Computing Reviews
The tao of network security monitoring : beyond intrusion detection
Bejtlich R., Addison-Wesley Professional, 2004. Type: Book (9780321246776)
Date Reviewed: Mar 7 2005

If you are starting network security monitoring (NSM) inside your organization, are considering an NSM provider, or want to review how you monitor network security, this book will be a close friend. Be prepared to look at very technical details. If you just want an idea of the NSM basics, you will have to sift through other information to find it. The book contains six parts: an introduction to NSM, NSM products, NSM processes, NSM people, the intruder versus NSM, and appendices.

The first part, an introduction to NSM, contains three chapters, covering the security process, what NSM is (and what it is not), and deployment considerations. The first chapter reminds the reader of the purpose of NSM. The second chapter sets the scene by defining what NSM is, and also what it is not. The third chapter dives deep into the technical elements of NSM, including taps, span ports, filtering bridges, and device polling versus interrupt driven actions. All of these elements matter a lot in NSM, and they are often learned the hard way. For readers starting with NSM, chapter 3 will save lots of time and money.

Part 2 contains seven chapters, covering the reference intrusion model (chapter 4), full content data (chapter 5), additional data analysis (chapter 6), session data (chapter 7), statistical data (chapter 8), and alert data (chapters 9 and 10). The reference model (chapter 4) is based on a described hypothetical attack, and how it could be observed via NSM. Full content data (chapter 5) introduces some of the basic workhorses of NSM: tcpdump, tethereal, ethereal, and snort as a packet logger. The tools for additional data analysis (chapter 6) are built on top of the basic capturing tools, and support analysts in their search for what is happening or has happened. Some allow arbitrary packet creation, graphical views, system identification, or trace manipulation. Once two communicating parties have been isolated as interesting, the sessions (chapter 7) between them should be investigated. This is where session tools come in handy, since analysts are otherwise confronted with too much information. Statistical data (chapter 8) can help spot anomalies that need further investigation. Bro and Prelude (chapter 9) are two network intrusion detection systems (IDS). Snort is not discussed in depth, since it has been extensively documented already. Sguil (chapter 10) builds on an IDS (snort) and full content data to provide support for the collection, analysis, validation, and escalation of NSM information.
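To make the layering of NSM data types described in part 2 concrete, here is an added example (my own code, not the book's or the reviewer's) that derives session records and simple statistics from constructed full-content packet records; the record layout, field names and sample addresses are assumptions.

```python
# Added example: full content -> session data -> statistical data.
# Packet records are constructed: (timestamp, src, sport, dst, dport, proto, bytes).
from collections import defaultdict

PACKETS = [
    (1.0, "10.0.0.5", 40001, "192.0.2.10", 80, "tcp", 60),
    (1.1, "192.0.2.10", 80, "10.0.0.5", 40001, "tcp", 1400),
    (1.2, "10.0.0.5", 40001, "192.0.2.10", 80, "tcp", 52),
    (2.0, "10.0.0.7", 53000, "192.0.2.53", 53, "udp", 70),
    (2.1, "192.0.2.53", 53, "10.0.0.7", 53000, "udp", 120),
    (3.0, "10.0.0.5", 40002, "192.0.2.10", 443, "tcp", 60),
]

def session_key(pkt):
    """Canonical bidirectional 5-tuple so both directions map to one session."""
    _, src, sport, dst, dport, proto, _ = pkt
    a, b = (src, sport), (dst, dport)
    if a > b:
        a, b = b, a
    return (proto, a, b)

def build_sessions(packets):
    """Session data: one record per conversation with timing, packet and byte counts."""
    sessions = {}
    for pkt in sorted(packets):  # sorted by timestamp (first tuple field)
        ts, src, sport, dst, dport, proto, size = pkt
        key = session_key(pkt)
        if key not in sessions:
            # The first packet seen defines the originator (client) of the session.
            sessions[key] = {"proto": proto, "client": src, "server": dst,
                             "service": dport, "start": ts, "end": ts,
                             "packets": 0, "bytes": 0}
        s = sessions[key]
        s["end"] = max(s["end"], ts)
        s["packets"] += 1
        s["bytes"] += size
    return sessions

def top_talkers(sessions, n=3):
    """Statistical data: bytes per originating host, a summary used to spot anomalies."""
    totals = defaultdict(int)
    for s in sessions.values():
        totals[s["client"]] += s["bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def service_counts(sessions):
    """Statistical data: how many sessions each (proto, service port) attracted."""
    counts = defaultdict(int)
    for s in sessions.values():
        counts[(s["proto"], s["service"])] += 1
    return dict(counts)
```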

Part 3, about NSM processes, contains two chapters, covering best practices (chapter 11) and case studies for managers (chapter 12). Chapter 11 follows the security life cycle approach: assessment, protection, detection, and response, after which the cycle is repeated. There are two case studies presented in chapter 12 that describe a realistic set-up. These are supposed to be for managers, but such managers would have to be very technology-savvy. One of the last sentences in this chapter says: “Effective security rests with the people who must implement it.” This statement expresses clearly an important message of this book.

Part 4, on NSM people, starts with analyst training programs (chapter 13), and then continues on with discovering DNS (chapter 14), harnessing the power of session data (chapter 15), and packet monkey heaven (chapter 16). The analyst training program (chapter 13) is clearly about the people. The required training exposes the author’s view on what an NSM analyst is: she needs to master weapons and tactics, telecommunications, system administration, scripting and programming, and management and policy. The domain name system (DNS) is used as a case study to show various aspects of the job. Session data (chapter 15) can help find out if a real compromise has happened, what the intruder did, and which systems are affected. Packet monkeys (chapter 16) play with transmission control protocol/Internet protocol (TCP/IP) packet headers, looking for anomalies or things like covert channels.

The last part discusses the intruder versus NSM. NSM is a system that itself can be attacked (chapter 17). What are the tools that can make the analyst’s life difficult? More importantly, how can the analyst recognize the use of such a tool, to thwart the attack? Tools keep changing, but tactics (chapter 18) have a much longer life: promote anonymity, evade detection, appear normal, and degrade or deny collection. Each is further refined in this chapter, and examples are added. The epilogue discusses the future of NSM.

The book contains a lot of detailed, valuable information. It does not try to sell any particular product, but instead presents the pros and cons of many. It covers all the relevant material, leaving out information that has been the subject of other books. It expects a broad background in network security.

The author refers to actual experience and cases. The main objective is to make the reader good at NSM, using whatever tools are available to do the job, in the best available way. The author does have a clear bias toward open source tools and FreeBSD, but commercial systems are mentioned as well.

Reviewer:  A. Mariën Review #: CR130923 (0512-1286)
