Although most readers are probably familiar with the term intrusion detection and its general underlying function, they are probably not familiar with extrusion detection, a new concept that may become an emerging key technology in network security. Behind this concept is a series of techniques and approaches for monitoring outbound connections in order to detect a potential intruder or a violation of in-place security policies. Outbound connections are initiated from your network toward the outside, and, at first glance, monitoring them seems to be just a simple and straightforward extension of general network monitoring. I then tried to imagine what would happen if I had to deploy an outbound monitoring architecture on a high-speed network. Many nontrivial technical questions quickly overwhelmed me. What hardware should I use? A simple FreeBSD box with some monitoring software might work well for a small enterprise, but will it work for a large campus network with high-speed connections in the gigabit range? Beyond having the right hardware, where would I install it? Should it be in the demilitarized zone, within the internal network, or in both? How does network address translation (NAT) affect the monitoring process? What type of traffic and network behavior should I look into? How should I perform the monitoring so that its results could one day be used as evidence in court?
Bejtlich does a superb job in his book of addressing these questions, and provides directly applicable solutions and precise technical answers. He starts by defining the scope and challenges of extrusion detection, and then goes into all the required details and technical issues associated with it. The book covers the essentials, providing information on how to get the right hardware, how to install a multiport tap (including graphic illustrations), and how to deploy it correctly so that both the internal and the demilitarized networks are monitored. He also describes some traffic-specific analysis using open source tools (sguil, snort, argus, and sancp are the most important). An important part of the book is dedicated to describing defensible networks and implementing access control mechanisms.
This book is not limited to detecting malicious human-initiated activities. Two chapters are essential; they address bots: malicious pieces of software that turn a computer into a zombie remotely controlled by a hacker.
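To make the idea of extrusion detection concrete, the following is an added example (my own illustration, not code from the book or from the tools it covers) that applies the two kinds of check described above to outbound session records: an egress policy that differs between the internal network and the demilitarized zone, and a search for bot-like periodic "beaconing" to one external service. The zones, the policy and the session records are all assumptions constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed zones and egress policy for this example; RFC 5737 ranges play the outside world.
ZONES = {"internal": ip_network("10.0.0.0/8"), "dmz": ip_network("192.0.2.0/24")}
# DMZ servers answer inbound requests; the only outbound they need here is DNS.
EGRESS_POLICY = {"internal": {53, 80, 443}, "dmz": {53}}

# Constructed session records (start second, src, dst, dst port, proto), made up
# for this example rather than taken from argus or sancp output.
SESSIONS = [
    (0,    "10.1.1.20",  "203.0.113.10", 443,  "tcp"),
    (5,    "10.1.1.20",  "10.1.1.5",     445,  "tcp"),  # internal to internal: ignored
    (10,   "10.1.1.22",  "203.0.113.50", 80,   "tcp"),
    (30,   "10.1.1.21",  "198.51.100.5", 6667, "tcp"),  # port not allowed for internal
    (45,   "192.0.2.10", "198.51.100.7", 80,   "tcp"),  # DMZ host initiating web traffic
    (50,   "192.0.2.10", "198.51.100.9", 53,   "udp"),
    (60,   "10.1.1.20",  "203.0.113.10", 443,  "tcp"),
    (120,  "10.1.1.20",  "203.0.113.10", 443,  "tcp"),
    (180,  "10.1.1.20",  "203.0.113.10", 443,  "tcp"),
    (400,  "10.1.1.22",  "203.0.113.50", 80,   "tcp"),
    (3000, "10.1.1.22",  "203.0.113.50", 80,   "tcp"),
]

def zone_of(ip):
    """Monitored zone an address belongs to, or None if it is external."""
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def outbound_sessions(sessions):
    """Sessions a monitored host initiated toward an external address, by start time."""
    return sorted(s for s in sessions if zone_of(s[1]) and not zone_of(s[2]))

def policy_violations(sessions):
    """Outbound sessions to a port the source host's zone may not reach."""
    return [(src, dst, port, zone_of(src)) for _, src, dst, port, _ in
            outbound_sessions(sessions) if port not in EGRESS_POLICY[zone_of(src)]]

def beacon_candidates(sessions, min_sessions=3, max_cv=0.1):
    """(src, dst, port, mean gap) for hosts contacting one external service at
    near-constant intervals: bot-like behaviour even on a permitted port."""
    starts = defaultdict(list)
    for t, src, dst, port, _ in outbound_sessions(sessions):
        starts[(src, dst, port)].append(t)
    hits = []
    for key, times in starts.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= min_sessions and pstdev(gaps) / mean(gaps) <= max_cv:
            hits.append(key + (mean(gaps),))
    return hits
```

Note that the DMZ web server's outbound connection is a violation only because the assumed policy says DMZ hosts never initiate web traffic; the beaconing host, by contrast, breaks no port rule and is caught purely by the regularity of its connections. If the sensor sits outside a NAT device, the source addresses in these records would be the translated ones and would need to be joined with the NAT table before this kind of per-host attribution works.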
Having read Bejtlich’s two other books [1,2], I was familiar with his technical accuracy and easy-to-follow writing style. Difficult concepts and technologies are clearly explained and abundantly illustrated with figures and do-it-yourself instructions. A reader with average skills can easily follow both the theoretical contents and the practical details.
I strongly recommend this book to any reader interested in intrusion detection, general network security, and network security monitoring. I also encourage potential readers to visit the author’s Web site (http://www.taosecurity.com), where he maintains a daily technical blog that is highly relevant to network security monitoring and extrusion detection.