Slashdot Mirror

← Back to Stories (view on slashdot.org)

Network Security Assessment

Posted by timothy on from the no-such-anything dept.

Ben Rothke writes "There is a very simple albeit unscientific two-step test to see if a book about security assessments is for the serious security practitioner or for the script kiddie. Step one: Does the book use the term bulletproof or hacker-proof? Such nebulous terms are utterly meaningless. Especially since bulletproof deals with physical objects, and nothing, not anything, can ever be made hacker-proof. The second step is to see the books discussion and placement of the nmap tool within the book. While nmap is a invaluable and important security tool; it is nonetheless but one tool in a large security toolbox. Books that place the bulk of their discussion of nmap at the beginning of a book are generally focused on the blind running of tools without insight or analysis. Those that place nmap towards the latter parts of the book generally focus on the big picture." Rothke reviews below Chris McNab's book Network Security Assessment; read on to see how it handles his assessment. Network Security Assessment author Chris McNab pages 396 publisher O'Reilly rating 8 reviewer Ben Rothke ISBN 059600611X summary To-the-point and practical book for testing your own network, an important tool in the fight to keep out malicious electronic visitors.

With those two tests in mind, Network Security Assessment (NSA) passes with honors. The terms bulletproof or hacker-proof are not found at all. And at 355 pages in length, the book's discussion of nmap starts on page 324; a good sign indeed. NSA is written for a person who needs a thorough introduction to performing network assessments, but does not need the elaborate background that the Hacking Exposed series offers. The book's technical requirements are not that extensive; a basic understanding of security, IP networks, and generic networking is enough to understand the core concepts of the book.

The book's preface starts out with a simple fact, one that is not always obvious to many: It is never impossible for a hacker to break into a computer system, only improbable. When designing and security a network, it is the job of the security architect to maximize that level of improbability as much as possible. Anyone who makes their network even a little bit more security resilient will quickly find a drop in the number of security breaches.

The publication of Hacking Exposed a few years ago started a new era in books about network scanning. Hacking Exposed was the first popular book that detailed how to go about performing a penetration test. In a similar vein, NSA is comparable to Hacking Exposed in that it provides a framework for doing security assessments. The big difference is that NSA provides a much more structured approach to performing the assessment, whereas Hacking Exposed lacked that formal approach. Hacking Exposed also goes into more details in many areas, and its initial title has morphed into many other different titles.

This more formal approach is manifest in the books 14 chapters. The first two chapters of NSA start out with the fundamental need and requirements for performing a network security assessment, and then details the tools and methodologies required to bring that assessment to fruition.

Chapter 3 details the ins and outs of network enumeration and also shows how to use standard utilities such as whois and nmap for network enumeration. Perhaps one of the most beneficial features of the book is the selection of countermeasures that are found at the end of each chapter. These countermeasures are very useful in ensuring that any vulnerabilities are appropriately fixed.

Besides listing methods which an intruder might use to elude common security applications, the book also goes into numerous hacking tools. While some may see this as providing fuel to the fire, it is clear that the tools are readily available (and have been for years). Listing of such tools won't make hacking easier for miscreants and script kiddies; rather it provides a level playing field for systems administrators who need to defend against such hackers.

After network and host enumeration, NSA steps forward into topics such as dealing with web servers and CGI, remote access issues, and ftp and database security issues. Chapter 9 does a good job of focusing on Microsoft Windows security issues. While entire books have been written about weak Windows security protocols such as NetBIOS, SMB and CIFS, NSA does a good job encapsulating ways to keep vulnerabilities here in check. Readers are highly advised to put the Windows networks services countermeasures listed at the end of the chapter into use.

Chapters 10-12 deal with the myriad security issues with email, VPN and RPC issues. While most of the information in these chapters (and the book as a whole) has been elucidated elsewhere, there is nonetheless a lot of valuable information contained in the chapters.

Chapter 13, "Application-Level Risks," is important in that many organizations put far too much emphasis on security the perimeter and forgetting about the application. The need for more emphasis on application-level security is eloquently put by Marcus Ranum when he notes that "these days, with the kind of plug-ins that come in your typical browser, combined with all the bizarre undocumented protocols used by new Internet applications, make it highly unlikely that a firewall is doing anything more complex than a thin layer of policy atop routing. As such, the applications behind the firewall are now more critical to security than the firewall itself. Which should scare the holey moley out of you."

