Slashdot Mirror
Internet Site Security
About the authors
Erik Schetina, CISSP, is the CTO for TrustWave Corporation. He spent 14 years with the U.S. Department of Defense developing information security systems and public key cryptosystems. Jacob Carlson is a senior security engineer for TrustWave Corporation. His primary role is leading the penetration testing and vulnerability assessment team. In his copious free time he likes breaking things and writing code. Ken Green is a senior security engineer for TrustWave Corporation where he works extensively on intrusion detection systems, firewalls, and virtual private network initiatives.
When you read biographies like the ones above you can be somehow reassured that the content of the book is good. All of the authors come from TrustWave Corporation and the fact that they work together has influenced the writing of this book, in a very good way.
The basicsAt the very beginning of the book the authors show us that the starting point of building a secure environment is not the implementation of a solution but rather the defining of the assets we want to protect. You have to know what's a threat to your assets in order to choose the best security solution.
The authors manage to successfully illustrate how different things such as system administration, policy and audits fit into an overall security plan. Through the book, the authors educate the reader by making sure he sees "the big picture." The bottom line is that "the transition from a techie to a security professional consists in the recognizing the importance of all the components of security." In the second chapter some great material is covered: description of the security process, assessment and policy, asset protection, monitoring and detection.
Which one is better?When describing the way things can be done, the authors always give you the pros and the cons. For example, at one point they describe the difference when using commercial scanners in penetration testing compared to using a team of people who will do it by hand. They provide good pros and cons for both ways, and that's one of the great things about this book, you always get to look at the other side of the coin.
The insecuritiesWhat we all know is that the Internet is inherently insecure -- that's why this book was published in the first place. The authors explain why it's insecure, who administers it and how it works. Some of the topics presented here are: an overview of TCP/IP, the Domain Name Service (DNS), Whois databases, anonymity, and much more.
History is also present in this book. Chapter 4 begins with a brief overview of the history of the Internet and the TCP/IP protocol suite. Also mentioned is the Morris Worm (November 1998). As we move on, the DNS is explained in greater detail (with some security issues addressed specifically), and we are slowly presented with an abundance of technical details that stretches over several chapters. Some of the things that are explained in the book include: secure protocols, virtual private network protocols and encapsulation, the secure shell (SSH) and authentication systems.
As an inevitable part of a book of this kind, there's a part dedicated to passwords (and good rules for their generation), and another on digital certificates. The authors present the shortcomings of certificates as well as their best uses. Although neither of these are explained in great detail, you'll be able to get an overview of the things presented.
Moving on, we get a plethora of information covering: firewalls, DMZs, VPNs, external and internal threats, the security of wireless networks, workstation management issues, intrusion detection systems and log processing, etc.
Operating systemsThe book also gives some good information when it comes to operating systems and server software. Some of the covered topics include:
- Windows NT and 2000 - authentication, access tokens, security identifiers, object access control lists, tightening Windows users rights, etc.
- Linux - overview of the Linux Kernel, file system permissions, authentication mechanisms, how PAM works, etc.
- Server security: web, mail, FTP, etc.
If you want information about attacks, denials of service attacks are covered in great detail, along with many other attack scenarios. Since you also want to protect yourself from all of these attacks there's naturally much material dedicated to firewalls: their functions, implementation issues and vulnerabilities. Now that's not enough, is it? Now you want more. There's a whole chapter dedicated to intrusion detection systems and one dedicated to incident response and forensics. The chapter on incident response and forensics will be of particular interest for all of you who want more knowledge of legal and privacy issues.
Secure CodeTo complete the book, there's a chapter dedicated to the developers, which discusses the development of secure Internet applications. Here you'll be able to read about common sources of programming mistakes, exploiting executable code, application-level security, coding standards, and more.
The verdictThis book manages to shade a new light on the problems of security implementation by explaining the position of the system administrator and the position of the IT manager in order to make them both understand their role in the overall process of security in the company. It's a good idea to give it to both your IT manager and your system administrator, they will both learn from it and in the process start to understand each other on a new level. With this book, you basically learn to think on a larger scale.
There are not many downsides. There are basically only two things that I didn't like about this book: the lack of resources, and (in parts) the writing style. There are not enough resources listed, and I always like to get to more information. As regards the writing style it's obvious that this book was not meant to entertain in any way, but it sometimes seems a bit too serious. I always believed that learning should be fun. That's just me :)
Overall, this is an excellent book, two thumbs up!
If you're interested in hearing what one of the authors of the book has to say, you can check out an interview with him here. You can purchase Internet Site Security from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
This may have been suggested before: /. should add what the "average price" for the book is in the review summary.
I know some subjects are "priceless" for some but for the common mortals affordability is the main concern :-)
The ENIAC Demo Competition
Are always horribly obsolete.
Due to the delay between when you write a book, and it's on the shelf at the store...
