Saturday, May 07, 2005

Mixed Thoughts on Inside Network Perimeter Security, 2nd Ed

I promise that I read the books I review, so this is not a review. You won't see me post anything at about Inside Network Perimeter Security, 2nd Ed. I read parts of it, but nowhere near enough to justify a formal review. Here are a few thoughts on the book.

The five authors and four technical editors did a lot of work to write this book. It weighs in at 660+ pages, with not that many figures or screen shots.

Despite being a second edition, I found evidence of old material. I noticed that chapter 2 describes IPChains. IPChains -- where was that last in the mainstream, in the Linux 2.2 kernel? Chapter 6 implies SSH v2 isn't available on Cisco gear, but readers will remember I got that working a few months ago. Ch 19 promotes the virtues of Big Brother, a monitoring tool that's been declining for years since its acquisition. Nagios should have been covered instead.

A quote in ch 11 on Intrusion Prevention Systems bugged me: "SoureFire [sic] ditched Snorty the pig and became Realtime Network Awareness (RNA), a passive sensor and visualization tool company in terms of primary internal focus." Let's ignore the misspellings and confusing English and answer this point. Sourcefire hasn't "ditched" Snort; RNA works with Snort. Someone doesn't understand Sourcefire or Snort.

I ended up reading most of ch 11 as it was fairly informative about network- and host-based IPSs. Otherwise, I didn't find a really compelling reason to read the book. There is some good material on network architecture, but nothing I haven't seen elsewhere. I guess that was my overall reason to stop paying attention to Inside Network Perimeter Security, 2nd Ed: I didn't see much new material for me. I also don't really care for books that provide advice but not configuration guidance. I like to flip though technical books and see that offset courier print denoting command and configuration syntax. Aside from the router hardening syntax in ch. 6, there's a lot of suggesting in this book but not as many concrete examples as I would like.

If anyone has opinions on Inside Network Perimeter Security, 2nd Ed, please post them.

Update: I reviewed this book on 30 August 2006.


Martin McKeay said...

RNA works with Snort

Strictly speaking, not true.

I've recently been doing some work with Sourcefire on Snort and RNA, and they don't really play well together. At least not on the same box.

During our recent attempts at an implementation of using Snort sensors and a Sourcefire DC, we ran into a quite a number of caveats. Here are the major ones:

- Sourcfire doesn't support Snort 2.3 and above, only 2.2
- Sourcefire doesn't support the Linux 2.6 kernel
- A sensor can have either the the Sourcefire RNA agent or the Sourcefire Snort agent, not both.
- Sourcefire only supports one instance of Snort per box.

I still love Snort, and I'm still working on getting as much functionality as possible out of Sourcefire. If you have insight on how to get around some of these limitations, I'd love to hear them.

By the way, I'm looking forward to hearing you speak at the NetOptics Think Tank next week.

Richard Bejtlich said...


Thanks for the first-hand info. I think you know what I mean though. Sourcefire sells Snort as its IDS/IPS, and RNA is the piece designed to make that IDS/IPS functionality more accurate. See you in California next week!

ids said...

Hey Martin,

I too am using Sourcefire and using the whole 3D architecutre (IS, RNA, and DC). I knew about the appliances running a "hardened" 2.4 kernel but thought that I had seen a version of Snort running on the sensor higher than 2.3. Here is what I found...

root@IDS:~# snort -V

,,_ -*> Snort! <*-
o" )~ Version 2.4.0 (Build 7)
'''' By Martin Roesch & The Snort Team:
(C) Copyright 1998-2005 Sourcefire Inc., et al.


So I am running a 2.4.0 version here.

I haven't really had any issues getting RNA and the IS or DC working together but they are all on separate devices.

Regarding getting the IS and RNA agents running together on the same box, I had heard this was possible although I can't say for sure as I have never tried it. I may be thinking that the DC can have an RNA agent on it.

It does suck that you can only have one instance running box though I agree.

Mairtin said...

I must admit that I've only read a few bits of the second edition, specifically the sections which are new, but I've always thought this book was a great overall introduction to network security.

It definitely isn't a technical book and shouldn't be considered one but it does give a good overall picture of network security.

In my opinion if you want a book to begin your network security knowledge this should be one of the first you read. For people with experierence in the field it is obviously lacking in technical depth but if it gave implementation details on all of the topics it covers it would probably be a few thousand pages long and still probably be insufficient.

All that being said however it is poor that the second edition contains references to very old linux kernels which should have been one of the most obvious things to check and update.