Chapter 14 closes the book with a methodology for running a network security assessment. The author notes that running an assessment requires more thought than simply running security tools in a haphazard manner.

Overall, Network Security Assessment provides a good framework for anyone who is serious about running network security scans to security his perimeter and interior networks. The book is written in a style that is readable and understandable style; while more of an introductory text, it does not treat the reader as a dummy.

When it comes to running a network security assessment, the methodology is often more important than the running of the tools. While there is nothing radically new detailed in NSA, it does provide an effective and comprehensive overview of the issues involved in only 355 pages. If you are looking for a to-the-point book that does not get bogged down with screen prints and meaningless hacker stories and myths, Network Security Assessment is a good place to start.

You can purchase Network Security Assessment from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

92 comments

  1. Preface by Rubberpants.net · · Score: 0, Troll

    Preface by Betty Carty

    1. Re:Preface by Anonymous Coward · · Score: 0

      Mod parent down -1 Useless Drivel To Gain Karma

    2. Re:Preface by SuneSpeg · · Score: 1

      I dont think he gives a sh*t about modpoints or karma, exposing his referal link to get a free monitor, seems top priority.

    3. Re:Preface by Rubberpants.net · · Score: 0, Redundant

      And since you noticed, it seems to be working.

    4. Re:Preface by Anonymous Coward · · Score: 2, Funny

      Speaking of security, to make this otherwise troll post ontopic, I broke into Rubberpants's freeflatscreen account, stole his info, and am now in the process of maxing out his credit card. Not only that, but I expect to make a good chunk of change selling his friends' email addresses to the most notorious spammers in the world. So think about it people, before giving your personal data to some shady site like this with no security.

  2. Hackerproof? by seagar · · Score: 5, Funny

    My old windows box is hackerproof. It's unplugged, under my desk being used as a footrest. I guess my physical security could get a bit lax when I fall asleep at my de..........

    --

    home of the original cupholder
    1. Re:Hackerproof? by sumdumass · · Score: 1

      yep it is laxed. I just snuck in and booted it up. had a little problem at first but i managed to get her to boot. I installed a wirless nick and a battery powered power suply so every day at 10 pm it will fire up and i can now use it to spam with.

      BTW you might want to get the toe jam fungus thing on your foot checked out. It looked really frightning

    2. Re:Hackerproof? by Anonymous Coward · · Score: 0

      Your login name is very appropriate...

  3. "How to hacker-proof your server with nmap" by SpaceCadetTrav · · Score: 5, Funny

    That's the name of my book. Does it qualify?

    --
    Life in Orange County
    1. Re:"How to hacker-proof your server with nmap" by JohnnyGTO · · Score: 2, Funny

      How to hacker-proof your server with the bullet-proof software nmap

      --
      Si vis pacem, para bellum! For evil to succeed good men need only do nothing!
  4. Nmap by Mateito · · Score: 4, Interesting

    Forget books. Everything you ever needed to know about nmap you can learn from this woman.

    --
    Norman Cook's Ode to Sl
    1. Re:Nmap by 0racle · · Score: 4, Funny

      Thats just nasty. I don't want to even think of the number of virus's that would be following her around.

      --
      "I use a Mac because I'm just better than you are."
    2. Re:Nmap by Anonymous Coward · · Score: 1, Informative

      I know quite a few people in the scene and I hate to break it to you but haxxxor porn has a few girls who were under 18 at the time of filming. Not the kind of thing you want to have laying around the house.

      Posting AC for a reason

    3. Re:Nmap by yerfatma · · Score: 3, Funny

      Eh, you were young. You needed the money. No one's going to hold it against you.

    4. Re:Nmap by Kn0w1 · · Score: 1

      I guess at the same you learn how to hack with one hand . .... tied behind your back.. yeah.

    5. Re:Nmap by Mateito · · Score: 1
      Not the kind of thing you want to have laying around the house.

      I don't care how old she is, she's just nasty. I wouldn't have her around the house anyway.

      --
      Norman Cook's Ode to Sl
  5. Proof. by Anonymous Coward · · Score: 3, Interesting

    Could someone explain why, technically, nothing is ever hacker-proof over a network connection? Computers are deterministic. Why is it impossible to keep something secure?

