Authors: Stephen Northcutt and Judy Novak
Publisher: New Riders
Available for download is chapter 10 entitled “Real-World Analysis”.
As computer networks become more widely used, people are taking every aspect of computer security more seriously, or at least they should. This book is here to teach us what network intrusion detection is all about. Although intrusion detection is only one part of the security architecture that should be present on a network, it is an extremely important one, and the authors make sure you understand why and learn how to use it to strengthen your defenses.
About the authors
Stephen Northcutt is the co-author of Incident Handling Step by Step, Intrusion Signatures and Analysis, Inside Network Perimeter Security, and the previous two editions of this book. He was the original author of the Shadow intrusion detection system and leader of the Department of Defense’s Shadow Intrusion Detection team before accepting the position of Chief for Information Warfare at the Ballistic Missile Defense Organization. Stephen currently serves as Director of Training and Certification for the SANS Institute.
Judy Novak is currently a senior security analyst working for Jacob and Sundstrom, Inc. She primarily works at the Johns Hopkins University Applied Physics Laboratory, where she is involved in intrusion detection, traffic monitoring and Information Operations research. Judy was one of the founding members of the Army Research Labs Computer Incident Response Team, where she worked for three years. She has contributed to the development of a SANS course in TCP/IP and written a SANS hands-on course, Network Traffic Analysis Using tcpdump, both of which are used in SANS certification tracks.
An interview with Judy Novak is available here.
Inside the book
“Network Intrusion Detection” is divided into five parts: TCP/IP, Traffic Analysis, Filters/Rules for Network Monitoring, Intrusion Infrastructures and Appendixes. The book starts at the basics and the authors slowly work their way up.
The first part, TCP/IP, differs from other TCP/IP texts in that it is not based purely on theory but on how packets actually behave on the network. If you are new to TCP/IP you will benefit a lot from this very detailed first part. If you are a TCP/IP veteran, give it a look anyway; it is a good refresher. The topics covered are: the TCP/IP Internet model, the packaging of data on the Internet, physical and logical addresses, TCP/IP services and ports, the Domain Name System and routing. Moving on, you learn to use the analysis tool tcpdump, complemented by a discussion of one of the most common protocols, TCP.
Since it is important for a system administrator to be acquainted with the techniques attackers use to penetrate networks and hide their activity, there is a chapter dedicated to fragmentation. Fragmentation is used both to mask probes and exploits from a sensor and to deliver them, so the importance of this part of the book is clear. You learn to analyze fragmented traffic and decide whether it is ordinary fragmentation (a datagram larger than the path MTU) or something crafted, such as overlapping fragments or a first fragment too small to carry the whole TCP header.
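To make the distinction concrete, here is an added example (written for this review, not code from the book or its authors) that builds a few constructed IPv4 fragment trains and sorts them into ordinary fragmentation and the crafted kinds the chapter warns about: a tiny first fragment that splits the TCP header, overlapping fragments, a train whose reassembled size would exceed 65535 bytes, and a train with no offset-0 fragment. The `is_fragment` check is the same test as the classic tcpdump filter `ip[6:2] & 0x3fff != 0`; the packet builder and the sample traffic are assumptions for the demonstration.

```python
"""Added example: classify IPv4 fragment trains as ordinary or suspicious."""
import struct
from collections import defaultdict

IP_MF = 0x2000            # More Fragments bit in the 16-bit flags/offset field
IP_OFFSET_MASK = 0x1FFF   # 13-bit fragment offset, in 8-byte units
TCP_HEADER_LEN = 20


def build_ipv4(src, dst, ident, proto, mf, offset, payload):
    """Build a minimal IPv4 packet (checksum left zero; constructed test data)."""
    assert offset % 8 == 0, "fragment offsets are in 8-byte units"
    flags_frag = (IP_MF if mf else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), ident, flags_frag,
                         64, proto, 0, src, dst)
    return header + payload


def parse_ipv4(pkt):
    """Decode the header fields that fragment analysis needs from a raw packet."""
    (vihl, _tos, total_len, ident, flags_frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {
        "src": src, "dst": dst, "id": ident, "proto": proto,
        "mf": bool(flags_frag & IP_MF),
        "offset": (flags_frag & IP_OFFSET_MASK) * 8,
        "payload": pkt[ihl:total_len],
    }


def is_fragment(hdr):
    # Equivalent to the tcpdump filter  ip[6:2] & 0x3fff != 0
    return hdr["mf"] or hdr["offset"] != 0


def analyze_fragments(packets):
    """Return {(src, dst, id, proto): [issue, ...]} for each fragment train.
    An empty issue list means the train looks like ordinary fragmentation."""
    trains = defaultdict(list)
    for pkt in packets:
        hdr = parse_ipv4(pkt)
        if is_fragment(hdr):
            trains[(hdr["src"], hdr["dst"], hdr["id"], hdr["proto"])].append(hdr)

    findings = {}
    for key, frags in trains.items():
        frags.sort(key=lambda h: h["offset"])
        issues = []
        first = frags[0]
        if first["offset"] != 0:
            issues.append("no first fragment seen")
        elif (first["proto"] == 6 and first["mf"]
              and len(first["payload"]) < TCP_HEADER_LEN):
            # The TCP flags land in a later fragment, so a filter that only
            # inspects offset-0 packets never sees them.
            issues.append("tiny first fragment splits the TCP header")
        end = 0
        for hdr in frags:
            if hdr["offset"] < end:
                issues.append("overlap at offset %d" % hdr["offset"])
            if hdr["mf"] and len(hdr["payload"]) % 8 != 0:
                issues.append("non-final fragment length not a multiple of 8")
            end = max(end, hdr["offset"] + len(hdr["payload"]))
        if end > 65535:
            issues.append("reassembled datagram would exceed 65535 bytes")
        if frags[-1]["mf"]:
            issues.append("train incomplete: last fragment still has MF set")
        findings[key] = issues
    return findings


def sample_packets():
    """Constructed sample traffic for the demonstration (not a real capture)."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    pkts = []
    # id 1: ordinary 1400-byte ICMP datagram split for a 576-byte path MTU
    pkts.append(build_ipv4(src, dst, 1, 1, True, 0, b"A" * 552))
    pkts.append(build_ipv4(src, dst, 1, 1, True, 552, b"A" * 552))
    pkts.append(build_ipv4(src, dst, 1, 1, False, 1104, b"A" * 296))
    # id 2: TCP with an 8-byte first fragment (only ports and sequence number)
    pkts.append(build_ipv4(src, dst, 2, 6, True, 0, b"B" * 8))
    pkts.append(build_ipv4(src, dst, 2, 6, False, 8, b"B" * 24))
    # id 3: UDP fragments that overlap by 8 bytes
    pkts.append(build_ipv4(src, dst, 3, 17, True, 0, b"C" * 16))
    pkts.append(build_ipv4(src, dst, 3, 17, False, 8, b"C" * 16))
    # id 4: final fragment placed so the datagram would exceed 65535 bytes
    pkts.append(build_ipv4(src, dst, 4, 1, False, 65528, b"D" * 16))
    # id 5: unfragmented packet, ignored by the analysis
    pkts.append(build_ipv4(src, dst, 5, 1, False, 0, b"E" * 32))
    return pkts


if __name__ == "__main__":
    for key, issues in analyze_fragments(sample_packets()).items():
        print("id=%d proto=%d:" % (key[2], key[3]),
              issues or "normal fragmentation")
```

Only the train with id 1 comes back clean; the other three each carry the issue that makes them worth an analyst's attention. Note that the overlap and size checks depend on seeing the whole train, which is exactly why a sensor that judges fragments one packet at a time can be fooled.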
The Internet Control Message Protocol (ICMP) also gets a detailed chapter of its own. Here you learn some theory, network mapping techniques, and more. One of the most interesting parts is the description of the malicious uses of ICMP.
Since many network intrusion detection systems produce a high number of false positives, you have to learn how to distinguish valid alarms from false positives. With a variety of examples the authors show what normal and abnormal traffic looks like.
As DNS servers are among the most common targets of exploitation attempts, the authors dedicate an entire chapter to the subject and explain why attackers may want to go after your DNS servers.
The second part of the book, "Traffic Analysis", covers packet dissection using tcpdump, examining IP header fields and embedded protocol header fields, real-world analysis and mystery traffic. The authors explain why packet dissection is important and give in-depth information on the subject; Ethereal is recommended as a good tool for decoding packets. When it comes to examining IP header fields, the authors illustrate how this knowledge comes in very handy when detecting problem packets or malicious traffic. The real-world analysis chapter looks at traffic from several viewpoints and brings many examples that show what traffic really looks like.
In the third part of the book, "Filters/Rules for Network Monitoring", the authors show how to write tcpdump filters and give an overview of how to use Snort and write Snort rules. This is where we realize how much the authors love Snort.
The fourth part of the book, "Intrusion Infrastructure", once again brings together several topics. In "The Mitnick Attack" the authors discuss one of the most famous intrusion cases ever, the attack by Kevin Mitnick on Tsutomu Shimomura's systems. In the chapter on architectural issues they consider some of the problems that intrusion detection builders and users face. Although this part is noted to be more theoretical than the others, it still presents real-world examples. The chapter on organizational issues covers the organizational security model and various risks and threats. If you are wondering what you can really do to defend yourself, there is a chapter dedicated to automated and manual response that will answer many of your questions.
The fifth and last part of the book consists of appendixes with information about exploits and the scans used to deliver them, Denial of Service, and the detection of intelligence gathering.
My 2 cents
What gives this book great value is the variety of examples drawn from intrusion detection mechanisms. This is much more helpful in understanding how things work than theory alone. All the material is presented clearly and each chapter builds on the previous one, which gives you practical insight into the world of network intrusion detection. This is a serious book intended for a serious audience.