A.P. Lawrence

Network Intrusion Detection

• Stephen Northcutt & Judy Novak
• New Riders
• 0735710082

Order (or just read more about) Network Intrusion Detection  from Amazon.com

This is NOT a general security book. It is very specifically what the title says it is: a book about detecting network activity.

The authors write in an easy to read, conversational style. Everything is explained extremely well, unlike so many technical books which presume prior knowledge. Sometimes that can be a little maddening- for example, they devote two entire pages to explaining how a logical AND is used to extract bit fields. I can't imagine anyone actually interested in this subject who wouldn't already understand that, but I suppose it is better to have too much explanation rather than too little. This is the first place I've seen a lucid explanation of the infamous "Mitnick" attack- most references assume that you will instantly comprehend the weakness of predictable sequence numbers. This book completely explains the exploit from start to finish. Smurf, Ping of Death, and Teardrop attacks are also completely explained.

The text includes numerous tcpdump examples which are fully commented and explained. Whenever some part of the dump is particularly important, that part is shown in bold. You can learn quite a bit about just tcpdump alone from these examples.

As I was reading this, I was again reminded that the security weaknesses that have caused so much trouble are all due to bad code and/or just plain dumb design. For example, many real attacks have used spoofed IP addresses. Why should a router pass a packet that cannot have legitimately originated on the interface it came in on? It shouldn't. Why should network stacks accept packets with bits set that shouldn't be set? They shouldn't. Why should code assume that unimplemented bits will be zero? It shouldn't. The authors are certainly aware of these issues, and even devote some editorializing to such things. It's therefor rather amazing that they give code examples to detect attacks where the detect is badly coded- testing a bit field with an XOR rather than masking with AND, for example. The authors note the problem- I'm just surprised that such code was even used as an example- that might be of value for illustrative purposes (don't make THIS mistake), but that's not how it was presented.

However, this is a very worthwhile read. I think I would have organized the chapters differently - you might like to start at chapter 9 and then pickup 1 through 8 after you finish the book - but I read it through twice cover to cover and I'm quite sure I'll be thumbing through it again.

Publish your articles, comments, book reviews or opinions here!

Psst - Wanna work for yourself?

Comments


Add your comments

Why no "Digg this!" etc.?

Need eyes on the ground at your customer's site?
Installation and light training Boston and New England
Reliable and experienced, punctual and professional.

Enter your email address for automatic notification of new posts here
(be sure to whitelist 'feedburner.com' if you use spam filtering)

Unix and Linux Support

Have you tried Searching this site?

Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more. We appreciate comments and article submissions.

Publishing your articles here