    1. Re:Proof. by SpaceCadetTrav · · Score: 0

      It's just one of those trendy sayings that's been getting hyped up these days. It's kind of like saying nothing could ever be water-proof.

      --
      Life in Orange County
    2. Re:Proof. by gantzm · · Score: 2, Informative

      Social Engineering

      Very non-deterministic.

      --


      Excessive forking causes un-wanted children.
    3. Re:Proof. by pixelpusher220 · · Score: 2, Insightful

      Computers are deterministic. Why is it impossible to keep something secure?

      Because we Human's are *not*. If it was written by a human, it will have 'undocumented features' whether purposely or not. Moreover though, if something is completely and utterly secure, it's also not likely to be very useful. A computer totally disconnected from the network can't be hacked from the network...but it defeats the purpose of having a network in the first place.

      --
      People in cars cause accidents....accidents in cars cause people :-D
    4. Re:Proof. by Carnildo · · Score: 2, Informative

      Look up the "halting problem" sometime. It's impossible to algorithmically prove that a computer program is correct (bug-free, etc.).

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    5. Re:Proof. by Jane_Dozey · · Score: 1

      Try proving that a computer is 100% secure (and thus hack-proof). It's an impossible task since the attacker might think of something entirely new and break into your system.
      Computers and software are complex (and getting more complex all the time). With complexity comes insecurity.

      --
      Silly rabbit
    6. Re:Proof. by rokzy · · Score: 1

      not having proof that something is correct does not mean it is not correct.

      there is no reason why something should not be totally secure.

      the only problem is making something secure AND easy AND cheap AND quick.

    7. Re:Proof. by kfg · · Score: 1

      It's kinda like vampires. They have no power unless you invite them in, but once you do invite them in keeping them out of your bedroom might prove problematic.

      And a network connection is inherently a form of invite.

      Vampires are rather crafty as well and are very adept at tricking you into inviting them in without your even knowing they're vampires. . .until you're trapped in your bedroom, waiting, in fear, as the mist seeps under the door crack, suddenly realizing that that expensive deadbolt lock and 4x6 bar were installed in vain against the creatures of the night.

      KFG

    8. Re:Proof. by Pantero+Blanco · · Score: 2, Insightful

      Theoretically, something could be "hacker-proof". Things start to break down when reality and practicality enter the picture. People leave security holes unintentionally, new cracking tools are developed, admins use "God" as their password, et cetera. There are so many spots where things can break down that it's best to have the mindset that no network can be hacker-proof.

    9. Re:Proof. by bgalehouse · · Score: 1
      Strictly speaking, there are formal methods for verifying properties of a computer system. In practice, there are several problems.

      One is that formal methods require a formal specification, and one can have a bug in a specification almost, but not quite, as easily as one can have a bug in code. And the day you security requirements change there is no reason anything you've done can be reused.

      Another is that it is expensive. To be safe you need to verify the hardware, the OS, and every program (unless you can prove that the OS fully isolates the programs from each other). I heard that some academics once built a computer and OS with this level of verification. By the time it was done, it was out of date, and the cost was extravagent back when computers were expensive.

      A limited form of this sort of technology is used in the Java VM. The VM verifies that the code is safe by creating a proof of safety before executing the code. There was once a bug in the verifier (in princicple one could prove correctness of the verifier, or at least create a proven correct verifier, but in practice...) also, there was at least once of case of a bug in a library which gave too much access to an applet. More discussion of this sort of technology can be found by look up, say, Proof Carrying Code (PCC) on google.

    10. Re:Proof. by Anonymous Coward · · Score: 0
      Look up the "halting problem" sometime.
      Turing machines don't have predictable halting because their memory is infinite.
      It's impossible to algorithmically prove that a computer program is correct (bug-free, etc.).
      Sure it is. Real computers have finite memory and operate deterministically. You "merely" have to evaluate all possible transitions and check if they're all allowed.

      The trouble is that writing down what is allowed is as difficult and error-prone as implementing the computer system. It doesn't necessarily buy you anything.

      Computers also interact with non-deterministic people, which is generally the largest security risk in the system.

    11. Re:Proof. by Dread_ed · · Score: 1

      DAMN that was spooky!

      Now I am scared to death of my internet connection.

      --
      When the only tool you have is a claw hammer every problem starts to look like the back of someone's skull.
    12. Re:Proof. by ponds · · Score: 1

      The problem is that of the complexity which information systems require to be of use to the general populus.

