Building Open Source Network Security Tools

Mike Clark writes "There are many security books on the shelves today. Most of them describe the same hacker tools and methods. They don't get very technical and once you've read one, you've read them all. Building Open Source Network Security Tools is a different breed of security book." Read on for the rest of Mike's review.

Building Open Source Network Security Tools
author	Mike D. Schiffman
pages	424
publisher	John Wiley & Sons
rating	9
reviewer	Mike Clark
ISBN	0471205443
summary	How to use open source libraries, such as libpcap and libdnet, to build network security tools.

Building Open Source Network Security Tools , just as the name suggests, is about how to build network security tools. This is a technical book, so you are going to have a little knowledge of C and your networking principles. This is definitely not a manager's book.

First the book describes some basic principles in developing security software. This is a quick primer in case you have never been involved in software development. Next the book goes on to describe several commonly used libraries like libnet and libpcap. For each library, the structures and functions are explained, then there is sample code. I have written programs using libpcap and libnet before, and I still learned something. There is even a section on OpenSSL programming. OpenSSL is a rather large and cryptic, no pun intended, library (in my experience anyways). This book sheds some light on it! These chapters are a great reference to have when making a new security tool.

The author then goes on to explain the several techniques like attack and penetration and active reconnaissance. Not only does the author tell you how they would in a technical sense, he provides code that does it, and explains each piece. This is very useful since most tools in the wild aren't very well commented ;) There is also a chapter on buffer overflows and format string vulnerabilities. These chapters are very well done and do a good job in explaining how they work and how to write code to use them. It may sound like this is an offensive hacker book, but it also gives examples on how to write defensive programs, like a port scan detection tool. At the end of the book the author ties it all together with a large program that utilizes many of the techniques mentioned in the book.

I found this book to be very refreshing. I had been waiting for a good security programming reference, and this is it. As a part of the Honeynet Project, I have seen a large number of compromises and tools, and one thing I've found is that in order to truly know who your enemy is, and how they operate, you need to know how their tools work. I wish this book had been released years ago when I first became interested in network security. It would have saved me from stumbling around old web pages and dead links. If you're an information security professional, this book is a must have for your library.

---

You can purchase Building Open Source Network Security Tools from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

About time, too

[Vendekkai]

I've been looking for a book like this for a long time... All the security books that you see in bookshops are so superficial that any slashdot reader is (usually) better informed.

Nessus

[bhsx]

For those looking for a great open source remote security scanner, check out www.nessus.org. Nessus is client/server (clients for a few platforms, server runs on unix only) scanner that runs through thousands of exploits and DoS attacks and gives you a full report on what you have open/running and how to secure it along with CERT advisories and all kinds of info. It's a great way to see just how easy it is to break into an unpatched box, whether it's *nix or win32. First few times I ran it I crashed every box on my LAN, by the fourth time I ran it, I was possitively secured. Great tool, can't say enough about it.

oh goody

[Anonymous Coward]

I always prefer your embedded referrals to RedWolves2's. There must be 200 people who post on Slashdot regularly, and only you and good old Ralph Whitbeck seem intent on using Slashdot for personal financial gain. Way to go.

Re:Store Links (RW2 rules ...)

[RedWolves2]

hehe..I am somewhat of a celebrity around here now!

Other books?

[illsorted]

What other books would people recommend for someone interested in network security (specifically using Open Source tools)? I'm currently reading Building Internet Firewalls [oreilly.com] which has been extremely helpful to my understanding of architecture issues. Any other jems I should be looking at?

Thanks.

Re:Other books?

[foosnarf]

get a free account to the SANS Reading Room [sans.org]; they have whitepapers galore and a few more applied guides, including some on nessus and snort, iirc. with a good theoretical background, you should be able to proceed to use documentation for each product you choose in a mostly referential manner.

Re:Other books?

[Clover_Kicker]

>What other books would people recommend for someone
>interested in network security

Definitely start out with TCP/IP Illustrated, Volume 1, W. Richard Stevens, ISBN 0-201-63346-9 [kohala.com]. I can't say enough good things about this book.

Internetworking With TCP/IP Volume 1, Douglas Comer, ISBN 0-13-01830-6 [purdue.edu] is another very good book, but Stevens' book is better.

Re:Other books?

[Rudeboy777]

I liked Linux Firewalls [linuxcentral.com] quite a bit. Network security is more hobby than profession for me, but this book's progression made it easy (for me) to get the hang of ipchains and iptables.

Re:Other books?

[rlg1000]

I've been a subscriber to Safari Books Online for a while now. It's been useful to me. I do prefer having a book in hand but Safari is especially convenient because it is accessible anywhere you have an Internet connection.

Re:Other books?

[illsorted]

Why not check it out yourself? They offer a free 14-day introduction, and you can cancel any time within that span without paying anything. I tried it, and love it, it's definitely worth the 10 bucks I pay every month.

Sounds like an info-mercial. Oh well.

Re:Other books?

[mattsouthworth]

First, Northcutt's Network Intrusion Detection [newriders.com] (published with SANS) is a great introduction to using simple tools like TCPDump to understand network traffic. Second, although I refuse to buy books with 'Hackers!' in the title on principle, one slipped by: Hack Proofing Your Network [syngress.com]. Each chapter is by a different author, most of whom are very reputable, and it give an excellent introduction to an array of different topics. And of course you have a copy of Applied Cryptography...

Re:Other books?

[chakradeo]

You would definitely love (and need) this [amazon.com] gem.
Sorry could not help :)

Re:Other books?

