Protect Your Information With Intrusion Detection (Power) Review by Richard Bejtlich

Disappointing due to language difficulties and fuzzy thought

While perusing a bookstore in Saskatchewan (don't ask!), I found "Protect Your Information with Intrusion Detection" (PYIWID). I was pleasantly surprised to see an old version of a paper I had written several years ago cited in the bibliography, and the table of contents seemed to mention all the right subjects. I hadn't heard any "buzz" about this book, but I thought I might have found a hidden gem. I should have left the book on the shelf!

The first aspect of PYIWID that strikes the reader is the awkward English. The author appears to be Russian, and his editors gave him little support. Many times where the word "block" should be used, "lock" appears! For example: "Most network devices and programs lock ICMP packets and do not pass them" (p. 55). "If you detect an attack and start trying to lock it with firewalls..." (p. 60). These were followed on p. 84 by mentions of "Red Code" and "Blue Code," instead of "Code Red." Other sections make questionable, if not totally false, claims. For example: "Agent installation is especially dangerous for open systems, such as Linux and OpenBSD, since the agent can be introduced into the OS kernel." Ever hear of kernel mode Windows rootkits?

Other quotes just make no sense, such as first describing hiding processes on p. 62 and then saying "Using the rootkit or SunOS represents an example of this method." I was sad to read that "the White House server was blocked for tree hours and, on May 22, the server was unavailable for six hours." (p. 42). Some material indicated fuzzy thinking using sweeping statements, such as "Intrusion detection systems can identify and block practically all propagation methods used by hybrid attacks" (p. 49). The author seems to think math will solve your problems; this quote was outrageous: "Since intrusion detection technologies still lack a solid mathematical foundation, there is no possibility of developing efficient methods of detecting attacks and efficiently counteracting them." The author also thinks vulnerability assessment products are intrusion detection systems, covering scanners and such in ch. 6.

On the positive side, I think PYIWID has a great bibliography. It mentions lots of useful papers, some of which are mentioned in the book. I also liked the TAP diagram on p. 369. I initially thought the inclusion of various security "war stories" was useful, until I realized they appeared at random times and were often uncited. The exception was the heavy reliance on stories from books by Vacca. I was sad to see the author mainly relied on other people's packet traces for this book! "Most of the listing examples provided in this and subsequent sections were taken from [the SANS Internet Storm Center], or are based on practical exercises performed within the framework of preparing for [GIAC certification]" (p. 96).

It was my fault that I bought this book. I should have been tipped off by the odd choice of "key points" on the cover: "describing firewalls, indicating security policy violations, analyzing the information sources, improving the IDS security level." These sound awkward, and PYIWID follows that theme throughout. I give it three stars because the author did a lot of work bringing disparate sources of information together in this single volume, but he did not present it coherently.