      There is a direct relationship between the complexity of software, and bugs in said software.

      It is not possible to make something totally secure and complex.

      If I were to write a server who's whole purpose would be to, upon a TCP connection, print the date to the client, there wouldn't be much chance for a bug, and much less chance for an exploitable bug.

      Now if I were to expand features on to my little daytime server above, each added feature is added complexity, is added potential bugs and vulnerabilities.

      NTP servers have had a few vulnerabilities in them, daytime has had none (I am not 100% sure on this, but it's less than NTP).

      We need complex systems for IT to do any good for us. The key to security is making those systems as modular, as separated, and as little kludgy and crufty as possible.

    13. Re:Proof. by jesser · · Score: 1

      Look up the "halting problem" sometime. It's impossible to algorithmically prove that a computer program is correct (bug-free, etc.).

      It is entirely possible to write proofs that programs are correct. In the Advanced Algorithms class I took, many of the homework problems were proving that short pseudocode programs were correct. (Proofs can be verified algorithmically, but that's not important the debate over whether it possible for software to not have security holes.)

      You misunderstand the halting problem. What is impossible taking an arbitrary program as input and always being able to say either "This program halts" or "This program does not halt". But if you're also allowed to say "I don't know" for some input programs, it is no longer impossible.

      Here's a dumb example:

      if (program == "")
      return HALTS;
      else if (program == "while(1);")
      return DOES_NOT_HALT;
      else
      return DONT_KNOW;

      Btw, there's something called "proof-carrying code", but I don't know much about it.

      --
      The shareholder is always right.
    14. Re:Proof. by chgros · · Score: 1

      Sure it is. Real computers have finite memory and operate deterministically. You "merely" have to evaluate all possible transitions and check if they're all allowed.
      Right. But just for the memory, if you have say 512MiB (2^29B), that's 2^(2^37) possibilities (not counting processor state). For all practical purposes, it can be considered impossible to analyze all possibilities.

    15. Re:Proof. by chgros · · Score: 2, Informative

      It is indeed possible to prove some programs correct (cf the famous Knuth quote, Beware of bugs in the above code; I have only proved it correct, not tried it.). However it is usually difficult, requiring annotations or other manual intervention to specify invariants. Other, more automatic kinds of checking are possible, but they're always incomplete; first of all, because it's impossible to check any kind of program property in general, and second, to achieve any kind of reasonable performance.
      I actually work for a company that sells such a checker (sorry, not FOSS, got to eat). Found hundreds of bugs in the linux kernel alone.
      As for proof-carrying code, it's code that carries around a proof of what it computes; the proof can be checked at the end of the program. Problem is that there is no guarantee that the proof will actually be correct, nor that the program will terminate. I almost published a paper on some sort of language where you could only carry around correct proof, so if you could get to the end of your program, you did the right thing (partial correctness). However the type of proofs you could have was very limited.

    16. Re:Proof. by Anonymous Coward · · Score: 0

      There's another side to this that is somewhat obvious when it comes to computer security. Any useful implementation of security means that you can legitimately access the secured material, while no one else can.

      Therefore, since there is *a* key to your system, there is no way to make sure no one can duplicate that key.

      It *may* be technically feasible to make a system secure by designing it such that no one can access the material... which would include those that would legitimately want to access the protected material. Figuring out how such a system would be designed is left as an exercise to the reader.

      Keeping everyone (this means you, too) out is easy. Allowing everyone in is easy. Selective admittance/exclusion... that's the tricky part. As well as being the hacker-proof problem.

    17. Re:Proof. by Anonymous Coward · · Score: 0

      The human problem has been mentioned, and is probably the biggest security hold in any system. We should also no forget the possibilty of attacks based on EM leakage such as TEMPEST, or even perhaps EM injection by who knows what means...Sure a computer may be "unhackable" if you place it in a lead/concrete bunker a couple of kilometres below ground, unconnected to other computers, designed with custom chips using trinary or other non-binary syste, guarded by a battalion of tanks. Probably useless unless it is calculating the answer to Life, the Universe and Everything, but even then it is still theoretically hackable with enough manpower (personpower?), ingenuity, and luck... The point being that the author is correct in arguing that it is not impossible for a hacker (or two, or more) to break into a system, only improbable. And it is only improbable if it is designed that way. It is the job of any good sysadmin to make sure that it is improbable as possible for anyone to break into the system, and hopefully any hackers will divert their attention elsewhere (although any hacker worth his/her spit probably loves a challenge).