There's plenty of good reading though.
on the shelves of my former colleagues. One fellow in particular ws adamant about collecting these books. Unfortunately, he was not as rabid about IMPLEMENTING security. My point is, regardless of the size of the book or the library, it is all worthless unless the measures outlined and detailed are followed.
If we don't fight for ourselves no one will.
Yes, big books are kind of a trend in the computer-book realm. Where else in the bookstore would you find monstrous tomes like the ones you see on Visual Basic or Java?
:-) Much like the huge portions that restaurants now serve, people want to feel that they are getting some value for the obviously inflated prices. Even if they were only going to eat a small amount, they are happy to see a huge plate of food for their $12.
It has a lot to do with how much they charge for these books. You want $50 for a book that costs $3 to print? (I can hear the anti-RIAA trolls now
If you were to get a normal sized entree (or book) for the amount of money you are spending, you would feel that something is wrong, that you are getting ripped off somehow. Big books sell more than small books. Even if the content is the same. They will make the typeface larger and include tons of screenshots if that is what it takes to make a massive volume.
Let's look at some previous work of theirs, reprinted here
This demonstrates that as an industry we have a lot of work to do in security
I think that this comment by a M$'ie is the key point. If OS people sit around patting themselves on the back because of how much more secure OS is because of all those "talented eyes" that are poring over the code, then they are going to be in for a very rude awakening. All this "your software is less secure than mine" blustering just simply points out that the overwhelming majority of software that is used out there (regardless of the religious camp from which it originated) has serious security issues. The OpenBSD camp seems to be the only ones that are making a focused effort to try to shore things up in this regard, and until others (M$ and Linux) tackle the issue with the same zeal, we'll continue to have problems.
Big books are only worth it if they're a decent reference. Take my HTML reference book. It's huge, but most of it is a dictionary like reference to HTML tags, entity tables, etc. Most of the books I learn from these days aren't beginner books, and unless the subject is huge, don't need to be very thick. The thinnest book I bought in recent years (4 ago) was UML Distilled - it was excellent and downright thin.
>We all want 'big books'
No we don't. Personally, since reading Kernighan & Ritchie, I've been convinced that good books have to be slim.
(another precondition is that it doesn't have a "Learn X in x minutes/hours/days" title)
I honestly will not buy a technical book in the 1,000+ page range, especially if the title:
Why? Because I know I'm unlikely digest the contents of 1000+ pages of text on one subject, if I manage to finish it. I also generally suspect large books of rehashing FAQs or other widely-available docs just to fill pages.
I don't consider myself an O'Reilly bigot, though I do lean towards their books since they tend to publish smaller, focused books. If a book is pure reference, I may consider buying it if it's 1000+ pages. Following are examples of some great books I've bought that I found very useful and readable due to their small size:
The Internet already offers me an overwhelming, disorganized pile of information on any subject--and at least it's searchable via Google. Dead tree books have use when they're usable and organized, and I've found that generally translates into a smaller book.
Not only is a big book not necessarily better; it is almost invariably worse. For simple reasons: Writing well is difficult. It takes a lot of work for an author--or a team of two or three working closely--to produce 200 quality pages. 1000 quality pages would be a monumental effort that, frankly, nobody's going to put into a book on Visual Basic. Further, concision is a mark of good writing, so when you see a big book, you should wonder, "why were they not able to get this into 200 pages?". Not to mention that a big book takes longer to read, is harder to find things in, and is less convenient to use and carry.
For most technical books, the only ways to get to 1000 pages are to write sloppily, add filler, or employ many authors working independently. The last tends to produce an incoherent whole, and make each author care less about his contribution.
The main exceptions are books with a justifiably large reference section (large because there is truly a lot of valuable material to reference, which is uncommon), and, to some extent, books that have been through several editions, whose authors have put new effort into each edition.
The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
Actually, we just want good books.
The idea behind "big" books, is that it's a reference book. You only open it once or twice a week when you want a specific information (aka phone book).
if you want a book to introduce you to a subjet, it should'nt be 10000+ pages... just a small good read... that you read once and you can easily re-read when you to refresh you memory.
I live in Soviet Canuckistan you insensitive clod!
Honestly, if IIS was as insecure as Slashdot likes to think it is, wouldn't the Microsoft site have been hacked more often?
Microsoft's site isn't the problem. The problem is the hundreds of thousands of sites run by people that don't have unlimited budgets like Microsoft, nor the knowledge of the internals, nor the tweaked OSs. MS tried tweaking the hell out of their Hotmail backend to no avail.
MS works OK on the desktop, heck I have one Windows machine at home for gaming but that's it. Robustness and security are not on the MS game plan, point-&-clickability and profit are.
Trolling is a art,
why the parent post got modded down as a troll. I don't find anything particularly incindiery about what the poster said. Unlike a lot of posters here on slashdot, he actually took the time to think of something unique to say rather than repeating the same tired old arguments.
You may not agree with what he said, but I think he made his points rather well. If you disagree with what the poster said, why not post a reply?
The society for a thought-free internet welcomes you.