The Tao of Network Security Monitoring is one of the most comprehensive and up-to-date sources available on the subject. It gives an excellent introduction to information security and the importance of network security monitoring, offers hands-on examples of almost 30 open source network security tools, and includes information relevant to security managers through case studies, best practices, and recommendations on how to establish training programs for network security staff.

Book Review

Author: Richard Bejtlich
Publisher: Addison Wesley
Pages: 798


To be honest, this was one of the best books that I've read on network security. Others books often dive too deeply into technical discussions and fail to provide any relevance to network engineers/administrators working in a corporate environment. Budgets, deadlines, and flexibility are issues that we must all address. The Tao of Network Security Monitoring is presented in such a way that all of these are still relevant. One of the greatest virtues of this book is that is offers real-life technical examples, while backing them up with relevant case studies. Network security engineers, system administrations, and security management will find value in this book. It is a must-read for anyone interested in getting into the field, but would still be useful as a reference for the experienced expert.

The book is written in an easy to follow manner and is filled with diagrams, tables, screen shots, and relevant examples. Richard Bejtlich attempts to help network engineers go beyond what is offered by today's intrusion detection systems. He provides a basis for developing an entire network security monitoring architecture, which gives administrators a much clearer view of network activity. I highly recommend this book to anyone involved in network security on a day-to-day basis.

Inside the Book

Pentesting Network SecurityThe Tao of Network Security Monitoring is written in 6 parts with 18 chapters and several appendixes. Part I gives an introduction to network security monitoring, part II introduces available network security tools with examples of usage as well as how the tool can be acquired. Part III and IV outline the network security monitoring process through best practices and case studies while explaining role of those individuals involved. Part V describes what tools and tactics attackers use to evade network security monitoring systems. Part VI, the appendixes, offer a protocol header reference, an intellectual history of network security monitoring, and an introduction to protocol anomaly detection.

Chapter 1 offers a decent introduction to information security, but it focuses specifically on background material that is relevant to network security monitoring. Rather than viewing security in a traditional light, Richard Bejtlich offers an explanation that puts threats and vulnerabilities into the concept of risk management. The characteristics of an intruder are given as well as the phases of a typical network compromise. (Reconnaissance, Exploitation, etc.) One of the more interesting parts of this chapter is the author's description of the phrase 'defensible network.' Defensible networks can be monitored, limit an intruder's maneuverability, keep services to a minimum, and can be managed more easily. Chapter 2 goes more deeply into network security. This chapter is slightly more technical, but still offers a high-level explanation of the principles and concepts necessary when developing a network security plan. Chapter 3 continues to prepare the reader to understand the entire network security environment. This chapter offers an introduction to the security perimeter, demilitarized zone, wireless networks, and intranets. It discusses the use of hubs, span ports, taps, inline devices, monitoring architecture, and monitoring administration considerations. After the first three chapters, readers should have a firm understanding of the role the network security plays in an organization.

The next seven chapters offer detailed information about many of the network security monitoring tools available to administrators. The author chose to include only software that is presently available for his FreeBSD 4.9 test platform. However, this should not be a discouraging factor for Linux readers. The sources and binaries for nearly all of the software examined is also available for Linux. Chapter 5 focuses on 'full content' software such as Tcpdump, Tethereal, and Snort as a packet logger. For each tool examined, a basic introduction and usage examples are given as well as extended examples which show how each tool can be used in specific scenarios. Chapter 6 discusses 'additional data analysis' tools such as tcpslice, tcpreplay, ngrep, etherape, etc. Chapter 7 gives examples and usage suggestions for tools that deal with session data and chapter 8 does the same for statistical based tools.

Chapters 11 and 12 are probably much more interesting to seasoned information security professionals. Network security best practices are discussed as well as case studies that offer interesting examples of network security incidents.

Chapter 13 is an excellent piece of writing that lays out the parts necessary to create a network security analyst training program. This chapters does a good job of outlining the skills necessary to help a security manager determine who should be doing what, how tools are established and used within an organization, how policies are created, and the tasks associated with each area of network security monitoring. It includes weapons and tactics, telecommunications, system administration, scripting and programming, management policy, and examples of training in action.

The last two chapters, 17 and 18 will probably be two of the most interesting chapters to the casual reader. Rather than focusing solely on the security engineer, these two chapters consider the perspective of the intruder. Tools used to disrupt the integrity of network security monitoring systems are discussed as well as tactics to promote anonymity, evade detection, and affect the integrity of data collection tools. These chapters show the importance of thinking like the enemy.

About the Author

Richard Bejtlich is a security engineer in the Computer Forensic and Intrusion Analysis division of ManTech International. He has also worked as a consultant for Foundstone, and managed network security operations for Ball Aerospace & Technologies Corporation. He served in the Air Force Computer Emergency Response Team (AFCERT) as well as support law enforcement investigations. He is well known in the wider security community for writing papers and giving technical lectures at SANS, FIRST, Infragard, ISSA, and SHADOW conferences. He has a Bachelor of Science degree from the United States Air Force Academy, a Master's from Harvard, CISSP, and Certified Information Forensics Investigator certification.