      There are plenty of parables that echo this idea - If you and a buddy are confornted by a bear, you don't have to be faster than a bear to get away, you just have to be faster than your buddy...

      Just my 2 cents!

    18. Re:Proof. by makomk · · Score: 1
      It is entirely possible to write proofs that programs are correct. In the Advanced Algorithms class I took, many of the homework problems were proving that short pseudocode programs were correct. (Proofs can be verified algorithmically, but that's not important the debate over whether it possible for software to not have security holes.)

      Yes, if by 'correct' you mean 'meets some definition of how it should behave'. There's no guarantee that your definition of 'correct' is actually correct.

  6. All I got to say is... by jayhawk88 · · Score: 5, Funny

    ...if nmap is good enough for Trinity, it's good enough for me.

    1. Re:All I got to say is... by srvivn21 · · Score: 0

      I know no one cares, but I have to reiterate:

      TRINITY DIDN'T USE NMAP IN THE MATRIX!

      The crew whose responsibility it was to shut down the power station actually breached the system. Prior to completing their mission, their ship and bodies in the "real world" were destroyed by squiddies. Trinity walked up to a breached system and ran the shut-down command.

      *sigh*

    2. Re:All I got to say is... by makomk · · Score: 1
      TRINITY DIDN'T USE NMAP IN THE MATRIX!

      Jeez, I must have been hallucinating...

      (PS. If I was using my home PC, I'd take a screenshot and prove it one way or the other)

  7. Whole series by MikeMacK · · Score: 5, Funny
    The book is written in a style that is readable and understandable style; while more of an introductory text, it does not treat the reader as a dummy.

    No, we have a whole series of books for that.

  8. The Utility of Firewalls by airConditionedGypsy · · Score: 5, Insightful
    "..these days, with the kind of plug-ins that come in your typical browser, combined with all the bizarre undocumented protocols used by new Internet applications, make it highly unlikely that a firewall is doing anything more complex than a thin layer of policy atop routing. This pronoucement is right on the money. Firewalls are but one tool in our arsenal. <Insert relevant prose about defense in depth, yadda yadda.>

    As such, the applications behind the firewall are now more critical to security than the firewall itself. Which should scare the holey moley out of you."

    Firewalls were invented to essentially protect us from bad software engineering. Bad software engineering remains a problem. A good question is whether or not firewalls should be made more complex, or left as simple packet filters... there is simply no way for a firewall at the edge of a network to make intelligent decisions about application data flying past it.

    We need fundamental advances in creating robust, secure, and self-recovering software.

    --
    I bootleg Fizzy Lifting Drinks.
    1. Re:The Utility of Firewalls by D3 · · Score: 4, Informative

      ". there is simply no way for a firewall at the edge of a network to make intelligent decisions about application data flying past it."

      Really, so then PIX fixup does nothing for you? How about Checkpoint's AI? Funny how I have lots of logs for the drops on my firewalls that are exactly because of application data triggering something the firewall doesn't like.

      --
      Do really dense people warp space more than others?
    2. Re:The Utility of Firewalls by Anonymous Coward · · Score: 0

      We need fundamental advances in creating robust, secure, and self-recovering software.

      We also need cars that drive themselves, and self healing bodies for that matter. Get real. :-)

    3. Re:The Utility of Firewalls by airConditionedGypsy · · Score: 1
      Probably easier to create better software than to have cars that drive themselves. Your body already heals itself. If you want limb replacement, talk to genetic engineerings that want to insert whatever the heck crawfish have into us to regrow limbs.

      --
      I bootleg Fizzy Lifting Drinks.
    4. Re:The Utility of Firewalls by airConditionedGypsy · · Score: 4, Insightful
      Which these sorts of tools, you need a signature to match against. Doesn't really do any good to catch Code Red sigs after patches have been applied, and only slows down traffic processing. The firewall has to stop and reassemble the packets, and then make a decision based on a-priori knowledge of that particular application-level protocol.

