Originally Published: Thursday, 15 June 2000 Author: Paul Gray
Published to: interact_articles_lugs/Articles Page: 1/1 - [Std View]

LUG Book Review

CedarLUG's Paul Gray sent in a great review on New Rider's "Network Intrusion Detection, An Analyst's Handbook" by Stephen Northcutt.

This review was posted as a part of the LUG/Vendor incentive program, encouraging Vendors to participate with LUGs. If you're a vendor and want to encourage a LUG relationship, or if you currently participate with a LUG and want your product reviewed by one of the LUG members, contact Kara@linux.com.

Title: Network Intrusion Detection, An Analyst's Handbook Author: Stephen Northcutt Publisher: New Riders


It was not too long ago, and certainly an experience to remember. If you had ever shared in such an experience, you would know the tell-tale signs too. It coincides with a deep, sinking feeling; not in your stomach, but in the back of your head, bringing on the type of sensation that makes your vision a bit unfocused and makes your thoughts slightly more acute. Yes, those of you who have experienced this know all to well the emotions associated with the realization that an unwelcome guest has paid your system a visit.

That's right: "cracked!" An intruder had violated my system boundaries and had taken liberties with who-knows-what.

You can learn a lot from a cracker, especially in the newly-discovered time that you now find yourself with as you reinstall the operating system from the ground up. After pulling the remains of your system off onto a Jaz drive or 8mm tape, you are alone with a distribution CD and the screen showing the progress of the what used to be the system partitions being reformatted. So, while the disk is being formatted and the CD is spinning, there's plenty of time to educate yourself with the trails left behind by the cracker -- from the safety of a laptop -- that is not hooked up to the network -- that you will be returning to your buddy soon anyway.

As you may have guessed, this is not an academic program that I would recommend enrolling in. Instead, you may prefer to give yourself an education with Stephen Northcutt's book "Network Intrusion Detection, An Analyst's Handbook." This book, one of the many outstanding books from New Riders Publishing, clearly shows the insight of a seasoned networking professional and expert in the field of intrusion.

There are many books on the shelf that would claim to make you "cracker wise" but approach the subject material with too much of a superficial and passive approach to administration: run SATAN, install tripwire, etc. The approach taken by Stephen Northcutt is entirely different. The author's presentation of the material leaves the reader with the realization that the subject of the book, "Intrusion detection," is more preemptive than post mortem.

In the first chapter of the book, the author walks the reader through the infamous "Mitnick Attack," accompanied by a full breadth of illustrative comments on relevant TCP constructs, scans, and port/services liabilities. Not to fear; the discussion includes explanations on ways in which a savvy administrator could usurp the attack. Chapter 2, "Introduction to Filters and Signatures" provides another solid example of the author's preemptive strategy. Here he shows how to use filters for detecting the precursors to an intrusion.

Double check your schedule and make sure that you have a good block of time free before reading the next chapter. Chapter 3, "Architectural Issues," discusses where to place your intrusion detection sensors, network- and host-based intrusion detection, the tradeoffs in too-little verses too-much reporting, and knowing when to elevate your defensive measures because someone knows a specific vulnerability of your system. After reading this chapter, don't be surprised if you find yourself clearing your schedule for the rest of the day so that you can re-tune all of your system's defenses. However, if you're working in the corporate setting, read chapter 14 before turning off your cell phone and pager.

If you're going to collect information, then put it to good use. Chapter 4, "Interoperability and Correlation" gives tips on how to log information, put it together, and to parse it so as to know when an exploit script is staring you in the face. Chapter 5, "Network-Based Intrusion Detection Solutions" discusses some of the more operating-specific issues. RealSecure, which is a commercial product geared toward NT, is discussed as are the Network Flight Recorder for Unix-based systems, NetRanger from Cisco, GOTS, EPIC, NID, shadow, and other related topics. If you are curious as to how these systems compare, chapter 5 concludes with results from several "intrusion detection bake-offs."

If your system was cracked in the past, chances are you'll find the signature of the attack somewhere in chapter 6, 7, or 8. These chapters are an exceptional tutorial on the curiosities of network traffic flow.

The material in chapter 9 was all-too-familiar, having walked through the ".bash_history" of the cracker's recent takeover of our system. The premise for Chapter 9 is to show where a cracker gets their tools, and what they might try to do once they've gained entry into a system. This includes discussions on what they look for, why they cut services, and just how badly they type.

And, in case you were under the impression that intrusion detection consisted of the ongoing battle between you and a single cracker, Chapter 10 brings you back to reality. "Coordinated Attacks" points out the differences between structured and unstructured attacks.

In chapter 11, you see the tools of the trade. That is, the tools of both the cracking trade and the intrusion detection trade. Here is where you'll find a discussion on "tripwire" and lesser-known uses of the widely-used "nmap" program.

Chapter 12 offers a diversion into "Risk Management." This chapter may be more relevant than you might first expect. Being able to personally relate to "laptop separation anxiety" at the airport X-ray machine, there are some very pertinent points discussed with regard to risk management in this chapter.

While the meat of chapter 13 is "Automated and Manual Response", I found myself most interested in the honey pots, a topic that I have read up on in the past, but never had enough time (nor resources) to implement. As such, I was glad that I could live vicariously through the author's experiences.

Unless your business *is* the intrusion detection business, you're probably working as a security professional for a corporation that relies on you for information. And, the level at which you are able to provide intrusion detection is largely determined by higher (or lower, as the case may be) authorities. Chapter 14 sets you up with the ammunition that you should have to present a solid case for what needs to be implemented, what it should cost, and how much supervision is warranted.

Chapter 15, "Future Directions," is the last chapter of the book but the first chapter in many books to come. Java code is running rampant throughout the network and users are becoming lazy when clicking on each and every pop-up window that would warn of danger. These and other issues would make a strong case that the next generation of attacks will come from within. What else looms ahead? This chapter touches on several pending dangers and predictions.

This book is far-and-away one of the more relevant and well-written books on security issues, and should be required reading for every system administrator and network professional. If you hold the responsibility for system administration at any level and this book doesn't inspire you to rethink your approach to intrusion detection, you should be fired.

Paul Gray Cedar Valley Linux Users' Group (CedarLUG) Cedar Falls, Iowa gray@linux.com