Slashdot Mirror
Designing Network Security
Weighing in at a hefty 745 pages, Designing Network Security is a concise and authoritative guide to the sometimes daunting task of designing secure networks - with a special emphasis placed on Cisco solutions, of course. The book is divided into three major sections:basic theory and essentials; policy design and best practices; and implementation with Cisco hardware. In my opinion this book is best suited as a reference book for those who already have a firm foundation in security and networking, but could also be of value to beginner level techs with a bit of patience. While the topics that are covered have all pertinent information discussed, some might wish that there were a bit more explanation of the Hows and Whys.
The first section, "Security Fundamentals," is an especially valuable part of the book in that it provides a great desk reference to the building blocks of secure networks. The first chapter deals with the basics of encryption technologies - symmetrical/asymmetrical cryptography, digital hashes, public key systems, etc. From there the book moves into what is probably its meatiest chapter, covering the application of encryption to security technologies which range from TACACS+ authorization to TLS encryption. Building on previous chapters, the third chapter deals with the application of these security technologies in protecting real world installations. I was especially impressed with the attention paid to wireless and VoIP technologies in this chapter - this is one of the first discussions of VoIP security I have seen in a general reference book. The first section winds up with a fairly exhaustive discussion on routing protocol security which I also thought was excellent.
The second section, "The Corporate Security Policy," is a good reference to infosec management. Many topics covered in this section are applicable to the CISSP exam - so if that is a career goal for you, this can act as one of your study guides. The section begins with a discussion of threats in the enterprise environment. Types of threats as well as common protocol vulnerabilites are discussed. I felt that some of the material in this chapter was a bit dated, in particular the sections on TCP sequence number attacks (most recent OSes have improved their sequence generation routines to make it nearly impossible to do this) and the ping of death (which I don't remember working on anything after Windows 95 or Linux 2.0.23). The next chapter is a bit more valuable in its discussion of the basics of risk assessment and management. This leads into a discussion of actual design and implementation of security policy. Sample topics include physical/logical controls, data confidentiality, and policies/procedures for staff. And finally this section concludes with a good chapter on incident handling and response.
The final section, "Practical Implementation," is the Cisco-centric third of the book. Many parts of this section are a good reference to points covered on the CCSP exams, especially the SECUR test. The first chapter deals with configuring access controls and audit on Cisco devices from the PIX to switches and routers. A brief discussion of intrusion detection implementations is also included. The next chapter consists of primarily information dealing with firewall/screening router construction - content filtering, packet screening, and the various types of IOS filters. Several implementation examples are included to walk you through the process of configuring CBAC (content-based access control) and the Cisco PIX. From there the section moves to remote access security, with good sections on all Cisco based AAA (authentication, authorization, and accounting) features including lock-and-key and accounting-based billing. Finally, the book wraps up with a chapter on securing VPN, Wireless, and VOIP networks which focuses more on design than implementation, although there are still some Cisco (PIX) based examples. The book's appedices cover DDOS attacks, well-known port numbers, and guidelines for reporting and preventing intrusions.
Overall, I felt this was an excellent book which clearly fufilled its purpose. For the intermediate to advanced network security engineer this could act as an excellent desktop reference, while still being accessible enough to teach to the beginner. The writing style is clear and precise, and I found no technical errors in the material presented. As I mentioned, the book could act as an additional study aid for several security certifications, including the CISSP or the CCSP. I look forward to the next volume by Ms. Kaeo.
You can purchase Designing Network Security, 2nd Ed. from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Cisco was actually sending this book out for free a few months ago, and thanks to somebody's making me aware of this deal I managed to snag a copy.
:)
I'm no network security guy, more just a mundane perl hacker, so most of the chapters were over my head and I'm not really qualified to comment on the contents, but I can at least assert that the book is indeed very comprehensive and well-written, and I liked the diagrams, though I couldn't exactly recall what they were about. My only complaint was that the focus seemed exclusive at times on only securing Cisco equipment, which means that it has a rather narrow focus if one isn't deploying their technologies.
Hopefully some day when some corporation views my over-inflated resume and decides to trust me with their datacenter, I'll remember everything I skipped over in this quality book
Compared to the first version of this title, the second version offers information regarding leading edge technologies such as Voice over IP (VoIP) and wireless networks. Another topic covered in the second version is Virtual Private Networks (VPN). Making the second version of this title a very well rounded resource. Another new chapter in the second addition is on Routing Protocol Security. The Routing Protocol Security chapter has some good information on several of the widely deployed Interior Gateway Protocols such as RIP, EIGRP and OSPF. The chapter covers information mostly on the authentication pieces and fundamental rules of each routing protocol and not much more.
I found the small section on BGP in the chapter to be a little sparse and expected BGP to be covered in a bit more detail. Nonetheless, is does mention briefly, some of the challenges with BGP and a few of the proposed successors of the BGP protocol such as S-BGP and SoBGP.
This is an all-a-round good reference for network security.
Although I don't think I have needed any... been running Windows Server 2003 for about 2 years now and have never been without problems for a single day.
Exactly.
Designing network security is easy, I already learned about this in movies and books by Gibson. First, you need to cyberjack a killer ICE. If you use a BLACK ICE, you can actually kill the jackers that are cracking into your mainframe by overloading their neural interfaces.
Something else you might do is write defensive viruses that sit on your router and can be deployed against attackers.
Another thing that has good success is having circuit breakers hooked to your network interface that can channel all the power from your corporate reactor straight into the network. This will cause any attackers machine to burst into flame.
Artificial intelligence bots can be a cheap way to get good security, but keep in mind that they can go rogue, so also keep a stable of CircuitRunners, basically AI Bounty Hunters that can track down your security AIs and terminate them if they go rogue. Symantec makes good CircuitRunners, I hear.
Oh, be sure to hire a network administrator that 'knows linux'. It's probably best to hire someone young who has the dexterity to use the 3d flythrough administration interface.
Good luck, and be secure in the knowledge that you can now jack into your iron in safety!
Honestly, unless you are selling a book, I heave heard that the only real problem with Linux network security involves the fact the patches for it's many security flaws are often themselves compromised and infected with trojans, etc.
I realize that I'm just feeding the troll, but I've never run across a single 'security patch' that has introduced a single trojan into any of the Linux systems I administrate. In addition, Debian (my distribution of choice), as well as every other major vendor (to my knowledge) signs and checksums their packages to prevent tampering. Sure, the package archives don't use SSL, but that's because you don't need to -- it would be much easier to break in to the package repository than it would be to properly rewrite the packet stream in such a fashion so that it would even be functional, much less provide an appropriate checksum.
A good case-in-point of how well this system works is the recent Debian break-in, in fact. Despite losing *four* crucial systems to a compromise, the integrity of the package archive was kept intact, because of GPG signatures, md5 checksums, and a massive pile of worldwide archive sites against which to verify. The compromise, recovery, and analysis of the break-in was kept open to the public, with factual updates made available at every step of the way. No cover-ups, no spin, no attempts to conceal the severity of the compromise. Just plain honesty.
This prompts a very important question: Would you expect the same from Microsoft if they had faced a similar break-in?
--
I Hit the Karma Cap, and All I Got Was This Lousy
Sounds like an interesting book. If you're interested in security topics, I can't recommend Bruce Schneider's (author of Applied Cryptography, among other things) Crypto-gram newsletter. It's free and gives a great overview of the news on computer security. His focus is often on ineffective security measures that people manage to avoid and how they can be improved. Well worth reading.