Network Intrusion Detection: An Analyst's Handbook, 2nd ed.
by Stephen Northcutt and Judy Novak
New Riders 2001.
430 pages, index
Softcover. ISBN 0-7357-1008-2. $45.00

Reviewed by Robert Bruen, April 13, 2001

This book is a typical New Riders production: well done, detailed, written for folks who know (or would like to know) what they are doing by folks who do know what they are doing. It is not a large-print, white-space-padded, over-hyped book. It is a well-crafted journey through protocols, diagrams, packet dumps, logs, forensics, and how to be gentle with the victims who receive your assistance.

There is a large and growing number of security-related books available today. Many of these give you practical information, such as how to use Secure Shell (SSH) instead of telnet and FTP because it encrypts the traffic. This is one helpful item in a large array of helpful items that will help secure your site. Unfortunately, this is not enough, because nothing will replace expertise. If you are going to spend significant time securing your site, you will need to understand what happens under the hood. While I like practical books, I really like books that explain the important details in a cohesive manner, so that I can learn to cope with the unexpected, new situation. If all you learn is the superficial level, you will be unable to handle the situation that is not listed in that book. If you have a grasp of how the pieces work together, the new situation will have recognizable parts which you will be able to join together so that it makes sense. My recommendation is to read and use the practical books, but also read the theory books and the books that explain the details, especially if they are done as well as Northcutt's book.

The twenty-two chapters cover topics such as filters, signatures, protocol manipulation, attacks, responses to attacks, and many software tools. The tools discussed are of the commercial and free variety, for both attack and defense. There are two chapters describing particular attacks, the Mitnick attack and the Timex attack, each of which provides an interesting story and important lessons.

The scope of the book reaches to often-ignored issues that are critical to dealing with security problems in general. Taking the purely technical path to protecting your systems or networks can lead you past the big-picture approach of looking at architecture and organization, and it generally bypasses the business problem as well. These three ideas are related: one must be able to integrate the structure of the organization with the configuration of nets, subnets and systems, which ought to reflect that organization. How these are arranged makes a great difference in how difficult it will be to protect them, and in determining whether traffic patterns within the enterprise are a problem or not. Above all of this are the managers who may or may not fund your attempts to protect the enterprise. Northcutt deals effectively with these issues.

Network Intrusion Detection should be acquired and read by anyone who wants to understand the basis for intrusion detection.