Secure Fundamentals
Network Intrusion Detection: Third Edition builds the foundation for an informed network security analyst.
- By T. Brian Granier
- March 01, 2003
With global concerns about terrorism, many organizations have identified
the need to strengthen the technical security of their infrastructure. To
meet the demand for more thorough information security toolsets, intrusion
detection systems, among other tools, have evolved quickly over the past few
years.
Network Intrusion Detection: Third Edition provides the
information necessary to understand the purpose, capabilities and limitations
of these devices. This book is the culmination of the common body of knowledge
available in the industry and is presented in a manner capable of jump-starting
the career of security analysts everywhere.
Beginning with the fundamentals of TCP/IP theory, the book lays the
groundwork an intrusion analyst needs to understand and interpret his or
her network. With this information, you can follow a packet stream and
decide whether an activity is normal or abnormal. This sounds like a
daunting amount of information to absorb, but the book identifies what
matters most in the TCP/IP standards, conveys what a network intrusion
analyst needs to know, and presents it clearly and concisely.
By the time you reach the second section, you're ready to dig in and
look for unusual behavior on your network; but how do you look at it, and
what should you look for to find attacks? First, the authors cover tcpdump,
an application for looking at raw packet data on your network. Windows
users need not be afraid; they can apply the same information with windump.
The second section finishes by going over the protocol headers: how they
can be manipulated to perform an attack, how header fields can be used to
infer intent, and how they can reveal specific information about the host
that most likely generated the packet.
Now that you have a grounding in TCP/IP theory and in the aspects of network
packets that can be used to derive information about a potential attack,
it's time to build and configure your intrusion detection system. The
authors cover tcpdump filters, which extract the network traffic that fits a
very precise signature, and show how Snort signatures are written to look
for network attacks. With this information, an analyst can quickly sort
through mounds of network traffic to find what is relevant. This is the heart
of modern signature-based intrusion detection systems.
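As an added illustration of the header checks and byte-offset filters the review describes in the last two paragraphs (this is example code written for this page, not material from the book, tcpdump or Snort), the Python below builds a few constructed IPv4/TCP headers, parses the fields an analyst looks at, and applies tests equivalent to tcpdump expressions such as `tcp[13] & 0x03 = 0x03`. The TTL rounding at the end is a crude passive fingerprint of the sending host's stack; it assumes the common initial TTL values of 64, 128 and 255 and a path of well under 64 hops.

```python
import struct

# TCP flag bits as laid out in the 13th byte of the TCP header (tcp[13]).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_packet(src, dst, sport, dport, flags, ttl=64):
    """Build a minimal IPv4 + TCP header pair. Constructed sample input only:
    checksums are left zero and no payload is attached."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, ttl, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp


def parse(pkt):
    """Pull the fields an analyst filters on out of raw IPv4/TCP header bytes."""
    ihl = (pkt[0] & 0x0F) * 4          # IP header length in bytes, honours IP options
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "ttl": pkt[8],
        "sport": sport,
        "dport": dport,
        "flags": tcp[13],              # the byte tcpdump addresses as tcp[13]
    }


# Each entry pairs a tcpdump filter expression with the equivalent Python test.
# The first three are flag combinations no conforming TCP stack ever sends.
FILTERS = [
    ("tcp[13] & 0x03 = 0x03",                                       # SYN+FIN probe
     lambda p: (p["flags"] & (SYN | FIN)) == (SYN | FIN)),
    ("tcp[13] = 0",                                                 # NULL scan
     lambda p: p["flags"] == 0),
    ("tcp[13] & 0x29 = 0x29",                                       # XMAS scan (FIN+PSH+URG)
     lambda p: (p["flags"] & (FIN | PSH | URG)) == (FIN | PSH | URG)),
    ("tcp[13] = 0x02 and dst port 0",                               # SYN to port 0
     lambda p: p["flags"] == SYN and p["dport"] == 0),
]


def matches(pkt):
    """Return the filter expressions a single packet satisfies."""
    p = parse(pkt)
    return [expr for expr, test in FILTERS if test(p)]


def guess_initial_ttl(ttl):
    """Round an observed TTL up to the nearest common initial value (64, 128, 255);
    a crude passive fingerprint of the sending stack. Assumes fewer than 64 hops."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial


SAMPLE = [  # constructed packets, not captured traffic
    build_packet("10.0.0.5", "10.0.0.9", 40000, 80, SYN),                      # ordinary connect
    build_packet("10.0.0.5", "10.0.0.9", 40000, 80, SYN | FIN),                # SYN+FIN probe
    build_packet("10.0.0.7", "10.0.0.9", 40001, 22, 0),                        # NULL scan
    build_packet("10.0.0.7", "10.0.0.9", 40002, 22, FIN | PSH | URG, ttl=120), # XMAS scan
]


def triage(packets):
    """Sort a list of packets into filter hits: (src, dst port, expression, likely initial TTL)."""
    hits = []
    for pkt in packets:
        p = parse(pkt)
        for expr in matches(pkt):
            hits.append((p["src"], p["dport"], expr, guess_initial_ttl(p["ttl"])))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

The point of keeping the tcpdump expression next to each test is that the same byte-offset logic can be pasted straight into a `tcpdump -n 'tcp[13] & 0x03 = 0x03'` invocation on a live interface, which is exactly how an analyst narrows a capture to packets that match a precise signature before reading them by hand.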
The fourth and final section of the book steps back from the nitty-gritty
and covers higher level topics related to intrusion detection. This includes
network architecture, business issues, and the authors' take on the future
of the intrusion detection community. This material is essential for using
the knowledge gained from the previous sections, correctly applying it
in your environment and knowing the consequences of your decisions.
This book is one of the best organized and most relevant technical books
I've ever read. The information provides the timeless theories that intrusion
analysts must understand and is littered with practical, real-world examples.
Although the authors don't go into detail about how to use any commercial
IDS product, the knowledge gained applies to anyone responsible
for advanced security analysis in any network. The
only downside to this book I can think of is that it lacks a companion
CD-ROM with a PDF version of the book and practical examples for the reader
to apply what they've learned.
About the Author
T. Brian Granier, CCNA, MCSE, MCP+I, A+, has been working in the computer industry since 1995. After receiving a degree in computer engineering technology from the University of Houston in 1999, Brian joined Zebec Data Systems Inc., where he currently serves as the information security architect. His current projects involve major infrastructure revisions and technical security improvements in accordance with federal HIPAA regulations.