Susan Lauber
INLS187 – Fall 2004
Book Review

Title: The Tao of Network Security Monitoring, Beyond Intrusion Detection.
Author: Richard Bejtlich
Publisher: Addison-Wesley, Paperback, Published July 2004, 798 pages
ISBN: 0321246772

The concept of Network Security Monitoring (NSM) is not about how to use tools but rather about what type of tools to use and the process of monitoring a network.

The book is modular, so it is easy to jump around and use as a reference. There are many screen shots, command outputs, and case study descriptions, making it easy for the reader to visualize applications of the information presented. The system trace files are available on the author's web site and can be used to duplicate the text examples. Most tools are open source and can be run from a live CD-ROM distribution such as FreeSBIE or Knoppix.

The book is divided into five main areas:

The author stays focused on network monitoring rather than system monitoring, and limits the coverage of intrusion detection systems. The author does, however, provide many references to additional information available in those fields.

The preface includes a prerequisites section that suggests several resources for learning general security concepts, system intrusion detection, and TCP/IP concepts. This book shows TCP/IP packets (or at least the headers of TCP/IP packets), uses basic intrusion tools such as Ethereal, and concentrates on network security rather than system security. One of the books recommended is the text of INLS187, and others correspond to the topics of the SILS course on TCP/IP. Later in the text (Part IV), the author suggests several of the Hacking Exposed series for training on what he calls “weapons and tactics”, as well as books by Bruce Schneier for training on “management and policy”. There is also an appendix that covers the history of network security monitoring. The author calls it a “collection of formal papers” (p685), and each entry has citation information (most are available online), an abstract or abstract excerpt, and the author's view of the significance of the resource. Some also have the author's view of highlights from the resource.

Part I of the book sets up how and where to collect network monitoring data. This includes dividing the network into zones and setting up data collection with hubs, SPAN ports, taps, and inline devices. Part II of the book is about network monitoring products. However, the author points out in this section: “It's easy to date a book by looking at the versions of software it discusses. When reading about the tools, concentrate on the types of data they collect and not the tool's version.” (p121). The first chapter in this section lays out the scenario that provides the trace data used in the examples for the tools. Products with a lot of coverage in other books are discussed here more in the context of features that help with NSM or that are less commonly known. These tools include libpcap, tcpdump, and Ethereal. Other less commonly known products include editcap, which is “useful for transforming trace files from one format to another” (p173), and mergecap, which combines multiple trace files into a single file. Both are shipped with Ethereal. There are also tools to replay captured packets (tcpreplay), to search packet contents (ngrep), and one with an interesting name (netdude, a visual packet editor and manipulator).
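To make the point about concentrating on the data type rather than the tool concrete, here is a small added example (not from the book, and not the editcap or mergecap code) that does in plain Python what mergecap does with libpcap trace files: it parses the 24-byte global header and 16-byte record headers of each file, accepts either byte order and either microsecond or nanosecond timestamps (the kind of format difference editcap is used to smooth over), and writes one merged file with the records in timestamp order. The two sample trace files are constructed inline; the packet bodies are filler bytes, not real frames.

```python
import struct

# libpcap magic numbers: microsecond and nanosecond timestamp resolution.
MAGIC_USEC = 0xA1B2C3D4
MAGIC_NSEC = 0xA1B23C4D


def parse_pcap(data: bytes):
    """Parse a libpcap file; return (link_type, [(timestamp_ns, packet_bytes), ...])."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    # Try little-endian then big-endian; the magic number reveals the writer's byte order.
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("not a libpcap file")
    frac_scale = 1000 if magic == MAGIC_USEC else 1  # convert fraction field to ns
    _major, _minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header")
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[off:off + 16])
        off += 16
        # A captured length beyond snaplen or beyond the file means a corrupt trace.
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("truncated or corrupt packet record")
        records.append((ts_sec * 10**9 + ts_frac * frac_scale, data[off:off + incl_len]))
        off += incl_len
    return linktype, records


def write_pcap(linktype: int, records, nanosecond: bool = False) -> bytes:
    """Serialise records as a little-endian libpcap file (snaplen 65535)."""
    magic = MAGIC_NSEC if nanosecond else MAGIC_USEC
    out = [struct.pack("<IHHiIII", magic, 2, 4, 0, 0, 65535, linktype)]
    for ts_ns, pkt in records:
        sec, rem = divmod(ts_ns, 10**9)
        frac = rem if nanosecond else rem // 1000
        out.append(struct.pack("<IIII", sec, frac, len(pkt), len(pkt)))
        out.append(pkt)
    return b"".join(out)


def merge_pcaps(*files: bytes) -> bytes:
    """Merge several trace files into one ordered by timestamp (mergecap's basic job)."""
    parsed = [parse_pcap(f) for f in files]
    linktypes = {lt for lt, _ in parsed}
    if len(linktypes) != 1:
        raise ValueError("link types differ: %r" % sorted(linktypes))
    # sorted() is stable, so records with equal timestamps keep their input order.
    records = sorted((r for _, recs in parsed for r in recs), key=lambda r: r[0])
    return write_pcap(linktypes.pop(), records)


def merged_order(*files: bytes):
    """Return [(timestamp_ns, first payload byte), ...] of the merged file, for checking."""
    _, recs = parse_pcap(merge_pcaps(*files))
    return [(ts, pkt[0]) for ts, pkt in recs]


def _make_sample(endian: str, nanosecond: bool, packets) -> bytes:
    """Build a constructed sample trace (link type 1 = Ethernet) for the demo."""
    magic = MAGIC_NSEC if nanosecond else MAGIC_USEC
    out = [struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, 65535, 1)]
    for ts_sec, ts_frac, pkt in packets:
        out.append(struct.pack(endian + "IIII", ts_sec, ts_frac, len(pkt), len(pkt)))
        out.append(pkt)
    return b"".join(out)


# Constructed inputs: a little-endian microsecond trace and a big-endian nanosecond trace.
SAMPLE_A = _make_sample("<", False, [(1, 500000, b"\x01" * 4), (3, 0, b"\x03" * 4)])
SAMPLE_B = _make_sample(">", True, [(2, 250_000_000, b"\x02" * 4)])

if __name__ == "__main__":
    for ts_ns, first_byte in merged_order(SAMPLE_A, SAMPLE_B):
        print("%.6f  packet marker %d" % (ts_ns / 1e9, first_byte))
```

Because the merge re-parses every record and validates the captured length against the snaplen and the file size, a truncated or hand-edited trace is rejected rather than silently producing a misordered file, which matters when the merged output is going to be read as evidence.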

The author primarily works with FreeBSD but does include some examples of tools on Microsoft systems and of tools built into hardware devices such as Cisco switches and routers. Readers should already be familiar with reading the output of a packet sniffer; however, there is an appendix with a review of protocol headers.

This book would be an excellent follow-on to the INLS187 course, particularly for those people with some background in *nix operating systems and TCP/IP headers. It is well written, easy to read, full of examples, and should not be dated too soon, since it is focused on general practices and not on specific all-in-one products.