Building Open Source Network Security Tools. Components and Techniques
by Mike D. Schiffman

Wiley 2003.
ISBN 0-471-20544-3. 424 pages. Index, references, code. $45.00

Reviewed by Robert Bruen, January 13, 2004

Many of us have used open source tools for one thing or another. How nice it is when someone else does the work, leaving you only with downloading and installing it. Often enough, the tools are excellent. In the early days, these tools were tied to particular operating systems; however, times have changed. Now there are libraries that not only function across operating systems, but also make it easier to write the tools.

The downside, of course, is that now you need to learn the libraries. And there are several of them. One benefit and one problem with open source is that there is a constant flow of new code. When you find that cool tool that does just what you want, you need to go find the other required code to make it work. There are at least a half dozen libraries for network tools, not to mention the GUI code that improves the interface. It is probably better that we do not have a monoculture of security libraries, but it means that we have to know more about the various libraries.

This is where Schiffman's book comes in. He has put together some of the clearest explanations of the most common network security libraries to date. He has full chapters on Libpcap, Libnet, Libnids, Libsf, Libdnet and OpenSSL. Each chapter details the installation, datatypes, dependencies and functions of the library. He also provides working code examples that use each library. If you want to write a cool tool, start here.

The other half of the book details techniques: Passive and Active Reconnaissance, Attack and Penetration, and Defensive techniques. The presentation of each technique is clear, easy to follow and culminates in working code. The source of all the code is available online. His language of choice is C, and his code is actually quite readable, unlike a lot of C code. A software development lesson is included in the book, and his code reflects his understanding of things like modular code, comments, meaningful variable names, etc. Even flow charts appear.

Building Open Source Network Security Tools is a pleasure to read. It is obvious that Schiffman knows what he is talking about. The last chapter is an in-depth look at his tool Firewalk, with complete source code. Firewalk was developed to get around limitations imposed on traceroute. More than a few tool developers could benefit from his description of the process used to develop Firewalk. The requirements are listed, as are the analysis and design pieces. Such discipline has not received its just due for quite a while. Perhaps that is the reason that so much vendor code is less than adequate.

This is a highly recommended book for anyone who wants to develop network security tools and for anyone who wants to understand the technical details that the good tool writers know. More work needs to be done in this arena and here is the leader.