Slashdot Mirror
Internet Site Security
About the authors
Erik Schetina, CISSP, is the CTO for TrustWave Corporation. He spent 14 years with the U.S. Department of Defense developing information security systems and public key cryptosystems. Jacob Carlson is a senior security engineer for TrustWave Corporation. His primary role is leading the penetration testing and vulnerability assessment team. In his copious free time he likes breaking things and writing code. Ken Green is a senior security engineer for TrustWave Corporation where he works extensively on intrusion detection systems, firewalls, and virtual private network initiatives.
When you read biographies like the ones above you can be somehow reassured that the content of the book is good. All of the authors come from TrustWave Corporation and the fact that they work together has influenced the writing of this book, in a very good way.
The basicsAt the very beginning of the book the authors show us that the starting point of building a secure environment is not the implementation of a solution but rather the defining of the assets we want to protect. You have to know what's a threat to your assets in order to choose the best security solution.
The authors manage to successfully illustrate how different things such as system administration, policy and audits fit into an overall security plan. Through the book, the authors educate the reader by making sure he sees "the big picture." The bottom line is that "the transition from a techie to a security professional consists in the recognizing the importance of all the components of security." In the second chapter some great material is covered: description of the security process, assessment and policy, asset protection, monitoring and detection.
Which one is better?When describing the way things can be done, the authors always give you the pros and the cons. For example, at one point they describe the difference when using commercial scanners in penetration testing compared to using a team of people who will do it by hand. They provide good pros and cons for both ways, and that's one of the great things about this book, you always get to look at the other side of the coin.
The insecuritiesWhat we all know is that the Internet is inherently insecure -- that's why this book was published in the first place. The authors explain why it's insecure, who administers it and how it works. Some of the topics presented here are: an overview of TCP/IP, the Domain Name Service (DNS), Whois databases, anonymity, and much more.
History is also present in this book. Chapter 4 begins with a brief overview of the history of the Internet and the TCP/IP protocol suite. Also mentioned is the Morris Worm (November 1998). As we move on, the DNS is explained in greater detail (with some security issues addressed specifically), and we are slowly presented with an abundance of technical details that stretches over several chapters. Some of the things that are explained in the book include: secure protocols, virtual private network protocols and encapsulation, the secure shell (SSH) and authentication systems.
As an inevitable part of a book of this kind, there's a part dedicated to passwords (and good rules for their generation), and another on digital certificates. The authors present the shortcomings of certificates as well as their best uses. Although neither of these are explained in great detail, you'll be able to get an overview of the things presented.
Moving on, we get a plethora of information covering: firewalls, DMZs, VPNs, external and internal threats, the security of wireless networks, workstation management issues, intrusion detection systems and log processing, etc.
Operating systemsThe book also gives some good information when it comes to operating systems and server software. Some of the covered topics include:
- Windows NT and 2000 - authentication, access tokens, security identifiers, object access control lists, tightening Windows users rights, etc.
- Linux - overview of the Linux Kernel, file system permissions, authentication mechanisms, how PAM works, etc.
- Server security: web, mail, FTP, etc.
If you want information about attacks, denials of service attacks are covered in great detail, along with many other attack scenarios. Since you also want to protect yourself from all of these attacks there's naturally much material dedicated to firewalls: their functions, implementation issues and vulnerabilities. Now that's not enough, is it? Now you want more. There's a whole chapter dedicated to intrusion detection systems and one dedicated to incident response and forensics. The chapter on incident response and forensics will be of particular interest for all of you who want more knowledge of legal and privacy issues.
Secure CodeTo complete the book, there's a chapter dedicated to the developers, which discusses the development of secure Internet applications. Here you'll be able to read about common sources of programming mistakes, exploiting executable code, application-level security, coding standards, and more.
The verdictThis book manages to shade a new light on the problems of security implementation by explaining the position of the system administrator and the position of the IT manager in order to make them both understand their role in the overall process of security in the company. It's a good idea to give it to both your IT manager and your system administrator, they will both learn from it and in the process start to understand each other on a new level. With this book, you basically learn to think on a larger scale.
There are not many downsides. There are basically only two things that I didn't like about this book: the lack of resources, and (in parts) the writing style. There are not enough resources listed, and I always like to get to more information. As regards the writing style it's obvious that this book was not meant to entertain in any way, but it sometimes seems a bit too serious. I always believed that learning should be fun. That's just me :)
Overall, this is an excellent book, two thumbs up!
If you're interested in hearing what one of the authors of the book has to say, you can check out an interview with him here. You can purchase Internet Site Security from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Well, here was me thinking that the morris worm was in 1988, not 1998.
-- Hulver's site
I don't want to wade through 1500 pages of crap if the text can be condensed into 50 pages. I always got pissed of at those certain linux-books that had 100 pages of introductory material written by the author and 1400 pages of reprinted HOW-TOs and man-pages. That just plain sucks.
K&R book was OK. Anything beyond 500 pages is way too much, unless you're aiming at "The World Explained for Really Dumb People: From Physics to Philosophy"
Most of those huge books contain several hundred pages of pure reference in the back - for example, a large number of appendices. An html book I have here contains quick tag listings, number-->symbol conversions, etc. Sometimes they're more useful than the rest of the book's content.
I alternate between posting +5 and -1 Comments. Karma: +53 -47 = 6
at the end of the review. If you decide to buy this book consider using the /. clickthrough link. It generates revenue for the /. crew, and is a convenient way to shop. This is a new feature outside of the OSDN advertising. So support Rob and the crew directly and click on that link.
If we don't fight for ourselves no one will.
Looks like you can pick it up for about US$35.99 (I have no connection to this vendor).
When you have nothing left to burn you must set yourself on fire
Contrary to popular belief, it isn't impossible to run IIS and not get hacked.
../../../cmd.exe stuff)
;)
We ran about 30 of them, and if you are clever about it, you can do all kinds of things to keep the bugs out.
Step 1. Remove all mappings apart from asp.dll
Step 2. Keep web content on a different drive to the system (thus negating
Step 3. Disable, and never use the default website.
With those 3 things, you don't get affected by about 60% of the bugs.
Add things like making all the static content read only, and only allowed a certain secured firewalled server to update the DBs, and you're almost there. Disallowed any net connections originated by the webservers (with exceptions of course) and you rule out strange shells making connections to IRC servers, etc.
The only other thing is then to STAY PATCHED.
Having said what I've said, I wouldn't like to do it again. Keeping those things secure took up so much of my time. Should it be a full time job to keep webservers running securely?
rpm --freshen -vah apache*.rpm anyone?
Now I have lots more time to do more interesting things
Get your own free personal location tracker
Did anyone notice that there is a newer book available on amazon.com than the book mentioned it the text above? The publisher is now Addison Wesley Professional and it is also a little bit cheaper. It has the same amount of pages and seems to be the same edition.
.sigh
Some people buy cars with the turning radius of an oil tanker, books with 10 pages of useful content and 1000 pages of bug-ridden listings, and big plastic boxes with a couple of silicon chips in them, so maybe this is a cultural thing. I leave admiring the bigger is better idea to personal attributes (Jouko Ahola/Lola Ferrari/Filip Smirnov for example) or possibly monumental architecture rather than consumer items.
If you're interested writing secure applications for Linux/Unix systems, take a look at my free book, Secure Programming for Linux and Unix HOWTO, available at http://www.dwheeler.com/secure-programs.
- David A. Wheeler (see my Secure Programming HOWTO)