Monday, February 11, 2013

Practical Network Security Monitoring Book on Schedule

First the good news: my new book Practical Network Security Monitoring is on track, and you can pre-order with a 30% discount using code NSM101.

I'm about 1/3 of the way through writing the book. Since I announced the project last month, I've submitted chapters 1, 2, and 3. They are in various stages of review by No Starch editors and my technical editors. I seem to be writing more than I expected, despite trying to keep the book at an introductory level. I find that I want to communicate the topic sufficiently to make my point, but I try to avoid going too deeply into related areas.

I'm also encountering situations where I have to promise to explain some concepts later, rather than explain everything immediately. I believe once I get the first chapter ironed out with the editor, the rest will be easier to digest. I'm taking a fairly methodical approach (imagine that), so once the foundation in chapter 1 is done the rest is more straightforward.

I'm keeping a fairly aggressive schedule. Basically I have to write a chapter each week, get it to my technical editors, and then spend additional time working with No Starch to get the text legible and ready for print. All of this is happening in parallel in order to have the books in print by Black Hat. That means the text must be done by the first week in April. My family is helping me stay on track by giving me time and space to write, especially on the weekends. Thank you!

When working on the examples, I've been very pleased with the performance of VMware Workstation 9. I have one copy installed on Windows 7, where I write with Word. I have a second copy installed on Ubuntu Server, where it acts like a "VMware Server." I used to run a real ESXi server on server-class hardware. Now, to save electricity and to tailor my computing power more closely to my requirements, I run a Shuttle DS61 with a Core i5-3450S 2.80GHz CPU, 16 GB RAM, 750 GB HDD, and two onboard NICs. The two NICs are really awesome in a device this small -- 190(L) x 165(W) x 43(H) mm. With two NICs, I can devote one to management and one to network traffic collection and interpretation. I use a Net Optics Dual Port Aggregator Tap for access to the wire.

I use VMware Workstation this way. I run a Linux VM on Workstation on my Windows 7 laptop. I connect via Workstation to the Workstation instance on Ubuntu on the DS61. Then I create whatever VMs I need on the DS61. For example, I created a Security Onion server and sensor to test that setup. With 16 GB RAM, I have plenty of RAM for both, plus another VM that I'm running as my "production" Security Onion sensor for the lab network.

Writing is going well, despite the fact that I last wrote a book in 2005. I promised my youngest daughter, who wasn't born until 2006, that this new book is for her. If you have any questions on the writing process, please post them here or ask me on Twitter.


Anonymous said...

Good news about a new book! BTW, Ubuntu here, Ubuntu there, what happened to old good FreeBSD?


Anonymous said...

Can I order the book in e-book format?

Unknown said...

Excellent news! I have pre-ordered my book.

Anonymous said...

This is unrelated to the writing process, but I was interested to see your choice of hardware. I spent more hours than I can count researching ESXi-compatible consumer-grade hardware to build my VM server on. Finally settled on a Core i7, Seagate 2TB desktop drives, and a VT-d/VT-x capable ASRock motherboard loaded with 32GB of RAM. Probably less efficient than your build, but it's a pretty good all-around lab machine. has a lot of info on running enterprise VMware products on consumer hardware.

I think I'll investigate the Shuttle platform to replace my aging Dell Pentium IV hardware for my pfSense box.

Anonymous said...

Does pre-ordering get you both a hard copy and an e-book copy?

Richard Bejtlich said...

Anon, the publisher said yes. Thank you.

Unknown said...

Can I preorder the book in e-book format somehow? Shipping costs to Spain nearly doubles the price.

Richard Bejtlich said...

Unknown, the publisher said:

"At the moment, we don't have the capability to accept ebook-only preorders but we're working on it. I'm hoping that we can make some progress in the next couple of weeks. I'll let you know when it's fixed or we have a workable alternative in place."

Anonymous said...

Ebook only or a distributor on this side of the pond would be great, Richard; looking forward to seeing it.

Richard Bejtlich said...

Roger that, Anonymous. I believe No Starch will have ebook-only options for preorder in March. Thank you.

Alexi said...

Thoroughly enjoy your writing and am looking forward to the book. I'm excited to see that you devote time to physically gaining access to network traffic, given all of the possibilities: network taps, port mirroring, hubs, etc. I'm currently using a cheap managed switch (a Netgear GS108T) to monitor my home network via configurable port mirroring, and it seems to be working pretty well. You mention that you use a Net Optics Dual Port Aggregator Tap, which, according to my quick research, is a good deal more expensive than several other options for traffic monitoring; any particular reason you went this route?

Richard Bejtlich said...

Alexi, my earlier books talk more about methods to gain access. In the new book I keep it very simple. I prefer Net Optics taps because they are enterprise-grade and resilient. If your cheap managed switch fails the whole network goes down. I've never had a Net Optics tap fail. Also, if the power dies the tap will still pass traffic.