      Sure, firewalls can catch this sort of low-hanging fruit, but how can a firewall make a useful decision about an otherwise syntactically legal piece of data that goes past it? All sorts of stuff gets tunneled over HTTP. If the firewall knows about authorization decisions and correct behavior of all the applications behind it, that's a pretty meaty firewall, and probably very prone to subversion itself.

      --
      I bootleg Fizzy Lifting Drinks.
    5. Re:The Utility of Firewalls by Homology · · Score: 1
      We need fundamental advances in creating robust, secure, and self-recovering software

      Perhaps the devolopment process of OpenBSD might give you a hint.

    6. Re:The Utility of Firewalls by Yobgod+Ababua · · Score: 3, Informative

      "there is simply no way for a firewall at the edge of a network to make intelligent decisions about application data flying past it."

      There are plenty of ways for a firewall to make intelligent decisions about the application data going past it.

      The first (and perhaps easiest) level is just to check that traffic conforms to known protocol specifications, as it's very often dealing with 'impossible' data that causes applications to have problems. As a simple example, simply blocking HTTP GET or POST requests with absurdly large fields can help prevent a whole range of webserver exploits.

      You can't always count on the application software to properly check every field and flag to verify that the packets it's receiving conform to the protocols standards and limitations. In these cases it's very useful (and, for large or complex installations possibly much easier) to perform those checks at the firewall.

      Beyond that, you really need to perform more in-depth characterization of your allowable traffic in order to intelligently characterize it, but there are numerous companies working on helping firewalls do just that.

      "We need fundamental advances in creating robust, secure, and self-recovering software."

      I'll agree with that, at least.
      Software needs to learn how to laugh. (When people are confronted by the impossible, contradictory, or unexpected, we generally laugh and move on without crashing...)

    7. Re:The Utility of Firewalls by D3 · · Score: 2, Informative

      Both of these firewalls and others do more than just simple signature matching and will continue to add more features to detect unwanted traffic at all layers of the OSI model. They can and do catch stuff tunnelled over HTTP. I would agree they aren't perfect solutions but they can do much more than the simple proxy stuff of days gone by.

      Also, with the speed of modern CPUs the performance hit is negligable. We have dual OC-3 pipes and our firewall doesn't break a sweat. Try a copy of Checkpoint's Secure Platform on a cheap but powerful Intel box and just try to get the CPU to be slammed.

      --
      Do really dense people warp space more than others?
    8. Re:The Utility of Firewalls by Beryllium+Sphere(tm) · · Score: 4, Insightful

      You described firewalls that are making useful decisions about incoming application data, but I question whether they are intelligent decisions.

      After all, why do we have the problem that application-aware firewalls are trying to solve? Because we can't trust the applications to figure out whether their own incoming data is safe to eat. Can we make firewalls smarter about application data integrity than the applications are? If we can, do we want to put all that logic in a high-traffic area?

      The niche where I'd recommend a layer 7 firewall is when it's unsafe to update production systems to fix a vulnerability.

    9. Re:The Utility of Firewalls by techno-vampire · · Score: 1

      In general, a firewall can only stop what it's been told to stop. This may include "all misformed packets," or "all ports except specific ones." However, just because a port has a standard usage doesn't mean it's only used for just that. An applet can send out a request over port 80 and download a trojan over (let's say) port 110 and your firewall will probably think the incoming packets are just email. Yes, having AI in your firewall may help to some extent, but that means analyzing every connection and slowing down throughput until the AI's satisfied. Even if you don't mind the lag, it's still not 100% certain because the malware can easily mimic the correct handshaking for that protocol. About the best you can get is to make it hard enough to get through that skript kiddies won't know how and those that do won't feel it's worth the effort.

      --
      Good, inexpensive web hosting
    10. Re:The Utility of Firewalls by Anonymous Coward · · Score: 0

      "A good question is whether or not firewalls should be made more complex, or left as simple packet filters... there is simply no way for a firewall at the edge of a network to make intelligent decisions about application data flying past it."

      One very useful situation for a firewall might be in the case of a complex web application that stores credit card numbers. You could store a dummy or known credit card number in your table and set your firewall to look for that number in its outbound traffic. Since that number should never be seen in normal operation you can assume that something has gone (quite seriously) wrong if it ever comes up.

    11. Re:The Utility of Firewalls by Florian+Weimer · · Score: 1

      Really, so then PIX fixup does nothing for you? How about Checkpoint's AI?

