Book Reviews: Information Security Books and Product Reviews – Network Flow Analysis

Book Title: Network Flow Analysis

Author: Michael W. Lucas

Publisher: No Starch Press

Date of Publishing: June 2010

ISBN(13): 9781593272036

Price (UK & US price – full price, not discounted price): £31.49, $39.95

URL of Publisher Site: No Starch Press

URL of Amazon UK web page: Network Flow Analysis

URL of Amazon UK (Kindle) web page: Network Flow Analysis

URL of Amazon US web page: Network Flow Analysis

URL of Amazon US (Kindle) web page: Network Flow Analysis

Network Flow Analysis is a superbly written dive into network flow data analysis, from building the collection system to analyzing the data. In a slim 189 pages, Michael Lucas covers the subject concisely and at impressive depth. Lesser authors might easily have expended twice as many pages to cover the subject half as well. Lucas’s smattering of “bastard operator from hell” humor, along with his knack for getting quickly to the point, keeps some highly technical content from becoming overly dry.

Lucas begins by describing the general problems that analysis of flow data can help to solve, including its ability to help with that most fundamental of network administration problems: our “abiding and passionate desire for […] our users to shut up.” He then explains what network flow is, provides a brief history of the technology, and describes, in stepwise fashion, how to implement an open source flow monitoring system using softflowd and flow-tools. In that regard, a more accurate book title would have been “Network Flow Analysis with Flow-Tools,” as the bulk of the book deals, in great detail, with configuring and using the flow-tools suite.

Unfortunately, a side effect of this choice is that more time is spent explaining the intricacies of flow-tools than is spent on how to make use of the collected data. This is the one big flaw in Network Flow Analysis. Most of the text is spent looking at using flow-tools, and too little is afforded to real-world applications of flow analysis. To be fair, Lucas does suggest real-world applications for the data at various points throughout, but these serve mostly to illustrate his explanations and do not dive deeply into solving specific problems. At the end of the book, a seven-page section entitled “Problem Solving with Flow Data” provides most of what constitutes the analysis portion of the book. A few case studies illustrate how one might use flow data to solve problems such as broken applications, misconfigured NAT rules, and identification of infected computers. I expected to find more of this in a book entitled Network Flow Analysis and wish that an additional fifty pages had been dedicated to this type of content. Nevertheless, the few case studies that are presented may well be enough to trigger ideas for other searches or reports that could be useful.

The only other weakness in Network Flow Analysis is its reliance on the flow-tools software. This is not the author’s fault, but merely a function of time. When the book was published in 2010, flow-tools was still receiving some active maintenance and was a logical software choice. Indeed, it may still be serviceable for many purposes, including learning the fundamentals. However, at the time of this review, flow-tools has not been updated since August 2010. So, anyone seeking to implement a free and/or open-source solution in production may need to look elsewhere. I have heard good things about the Argus Project from QoSient, LLC, but have not used it.

Regardless of its few flaws, Network Flow Analysis still lives up to and exceeds most expectations. Readers will learn, in what is likely the fastest way possible, how to use the selected tools to deploy a flow monitoring architecture and analyze the resulting data. But even those readers who already have a system in place, be it open-source or commercial, can still find value in Lucas’s beginning-to-end presentation of network flow. Because he describes the nature of the raw data before diving into specific tools, Lucas provides a firm foundation for readers to interpret and analyze flow data using any platform. This is especially valuable as many systems have a tendency to overlay and obscure the raw data for the sake of adding features. By first describing the raw flow data, Lucas makes it clear what the data can and cannot tell us. That is knowledge readers can easily apply to any flow monitoring architecture they may have. Furthermore, the analysis case studies, while fewer than I would like, provide helpful examples and can point to other possible uses for the data.

Network Flow Analysis is a crystal-clear technical guide to a subject every network administrator and network security practitioner should understand. This is simply a must-read book for anyone in those fields. It may well prove to be the only book on the subject that you ever need to read.

Marks: 4 out of 5
****