49 Reviews
59 of 60 people found the following review helpful:
4.0 out of 5 stars
Best IDS book for hands-on implementors
This review is from: Network Intrusion Detection: An Analysts' Handbook (Paperback)
Of the 3 available intrusion detection texts, this is by far the best for someone who actually wants to do intrusion detection. It is breezy & chatty--like sitting down with a good friend (unfortunately, one who doesn't organize his thoughts very well and whose editor was apparently in a hurry). This is a bits & bytes book; it assumes some knowledge of TCP/IP and security concepts, but it accommodates non-specialists. It is useful for readers of varying levels of familiarity with Internet protocols. Northcutt provides an excellent introduction to the specific mechanisms of the most common network attacks, and offers the most cogent description I've seen of the [purported] Mitnick attack on Shimomura. I especially enjoyed his efforts at providing neophyte intrusion analysts with political advice. His insight that host-based IDS is technically superior to network-based, but politically impractical, is a gem of organizational wisdom.
47 of 47 people found the following review helpful:
5.0 out of 5 stars
Readable, intelligent, down-to-earth.
Amazon Verified Purchase
This review is from: Network Intrusion Detection: An Analysts' Handbook (Paperback)
Network Intrusion Detection is rare among technical books - it's comprehensive, accurate, interesting, and intelligent; it's got none of the "filler" chapters which seem to be prevalent in the genre. It's well worth the relatively small investment of time and money required to read and understand it. The author has "been there, done that," which gives him a perspective unavailable to professional technical authors who write about Java one month, CORBA the next, and will be assigned a firewall book after that. This book will be useful to people responsible for intrusion detection, people who manage them, and to people who need to understand attack techniques and the forensic tools needed to detect and document them. Highly recommended; it's in the same class as Cheswick & Bellovin's classic _Firewalls and Internet Security_.
37 of 37 people found the following review helpful:
5.0 out of 5 stars
Northcutt hits the ball out of the park!
This review is from: Network Intrusion Detection: An Analysts' Handbook (Paperback)
I am the chief of a 15 person intrusion detection team, with responsibility for centralized, around-the-clock monitoring of a global network. I believe I have enough experience to claim Stephen's book is first rate and sorely needed. His reconstruction of a Christmas Eve system compromise and his analysis of Kevin Mitnick's TCP hijack of Tsutomu Shimomura's host are excellent case studies. His coverage of reset scans and other non-standard reconnaissance techniques prompted me to scour my traffic for the same events and write a paper on my findings. I do not agree with some of his conclusions on SYN ACK and reset scans, but his work made me investigate those topics. While I would have preferred slightly more explanation and examples of network traces (who wouldn't?), I hope this book begins a trend of sharing (sanitized) packet-level incident details within the IDS community. I recommended Stephen's book to every analyst on my flight and every person in my unit, and I plan to build in-house training around it. I guarantee every person with a technical leaning and a position on the front line of intrusion detection will appreciate Stephen's book. See you at SANS Network Security 99.
16 of 17 people found the following review helpful:
5.0 out of 5 stars
Thorough discussion of Intrusion Detection
By A Customer
This review is from: Network Intrusion Detection: An Analysts' Handbook (Paperback)
I read the book from cover to cover and found the book very useful and interesting. The author uses a lot of tongue-in-cheek humor and makes the subject very interesting with interesting examples and anecdotes. He also includes a lot of actual log files in his examples, which really makes the book practical and easy to understand. The book also talks about intelligence gathering techniques employed by hackers, the hacker community, and selling management on the idea of intrusion detection. As a network security professional I find myself grappling with the issue of convincing management to fund network security and will use the ideas of this author, who clearly has a lot of experience in getting funding from management. I was able to immediately apply some of the ideas and principles in the book to my benefit.
14 of 15 people found the following review helpful:
4.0 out of 5 stars
A readable and timely introduction to catching the bad guys
This review is from: Network Intrusion Detection: An Analysts' Handbook (Paperback)
When "Network Intrusion Detection" is made into a big-budget Hollywood movie, I see Harrison Ford starring in the Stephen Northcutt role. He's experienced and more than a little hard-bitten, he has no patience for the foolish and the ill-prepared, but he really knows his stuff. Plus, there's a gleam of playfulness in the way he tackles the bad guys. Think "Indiana Jones and the Back Doors of Quake." Seriously, Stephen Northcutt is a good writer. He's been there and he's done that, and this book is the summary of what he's learned so far about detecting and countering break-ins to a computer network. The book is quite current, documenting exploits as recent as early '99, which is both a plus and a minus. The plus is obviously the freshness and relevance of the content; the minus lies in the somewhat unpolished nature of the book, no doubt an artifact of speedy publication (typos abound, and organization could be improved). However, on balance, I'd recommend this book to anyone with an interest in computer security. It could also serve as an introductory textbook on hacking into networks, as Mr. Northcutt surely realizes.... But dark hackers already have their own "apprenticeship" system, as he points out, whereas the white-hat community needs books such as this for training analysts.
8 of 8 people found the following review helpful:
5.0 out of 5 stars
Full of depth!
This review is from: Network Intrusion Detection: An Analyst's Handbook (2nd Edition) (Paperback)
This book's coverage of intrusion detection exceeded my expectations. It covers not only technical information on various attacks, but it also contains valuable material on management issues. The topics on the Mitnick Attack, Filters and Signatures, Future Directions, DOS, and the Business Case for Intrusion Detection are particularly interesting and useful. Overall, this book is very well written and it will be useful to all of you who are network security practitioners or consultants.
13 of 15 people found the following review helpful:
5.0 out of 5 stars
Excellent breadth and depth of material on IDS
This review is from: Network Intrusion Detection (3rd Edition) (Paperback)
The next incarnation of the excellent network intrusion detection manual from SANS's Stephen Northcutt and Judy Novak is here. The book boasts an impressive amalgam of high-level issues (risk assessment, business case building, architecture design, etc.) with all the fun low-level details, all the way down to IP headers, tcpdump bit masks and writing snort rules. A super detailed chapter on the TCP/IP protocol suite is a great read for experts (as a refresher) and beginners (it might require some studying time for full comprehension, but it will come). Issues such as fragmentation, packet header formats, and OS fingerprinting all get a fair share of coverage. The stimulus-response metaphor, advocated by SANS, is fully represented in the book. Upon seeing a network packet, the analyst might want to identify it as being part of a stimulus (such as an incoming port scan), a response (such as an ICMP echo reply) or a third-party effect (backscatter from a DoS attack with your IP addresses used for spoofing). Two full chapters are devoted to writing snort IDS rules. The material is presented in an easy to learn manner, just as the rest of the book. Incident and intrusion response with a severity evaluation based on the SANS formula is described with some useful examples. Determining the severity of an attack is also part of the GCIA practical assignment. On the high-level side, some requirements for IDS sensors and consoles are defined in the book. In addition, many insights on selling IDS and security to management (a.k.a. "management fluffing") are described in the chapter "Business Case for Intrusion Detection." The chapter also contains tips for designing and building the IDS infrastructure, complete with project planning suggestions. The book is the closest to what one might call "a GCIA certification prep guide," if there were a possibility of creating a prep guide for such a rich and in-depth technical cert.
Apparently, some of the content (such as using tcpdump for intrusion detection) is identical to that of the GCIA course book (retailing for several times the price). However, the book shows a more complete picture than the coursebook, albeit with somewhat less detail. However, many detailed traffic analysis examples for scans, attacks and intelligence
Of particular interest for me was a chapter on the future direction of intrusion detection. New threats, analyst skill sets and tools, and even novel approaches to intrusion data analysis are outlined there.
Anton Chuvakin, Ph.D., GCIA is a Senior Security Analyst with a major information security company. In his spare time he maintains his security portal info-secure.org.
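The stimulus / response / third-party sorting this review describes, and the reset and SYN/ACK scans an earlier reviewer mentions, can be shown as code. What follows is an added example, not code from the book, from SANS or from either reviewer: the monitored range (HOME_NET), every address and every packet are constructed for the demo using RFC 5737 documentation networks, and the `tcp[13]` expression is the standard tcpdump bit mask over the TCP flags byte.

```python
"""Stimulus / response / third-party classification of observed packets.

Added example, not code from the book or the reviewers: it applies the
SANS stimulus-response idea to a few constructed packet records.  HOME_NET,
every address and every packet below are assumptions made for the demo.
"""
import ipaddress

HOME_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed monitored range

# TCP flag bits live in byte 13 of the TCP header, the byte tcpdump's classic
# filter 'tcp[13] & 0x3f = 0x02' (SYN only) masks on.  0x3f drops CWR/ECE.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_MASK = 0x3f
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


def tcpdump_flag_filter(wanted, mask=FLAG_MASK):
    """tcpdump bit-mask expression matching packets whose masked flag byte
    equals `wanted` (e.g. SYN-only probes, or SYN/ACKs for backscatter hunting)."""
    return f"tcp[13] & 0x{mask:02x} = 0x{wanted:02x}"


def _is_home(addr):
    return ipaddress.ip_address(addr) in HOME_NET


def classify(packets):
    """Return one verdict per packet, in arrival order.

    Packets leaving HOME_NET that open an exchange (TCP SYN, ICMP echo
    request) are remembered as stimuli we sent.  Inbound packets become:
      'stimulus'    - opens an exchange toward us (SYN-only, echo request)
      'response'    - belongs to an exchange we opened
      'third-party' - looks like an answer, but we asked nothing: SYN/ACK or
                      RST backscatter from a spoofed flood, a SYN/ACK or reset
                      scan, an unsolicited echo reply.  Telling those apart is
                      analyst work; this toy only flags them as unsolicited.
      'other'       - traffic this toy does not model (internal, mid-stream)
    """
    sent = set()  # (proto, home_ip, home_port, remote_ip, remote_port)
    verdicts = []
    for p in packets:
        out = _is_home(p["src"]) and not _is_home(p["dst"])
        inb = _is_home(p["dst"]) and not _is_home(p["src"])
        v = "other"
        if p["proto"] == "tcp":
            flags = p["flags"] & FLAG_MASK
            if out:
                if flags == SYN:
                    sent.add(("tcp", p["src"], p["sport"], p["dst"], p["dport"]))
                    v = "outbound-stimulus"
            elif inb:
                key = ("tcp", p["dst"], p["dport"], p["src"], p["sport"])
                if flags == SYN:
                    v = "stimulus"
                elif key in sent:
                    v = "response"
                elif flags & (SYN | RST):
                    v = "third-party"
        elif p["proto"] == "icmp":
            if out and p["icmp_type"] == ICMP_ECHO_REQUEST:
                sent.add(("icmp", p["src"], None, p["dst"], None))
                v = "outbound-stimulus"
            elif inb and p["icmp_type"] == ICMP_ECHO_REQUEST:
                v = "stimulus"
            elif inb and p["icmp_type"] == ICMP_ECHO_REPLY:
                asked = ("icmp", p["dst"], None, p["src"], None) in sent
                v = "response" if asked else "third-party"
        verdicts.append(v)
    return verdicts


def summarize(verdicts):
    """Count verdicts: the first figure an analyst would glance at."""
    counts = {}
    for v in verdicts:
        counts[v] = counts.get(v, 0) + 1
    return counts


def tcp(src, sport, dst, dport, flags):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


def icmp(src, dst, icmp_type):
    return {"proto": "icmp", "src": src, "dst": dst, "icmp_type": icmp_type}


# Constructed sample traffic (not a real capture).
SAMPLE_PACKETS = [
    tcp("192.0.2.10", 40000, "203.0.113.5", 80, SYN),          # we open a connection
    tcp("203.0.113.5", 80, "192.0.2.10", 40000, SYN | ACK),    # their answer
    tcp("203.0.113.9", 31337, "192.0.2.20", 22, SYN),          # inbound probe
    tcp("198.51.100.7", 80, "192.0.2.33", 12345, SYN | ACK),   # backscatter / SYN-ACK scan
    tcp("198.51.100.8", 443, "192.0.2.34", 5555, RST | ACK),   # backscatter / reset scan
    icmp("192.0.2.10", "203.0.113.5", ICMP_ECHO_REQUEST),      # our ping
    icmp("203.0.113.5", "192.0.2.10", ICMP_ECHO_REPLY),        # its reply
    icmp("198.51.100.9", "192.0.2.40", ICMP_ECHO_REPLY),       # reply nobody asked for
    tcp("203.0.113.5", 80, "192.0.2.10", 40000, PSH | ACK),    # data on our connection
]

if __name__ == "__main__":
    for p, v in zip(SAMPLE_PACKETS, classify(SAMPLE_PACKETS)):
        print(f"{v:18} {p['src']} -> {p['dst']}")
    print(summarize(classify(SAMPLE_PACKETS)))
    print("SYN-only probes:", tcpdump_flag_filter(SYN))
```

The point of the state table is that the verdict depends on what the sensor has already seen leave the network: the same SYN/ACK is a response if we sent the SYN and a third-party effect if we did not, which is why a sensor that only sees inbound traffic cannot make this call. Whether an unsolicited SYN/ACK or RST is backscatter or a deliberate SYN/ACK or reset scan is exactly the judgement the reviewers disagree with the book about, so the code leaves it as one bucket.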
27 of 35 people found the following review helpful:
3.0 out of 5 stars
Fair book on IDS: good content, poor writing & delivery
By Zizzed (Portland, OR United States)
Amazon Verified Purchase
This review is from: Network Intrusion Detection: An Analyst's Handbook (2nd Edition) (Paperback)
I purchased this book for our office. My firm specializes in installing, tuning, and managing intrusion detection systems. This book had come highly recommended from some sources. As a network security consultant and a writer, I was not very impressed with this book. First, the information is a bit dated. It also focuses a great deal of its content on teaching readers how to use TCPDump, which is merely a kind of protocol analyzer (sniffer). The other problem with this book is the abysmal writing. The information is very poorly structured. Topics jump around from concept to concept, often looping back and readdressing issues and expanding upon unmentioned ones. This also leads to sections that are far longer than they need to be. For example, the first section on basic networking spends an awful lot of time explaining very simple concepts. Furthermore, I became rather annoyed with the writer's constant editorializing about various facts or concepts. In my opinion, a book of this nature should be consumed with presenting an unbiased and scientific approach to security issues. However, the material is full of blatant biases and thinly veiled presentation of opinions as fact. I particularly enjoyed the preface, which makes it clear that the authors consider the GIAC databases to be the only "true" signature databases. Quantity of signatures does not mean quality... just because GIAC has a zillion signatures does not mean they are all useful. The authors also have a clear bias toward Snort, which is an excellent IDS, but not a tool for the average consumer. Snort is very difficult to use and will quickly deplete the resources of most IT departments. In this way, the authors show their lack of experience working on and supporting real networks where budgets are tight, training is sparse, and responsibilities are numerous. Nevertheless, there is some valuable information in the book.
Once you penetrate the annoying preface, the condescending first chapter, and the TCPdump marketing brochure 2nd chapter, the material improves considerably. The next few chapters are far better, with detailed information about architectural issues, protocols, and how hacks are done. I gave this book 3 stars because the bulk of the content is quality material, just delivered poorly. I wish the authors would hire a competent ghost writer or editor to clean up the material, remove the editorializing, and focus on delivering content more effectively.
5 of 5 people found the following review helpful:
5.0 out of 5 stars
Easy to read and VERY practical
By Garry Coldwells Intrusion.com (Canada, Toronto)
This review is from: Network Intrusion Detection: An Analyst's Handbook (2nd Edition) (Paperback)
Stephen Northcutt and his co-authors have put together an easy to read and very comprehensive work. Extensive use is made of humour, graphics and anecdotes to drive home key concepts. The material begins with simple concepts and delves gradually deeper into the more complex ones. This allows the reader to build up and get all of the coverage of this critical subject that will allow them to understand how important intrusion detection is within network security.
5 of 5 people found the following review helpful:
5.0 out of 5 stars
The ultimate security analyst handbook!!
This review is from: Network Intrusion Detection: An Analyst's Handbook (2nd Edition) (Paperback)
After sifting through virtually tons of security text and documentation, one name seems to pop up all the time: Stephen Northcutt. So, I purchased this book (based upon his experience and work with Shadow) and needless to say, I was very impressed. Not only did I immediately put his methodologies to work on our current environment, but it provided me with a vast amount of detailed information to catapult me into even deeper security topics, as well as help me get going with my preparation for the CISSP exam... A killer handbook no security analyst (or network/systems administrator, for that matter) should do without!! Awesome job!
Network Intrusion Detection: An Analyst's Handbook (2nd Edition) by Stephen Northcutt (Paperback - September 22, 2000)