We'll I'm going to show my roots by declaring the Naval Surface Warfare Center (NSWC) Shadow as one of the first and favorite intrusion detection systems I used. I'd installed this at the urging of Stephen Northcutt and discovered a great tool in Shadow and a great friend in Stephen. It is based on tcpdump; and using tcpdump and Shadow required that I become very familiar with TCP/IP otherwise I would be totally clueless. To this day, even though IDS' have made phenomenal advances, I still like using Shadow along with the more modern IDS' to collect background traffic.

Snort is another favorite tool since it rivals a lot of commercial IDS' and is easy to install and configure. It's pretty easy to write simple or complex rules and I like that you see the offending packet when it alerts. If you don't have access to the guts of the rule that triggered the alert and the dump of offending packet, you don't know if an alert is real or a false positive. Too many commercial IDS' don't let you see the signatures, rules, etc. and don't dump the packet. You are at the mercy of the IDS with no way of validating the accuracy of the alert. You can end up crying wolf if you believe the IDS all of the time or you end up simply ignoring it if you don't.

We just finished up a red team exercise using nothing more than freeware - nmap, nessus, and the Center for Internet Security (CIS) benchmark tools. This gave us a combination of tools to map the network using nmap, expose the vulnerabilities remotely using nessus, and examine host configurations using the CIS benchmark tools.

How long did it take you to co-write "Network Intrusion Detection 3/e" and what was it like?


For my portion of the 3rd edition, it took about 6 months. But, many of the chapters were based on SANS material I'd previously written and chapters from the 2nd edition. It's a pretty intense experience trying to create material that is useful and coherent without taking yourself too seriously. Luckily, I had Stephen's footsteps to follow from his solo rendition of the 1st edition. His was one of the first technical books I'd read that had a lot of humor that allowed his light-hearted character show through.

In your opinion, what are the most important things an administrator has to do in order to keep a network secure?

I don't think I can offer any startling insight into the standard precautions of using VPN's, stateful packet-filtering or proxy firewalls, IDS, anti-virus, applying patches, etc. Obviously, the administrator(s) have to have management support in supplying strong policies and ample manpower to maintain and watch the network.