      PIX fixups often don't work (SMTP, H.323, even Cisco's proprietary Skinny protocol for VoIP signaling). Maybe Checkpoint is better, but I doubt it.

      My trouble with these "intelligent firewalls" is that they are extremely complex, sometimes even more complex than the systems that they are trying to protect. Complexity leads to configuration errors and software bugs, and ultimately to vulnerabilities.

      Therefore, it seems to be better to use very basic packet filters to separate critical systems from the remaining parts of the network, and secure the systems themselves. If this is impossible (for example, your very expensive new online banking application has countless SQL injection bugs), you might be forced to put an application layer gateway in front of it that verifies all HTTP requests (and handles the SSL encryption). But this should be an exception, not the norm.

    12. Re:The Utility of Firewalls by juliao · · Score: 1
      The niche where I'd recommend a layer 7 firewall is when it's unsafe to update production systems to fix a vulnerability

      I wouldn't just say "unsafe", but also when it is unfeasible. Production systems are sometimes commercial products, sometimes they are custom built but you don't have anyone who can read, understand or touch the code.
      Sometimes it is a lot easier to implement and maintain a simple app-level filter that screens traffic for known-good patterns and leaves out everything else than it is to even understand in which part of a production application to put that kind of filtering.

      --

      free the mallocs!

    13. Re:The Utility of Firewalls by makomk · · Score: 1

      Actually, it's worse than that. SHTTP connections for example are designed so that the contents are not visible to any systems except the two ends of the connection. So there's no way a firewall can validate the contents.

  9. Security Book? by Anonymous Coward · · Score: 4, Funny

    No thanks, I'm going to Grandma .

  10. Style? by Anonymous Coward · · Score: 5, Funny
    The book is written in a style that is readable and understandable style

    Is it written in a more grammatical style than your review?

  11. memory scrubbing by Anonymous Coward · · Score: 1, Interesting

    Is there a patch for Linux that implements scrubbing sensitive memory pages? At the kernel level I mean (hooked into malloc/free). Ideally I'd like to be able to mark some processes as "sensitive" (via a system call maybe) and when said process exits, Linux scrubs all their pages clean...

    1. Re:memory scrubbing by Anonymous Coward · · Score: 0

      Isn't this how it works already? Everything is 0'ed when allocated.

    2. Re:memory scrubbing by Anonymous Coward · · Score: 0

      If you're that worried about people finding your goat pr0n, you should write the patch yourself :-P

  12. mod up by Anonymous Coward · · Score: 0

    Computers are only deterministic when they're working properly, nothing is ever 100% going to work properly.

    I think you can make an un-compromisable computer (by running off ROM, for instance*), but any net connection can be DOSed.

    *well, maybe what I'm suggesting means the box in question ceases being a general purpose computing device, i.e. is not a computer.... semantics and tech both over my head here.

  13. Handling Assessments by Anonymous Coward · · Score: 0
    read on to see how it handles his assessment.

    Books do not handle assessments at all. The reviewer assesses the book.

  14. To make something "hackerproof".... by ARRRLovin · · Score: 2, Interesting

    ....is to know the unknown. So unless you wrote every program you use on a daily basis operate in a vacuum with *zero* connection to the outside world, it is impossible to be "hackerproof".

    --
    -Randy
    1. Re:To make something "hackerproof".... by Ziviyr · · Score: 1

      I think you're being a little extreme.

      I think there is such thing as being realistically hacker-proof.

      Hacks are typically caused by programs taking malicious input and doing something awe-inspiringly stupid with it. People can write secure code if they want to.

      I call bullshit on hack-proofness being impossible.

      --

      Someone set us up the bomb, so shine we are!
  15. Lame Criteria by fv · · Score: 5, Informative
    And at 355 pages in length, the book's discussion of nmap starts on page 324; a good sign indeed.

    WTF? By this heuristic, my upcoming O'Reilly book on the Nmap Security Scanner will be a miserable failure. No single security tool, be it Nmap, Nessus, Snort, or any of the other most popular security tools, is a holy grail, but don't judge a book based on what page numbers they appear on. That is almost as bad as making the title words a huge consideration. I do tend to look askance at books with "hacking" or "cyber" in the title, but give them a chance anway. It is often the publisher's marketing department, and not the authors, that have the most influence in the cover. I flipped through NSA, and found it good enough to ask O'Reilly for a copy (I haven't read it yet though).

