book review

The Tao of Network Security Monitoring:
Beyond Intrusion Detection
Richard Bejtlich, Addison-Wesley, 2006, 798 pages
Reviewed By

Instead of The Tao, this book would have been more aptly titled The Art of War for network administrators. Your job as an aspiring network security guru is to distinguish the forest from the trees--to identify those few packets from an attacker hidden in a flood of normal traffic, much of it created by defective network applications. As Sun Tzu says: "Movement amongst the trees of a forest shows that the enemy is advancing."

In the first part of the book, the author, a former U.S. Air Force captain and former head of the Air Force Computer Emergency Response Team (AFCERT), writes as though drawing battle plans in the sand with his bayonet before the fight. Chapters have titles like "Deployment Considerations" and "Tactics for Attacking Network Security Monitoring." Appropriately so. The enemy is out there, waiting ... they are quiet ... too quiet.

The author says that the most salient controlling factors in protecting a network are:

  1. Points of vulnerability
  2. Capability of the enemy
  3. Motivation of the enemy
  4. Potential damage
  5. Opportunity

From what I gather, these five factors are drummed into every Air Force security person from day one. As the author says, even if you can fortify against each of these factors, it will not make your network safe; the best that can be achieved is an acceptable level of risk from external and internal attacks (and, it is hoped, minimal casualties among your personnel). The presentation is logical, consisting of a four-pronged defense:

  1. How to access the traffic (gathering intel)
  2. Network monitoring software (armaments)
  3. Network monitoring processes (tactics)
  4. People (the troops)

You might think that a military guy would use expensive DoD tools unavailable to mortal humans. Not so. He uses tcpdump, Ethereal, NetFlow, and Argus on FreeBSD. His enthusiasm for computers and networks is contagious. Readers who enjoy working with computers will appreciate this book. His advice is generally well-considered, but beginners might find they need some basic training before reporting for duty with this book.

He also describes intrusion detection systems including Snort, Bro, and Prelude. A variety of tools are needed to collect and analyze the different types of data (full content, session summaries, statistics, and alerts). The author recommends using command-line tools like tethereal (the command-line counterpart of Ethereal, known today as tshark) whenever possible. He also recommends performing traffic scrubbing on your network to simplify the task of identifying malicious traffic, and logging the full content of all traffic, since the full content is what every other form of network data is derived from. This advice is far more useful than that given by some other books that simply tell you to watch out for unusual packets.
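To make the relationship between full-content capture and the session data produced by tools like Argus or NetFlow concrete, here is an added example that is not code from the book or its author. It builds a small libpcap file from constructed Ethernet/IPv4 frames (checksums zeroed, RFC 5737 documentation addresses), parses it with only the Python standard library, and aggregates the packets into bidirectional session records. The sample traffic and the one-sided probe it contains are constructed for illustration; the flow-keying scheme and the `unanswered` heuristic are this example's own choices, not the book's.

```python
"""Derive Argus/NetFlow-style session records from a full-content pcap.
Constructed example; only little-endian microsecond pcap with Ethernet
link type is handled, which is enough for the sample built below."""
import struct

PCAP_MAGIC = 0xA1B2C3D4      # libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETH_P_IP = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def build_packet(src, dst, sport, dport, proto, payload=b"", flags=0x18):
    """Minimal Ethernet/IPv4/{TCP,UDP} frame. Checksums are left zero: this
    is sample input for a parser, not traffic meant to be transmitted."""
    if proto == IPPROTO_TCP:   # seq/ack 0, data offset 5 words, window 65535
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return b"\x00" * 12 + struct.pack("!H", ETH_P_IP) + ip + l4


def build_pcap(frames, base_ts=1700000000):
    """Wrap frames in a pcap file: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", base_ts + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap_bytes):
    """Yield (timestamp, frame bytes) for each record in the capture."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    linktype, = struct.unpack_from("<I", pcap_bytes, 20)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported pcap variant for this example")
    off = 24
    while off + 16 <= len(pcap_bytes):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap_bytes, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, pcap_bytes[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Return (src, dst, sport, dport, proto, payload_len), or None if not IPv4 TCP/UDP."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_IP:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    proto = frame[23]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    l4 = 14 + ihl
    if proto == IPPROTO_TCP and len(frame) >= l4 + 20:
        hdr_len = (frame[l4 + 12] >> 4) * 4
    elif proto == IPPROTO_UDP and len(frame) >= l4 + 8:
        hdr_len = 8
    else:
        return None
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return src, dst, sport, dport, proto, max(0, total_len - ihl - hdr_len)


def summarize_sessions(pcap_bytes):
    """Aggregate packets into bidirectional sessions keyed by (proto, lower
    endpoint, higher endpoint), recording counts, timing and who sent packets."""
    sessions = {}
    for ts, frame in iter_frames(pcap_bytes):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, proto, plen = parsed
        a, b = (src, sport), (dst, dport)
        key = (proto,) + (a + b if a <= b else b + a)
        s = sessions.setdefault(key, {"packets": 0, "payload_bytes": 0,
                                      "first": ts, "last": ts, "sources": set()})
        s["packets"] += 1
        s["payload_bytes"] += plen
        s["last"] = ts
        s["sources"].add(src)
    return sessions


def unanswered(sessions):
    """Sessions where only one side ever sent a packet: probes nobody answered."""
    return [k for k, s in sessions.items() if len(s["sources"]) == 1]


# Constructed sample traffic: a web exchange, a DNS lookup, and one lone SYN probe.
SAMPLE_PCAP = build_pcap([
    build_packet("10.0.0.5", "203.0.113.10", 51000, 80, IPPROTO_TCP, b"GET / HTTP/1.1\r\n\r\n"),
    build_packet("203.0.113.10", "10.0.0.5", 80, 51000, IPPROTO_TCP, b"HTTP/1.1 200 OK\r\n\r\n" + b"x" * 400),
    build_packet("10.0.0.5", "10.0.0.53", 40000, 53, IPPROTO_UDP, b"\x12\x34" + b"\x00" * 30),
    build_packet("10.0.0.53", "10.0.0.5", 53, 40000, IPPROTO_UDP, b"\x12\x34" + b"\x00" * 60),
    build_packet("198.51.100.7", "10.0.0.5", 4444, 31337, IPPROTO_TCP, flags=0x02),
])

if __name__ == "__main__":
    sessions = summarize_sessions(SAMPLE_PCAP)
    for key, s in sessions.items():
        print(key, s["packets"], "pkts", s["payload_bytes"], "bytes", sorted(s["sources"]))
    print("unanswered:", unanswered(sessions))
```

Five packets collapse to three session records, and the probe stands out immediately as the only session with a single talker. That is the point of keeping session data beside full content: the summary tells you where to look, and the full-content capture lets you see exactly what the attacker sent.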

For the most part, this book doesn't waste time describing how to install or configure software. It tells you what tools are available, and shows what information they provide. Two appendixes give a list of important literature in the field, and a brief description of protocol headers. A familiarity with Cisco IOS, Unix, and network protocols and packets is presumed. Some of the commands and utilities are FreeBSD-specific. The Linux- or Solaris-using reader must be able to figure out the corresponding management command for their OS. Even basic utilities like tcpdump behave slightly differently on the different OSs. This book is not recommended for administrators of Windows-based networks. The author makes no secret of his contempt for Windows as a server.

Now for the bad news. Many computer books these days are written in an abominable style, full of dated PCisms and awkward sentences. This book is unfortunately no exception. The text is verbose and repetitive in spots. The book starts out logically and clearly, but about halfway through the book, the author's brain seems to melt. He inexplicably puts DNS in the section on "Personnel". He breaks his promise of not wasting time teaching us how to install software. And his writing style suddenly fills up with annoying PCisms. Nowadays, using she and her as gender indeterminate pronouns, as the author does in the latter half of the book, is regarded simply as inferior writing style.

On balance, however, this is a useful book. Apart from the descriptions of monitoring tools, the most useful part of the book is the description of actual attacks, and how to recognize them. Most servers are frustratingly obtuse about providing information about attempted break-ins. Unfortunately, this section is where the presentation is the weakest. Apart from the bad writing style, most of the case studies are too simplistic. For example, one break-in consists of consultants noticing a bunch of odd things happening to their Windows PCs, such as CD trays opening and closing randomly. Conclusion: possible compromise. Action: reinstall Windows. Hey, even my boss could probably handle that.

Good points:

Bad points: