// Comparison

Linux Firewalls vs The Practice of Network Security Monitoring: Which Should You Read?

Two cybersecurity books on Networking, compared honestly: who each is for, what each does best, and which to read first.

Intermediate

4/52007

Linux Firewalls

Attack Detection and Response with iptables, psad, and fwsnort

Michael Rash

Michael Rash, author of psad and fwsnort, on building and operating Linux-native packet filtering and intrusion-response tooling. Pre-nftables in detail but conceptually durable.

Intermediate

5/52013

The Practice of Network Security Monitoring

Understanding Incident Detection and Response

Richard Bejtlich

Richard Bejtlich's NSM playbook: how to deploy collection sensors, validate that you actually see what you think you see, and build detection workflows around open-source tools.

Read this if

Linux administrators and defensive practitioners who need to actually configure a firewall, not just understand the concept. Rash's iptables coverage remains the cleanest practical introduction; psad and fwsnort for the active-response side.

Every SOC analyst and detection engineer. Bejtlich's foundational text on NSM: collect-everything, alert-on-narrow, investigate-broadly. Defines the vocabulary the modern detection field still uses.

Skip this if

Readers fully on nftables / firewalld / cloud-native security groups, or anyone wanting an architecture-level treatise. The book is hands-on iptables rules and analysis, not a strategic frame.

Readers wanting current SIEM tooling specifics. The book pre-dates EDR-as-default and modern cloud-native telemetry; the principles transfer, the tooling specifics don't.

Key takeaways

iptables remains the foundational mental model; even in nftables-or-eBPF environments, understanding match-and-target chains is required to read the rule sets the field still ships.
Active response is a real defensive option that's easy to overstate; the book's chapter on the trade-offs is appropriately cautious.
Port scanning detection (psad) and signature-based blocking (fwsnort) are still useful primitives that punch above their weight in budget-constrained environments.

Detection without prevention is a strategic choice, not a fallback; Bejtlich was years ahead in arguing the case and the book remains the clearest argument.
The four data types (full content, session, transactional, statistical) are still the right framework for thinking about detection coverage.
Most SOC failures are organizational and procedural, not tooling; the book's chapters on workflows, runbooks, and analyst growth are still the best in print.

How they compare

We rate The Practice of Network Security Monitoring higher (5/5 against 4/5 for Linux Firewalls). For most readers, that means The Practice of Network Security Monitoring is the primary pick and Linux Firewalls is a useful follow-up.

Both books target intermediate-level readers, so the choice is about topic, not difficulty.

Linux Firewalls and The Practice of Network Security Monitoring both cover Networking, Defensive, so reading them in sequence reinforces the same material from different angles.

Keep reading