3.0 out of 5 stars
Good reading both for NID geeks and IT security consultants, Jun 14 2003
A fine book, that can only scratch the surface of intrusion detection. While it admittedly selects older exploits as case studies, they are well chosen (paradigmatic even!), and should encourage security specialists to start developing a real familiarity with attack fingerprints and NID signatures. Its biggest strength is to provoke ways of thinking about network traffic analysis and common pitfalls. Don't forget that the scope of this book is not intended to cover the wider IT security gamut - it really is focused on the NID mindset.
Caveat: As someone used to imposing security policy and maintaining the corporate IT security culture, I am somewhat new to the NID/forensics game. But this book has encouraged me to learn more about the precise workings of TCP/IP protocols more than any other impetus to date. In a year's time I might look for more comprehensive references and clinical howto's, but for now Northcutt has provided a great insight into analysis techniques, attack mindsets and bit-level quirks.
Some other reviews have lamented Northcutt's writing style. Yes, he repeats some concepts and scatters his thoughts, but I personally felt they were worth repeating and scattering. The book is probably more suited to those who can follow accounts that include gut feelings and intellectual diversion, than someone who prefers to follow a scripted, blow-by-blow transcript. Both have their legitimate place.
4.0 out of 5 stars
Helps understand what's happening under the hood., April 15 2002
Apart from the biased outlook on the IDS products of the world (the writer definitely prefers SNORT over anything else presently available), the book gives the essentials that a beginner to intermediate WAN engineer would need to get a very good idea of what an IDS system is, how it works, the pitfalls to avoid and how to implement it.
The first part of the book is sort of a short recap on TCP/IP (and should have been taken out of this book, though - if you are familiar with TCP/IP you'll just skip it, and if not... I suggest you buy a more focused book on the TCP/IP suite before buying this book!)
The rest of the book is technical enough to get you informed and curious (you'll probably need other good TCP/IP reference books to satisfy your technical curiosity), and covers the non-technical aspects of an IDS enough to point you in the right direction if you are planning to implement an IDS.
This is not a "How To" manual on IDS, though; if you are looking for something on "how to operate your RealSecure IDS", for example, well, this is the wrong book - go get some training at ISS. But if you are looking to understand what's going on inside your IDS and to dig a little deeper than just printing off a report when the alerts start going off, this book should be part of your library.
I gave it 4 stars because, even if the book has not been written by an expert writer and has some bias toward specific techniques and products, the information covered is very good and accurate. A good book, and one you need if you want to know an IDS a little bit more.
3.0 out of 5 stars
Fair book on IDS: good content, poor writing & delivery, Mar 22 2002
I purchased this book for our office. My firm specializes in installing, tuning, and managing intrusion detection systems. This book had come highly recommended from some sources. As a network security consultant and a writer, I was not very impressed with this book.
First, the information is a bit dated. It also focuses a great deal of its content on teaching readers how to use TCPDump, which is merely a kind of protocol analyzer (sniffer).
The other problem with this book is the abysmal writing. The information is very poorly structured. Topics jump around from concept to concept, often looping back and readdressing issues and expanding upon unmentioned ones. This also leads to sections that are far longer than they need to be. For example, the first section on basic networking spends an awful lot of time explaining very simple concepts.
Furthermore, I became rather annoyed with the writer's constant editorializing about various facts or concepts. In my opinion, a book of this nature should be consumed with presenting an unbiased and scientific approach to security issues. However, the material is full of blatant biases and thinly veiled presentation of opinions as fact. I particularly enjoyed the preface which makes it clear that the authors consider the GIAC databases to be the only "true" signature databases. Quantity of signatures does not mean quality...just because GIAC has a zillion signatures does not mean they are all useful.
The authors also have a clear bias toward Snort, which is an excellent IDS, but not a tool for the average consumer. Snort is very difficult to use and will quickly deplete the resources of most IT departments. In this way, the authors show their lack of experience working and supporting real networks where budgets are tight, training is sparse, and responsibilities are numerous.
Nevertheless, there is some valuable information in the book. Once you penetrate the annoying preface, the condescending first chapter, and the TCPdump marketing brochure 2nd chapter, the material improves considerably. The next few chapters are far better with detailed information about architectural issues, protocols, and how hacks are done.
I gave this book 3 stars because the bulk of the content is quality material, just delivered poorly. I wish the authors would hire a competent ghost writer or editor to clean up the material, remove the editorializing, and focus on delivering content more effectively.