[octaene]

Yes! I highly recommend Network Intrusion Detection: An Analyst's Handbook (2nd Edition)" [amazon.com]. This is one of the best books I've ever read.

From glancing at the title, you'd think it is only about Network Intrusion Detection - but the information on tcpdump alone is priceless! This book reads like a novel, I tell you! The author is from SANS / Windows MCSE fame, and he writes the book as if he's speaking to you.

I cannot say enough about this book!

Review damns with faint praise

[Dick Click]

While the reviewer seems to like this particular book, I must confess I am not sure why.

The reviewer claims: "They (other books) don't get very technical and once you've read one, you've read them all".

It is not clear to me what level of technical detail the book includes, nor how the book really differs from other books.

It is also not clear if there is any focus on creating defensive security tools (monitoring tools, etc), or offensive tools (vulnerability scanners).

I also agree with another poster: nessus is a great tool; a section in the book detailing NASL would have been nice, considering the lack of good (IMO) documentation available.

Re:Review damns with faint praise

[DevNull Ogre]

This book is more technical because it talks about source code. Rather than explaining what a tool does, it shows you how. Showing you source is a huge step in terms of technical detail.

Written by the author of Libnet.

[Effugas]

Mike Schiffman wrote Libnet, i.e. the library that creates a unified interface to actually *writing* raw packets to a wire.

This is his baby -- lets just say I don't have any doubts.

--Dan

How about ...

[Greedo]

... the /. editors take a few seconds to convert submissions with characters like ' to '.

Picky, I know. But when the /. homepage is full of undisplayable characters because the encoding doesn't match the content, it's a bit annying.

Open source is not secure!

[carl67lp]

...at least, that's what Microsoft and companies like them would like you to believe.

I've thought a lot about the idea of securing systems with open source products, and it makes sense to me. The old argument was that a potential hacker could look at the source code to invade a system, and find the weaknesses therein. But there lies the biggest strength of open souce--the fact that, indeed, everyone can see the problems with the code and contribute towards the betterment of the product.

Let me use a rough example. If I purchase a set of blueprints from a home plan book, make no adjustments to the plan before I build it, how does this information grant a burglar any more information than simply casing the house and looking for weaknesses? That's not the best example in the world, but it'll do for now.

True, closed-source (e.g., commercial) software doesn't have the source in full view to scrutinize, and so is ever so slightly more "secure" (at least in the minds of those purchasing the product), but reverse-engineering is still possible, and brute-force, psychological, and other hack tactics can and do work.

Simply put, and to summarize, the idea that open-source software is insecure is simply false. In fact, it's the opposite of the truth--open-source projects benefit from a large community ensuring that all the bugs are squashed, all the holes are sealed, all the back doors are locked, and the software is more secure than anything a commercial entity could produce.

Re:Open source is not secure!

[Anonymous Coward]

The amount of dedicated professional time that goes into software's development is the only thing that counts. "Open source" or "closed source" is really a side issue. Your software does not become secure if/when you publish your source code. The assumption that there are crowds of elite hackers who can't wait just to tinker with it and scrutinize security holes is false. It may be the case for a few very popular projects, but that's all. An average open source project relies on a not so huge number of key contributors who really know their code inside-out and a far greater number of users who just use their work. Same can be said about a commercial project, mind you.

Re:Open source is not secure!

[Weird Dave]

You're talking about "security through project obscurity", and I don't buy it. If I were an evil cracker, I might start with a source-based linux distribution, and search for gets in all of the source files. There are probably other obvious buffer overflows that are easily identified. Next, I figure out a way to exploit the hack. Sure, I didn't get onto every computer, but I got onto yours, didn't I?

If anything, Open Source authors should be more alert to exploits, as I can only do this in open source software, though I'll bet a smart person could figure out how to analyze the executable to see if it uses an insecure library function, or something.

Re:Open source is not secure!

[Effugas]

It wasn't hard for me to acquire blueprints of my home -- they're on file with our neighborhood association. As far as I'm aware, some branch of the US government possesses blueprints of every single major and minor structure in the country, and I do believe it's even possible for average citizens to gain access to these plans.

Why? Because the costs of a building not built to spec greatly exceed the benefit of security through obscurity. By forcing building specifications to remain open to some degree, it becomes difficult to hide egregious faults in building design -- and thus, lives are spared.

As I've been pointing out for some time -- every single non-military technology that mankind has considered important has tended towards greater and greater openness -- from legal systems to building codes to the contents of our food. Software is a rare exception.

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

Complementary books

[Thyrsus]

From the review, it sounds as if this book is a good antidote to the unfortunate simplification that (network security === firewall). Good!

Nonetheless, firewalls and VPN's are still important tools in creating a secure network. My old 1995 edition of Chapman & Zwicky's "Building Internet Firewalls" has been useful to me; I've no reason to think newer versions would be any less so. If you want to build a stateful firewall, Ron Ziegler's "Linux Firewalls" does a good job with the concepts and details of iptables. Another highly recommended book is Kolesnikov & Hatch's "Building Linux Virtual Private Networks". Whenever you do security, you *must* understand what you're doing, and these authors help you do that; that understanding is portable to any OS.

Secure Programming for Linux and Unix HOWTO

[dwheeler]

If you're trying to write secure applications, I suggest taking a look at my book Secure Programming for Linux and Unix HOWTO at http://www.dwheeler.com/secure-programs [dwheeler.com] - it's free, just download and print. I just released the 29 October 2002 (version 3.000) edition.