion are outlined
in chapter twenty one. Chapter twenty two closes with suggestions on
ow to make a business case.
Those who need to know about intrusion detection should probably first
look at Bace's (cf. BKNTRDET.RVW) or Amoroso's (cf. BKINTDET.RVW)
books, both (somewhat annoyingly) titled "Intrusion Detection."
Because of the lack of structure in the work, this volume is not
usable as an overview introduction to the field, although the examples
do contain a great deal of informative content: if you can dig it out.
For those who do have the basic concepts, the material does provide
numerous practical examples, and some real-life considerations for
copyright Robert M. Slade, 1999, 2002 BKNTINDT.RVW 20021009
rslade@... rslade@... slade@... p1@...
Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
November 25, 2002 November 29,2002 Toronto, ON, Canada
December 16, 2002 December 20,2002 San Francisco, CA
February 10, 2003 February 14, 2003 St. Louis, MO