    In any case, NSA does not start its Nmap coverage on page 324. Nmap has its own subsection on page 11, and a peak at the index shows that Nmap is also discussed on pages 39, 47, 58, 69, 192, 322-324, 325-326, and 354. If the location of Nmap coverage is one of your two primary considerations in buying security books, at least check the index!

    -Fyodor
    PS: Nmap 3.70 was just released last week, with dozens of improvements.

    1. Re:Lame Criteria by Anonymous Coward · · Score: 0
      Good point, but I think the author revealed himself as a jackass a little earlier : Especially since bulletproof deals with physical objects, and nothing, not anything, can ever be made hacker-proof.

      "bulletproof" in the context of computer security is obviously a metaphor. It may or may not be a scarlet letter on a computer security text, but the author's quibble with the phrase is infantile and willfully blind pedantry. I suppose he thinks it's a keen insight or something.

    2. Re:Lame Criteria by anticypher · · Score: 1

      Maybe its because the book review itself is lame. The reviewer was stretching hard to come up with some points on how this book differs from the shallow make-a-fast-buck books which are little more than a rehash of the man pages for nessus and nmap.

      I've seen the aftermath of cowboy security professionals, who come into a company, run nessus for a day or two, print out the report in its entirety, grab their money and run. At the other end of the spectrum I've seen CESG CHECK certified teams spend months carefully working through a structured procedure to secure an organisation's entire IT infrastructure. When I look at books I tend to categorise them into manpage reprints or full structured methodologies.

      However, I'm certain that an O'Reilly book on nmap, written by the Fyodor himself, will be a worthy addition to my library. Here's hoping the book sells well enough you can earn some good money off of it.

      the AC
      I had to set my clock back last week just to verify one of the cool new features in 3.70

      --
      Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
    3. Re:Lame Criteria by bruthasj · · Score: 1

      WTF? By this heuristic ...

      Don't worry, he just invented it for this book review. Sounds a bit like my computer science alogrithm proofs.

      Thanks for the great tool Fyodor!

  16. a slight discrepency? by monoi · · Score: 2, Interesting

    the book's discussion of nmap starts on page 324

    ...and then later...

    Chapter 3 [...] shows how to use [...] nmap for network enumeration.

    Are chapters one and two gargantuan, or is it just too late at night for me?

  17. What about by oneishy · · Score: 1

    unplugging?

    Last I checked that was still hacker proof!

    1. Re:What about by genner · · Score: 1

      Nah, a hacker can still break into the room and plug it back in.

      Now smashing it with a sledge hammer would make it completely hacker proof.

  18. Hacker-proof.... by thewiz · · Score: 1

    Especially since bulletproof deals with physical objects, and nothing, not anything, can ever be made hacker-proof.

    Really? Many black-hat hackers in prison for commiting crimes have found their cells hacker-proof. At the very least, extremely hacker-resistant.

    --
    If "disco" means "I learn" in Latin, does "discothèque" mean "I learn technology"?
  19. Full Text Online by Wanker · · Score: 2, Insightful

    The full text of this book is available online via O'Reilly's Safari subscription service:

    http://safari.oreilly.com/059600611X

    This is a great service for serious readers. (I have no connection with them other than as a subscriber.)

  20. If the Book does indeed mention ISECOMM by Anonymous Coward · · Score: 1, Insightful

    and the OSSTMM (Open Source Security Testing and Methodolgy Manual) then indeed it is worth its salt.

    Otherwise, more thought and more experience has been put in the OSSTMM than any book published to date.

    Security Testing, Penetration Testing, and Vulnerability Assessments should be done according to a complete plan covering more than just open ports found by nmap, but you have to have the methodology to go about it, or you are as bad as the proverbial "Script Kiddie".

  21. my calculator is pretty hacker proof by dj42 · · Score: 2, Funny

    the article says nothing can be hacker proof? seriously? nothing?

    --
    We are one consciousness experiencing itself subjectively. Back to you with the weather, Bob!
  22. protect us from bad software engineering by dpilot · · Score: 1

    I would argue that bad software engineering has little do to with it.

    I belive we need much more to be protected from bad software purchasing decisions. The best-engineered software in the world can be out there, but if that's not what you buy, all of that engineering does you no good.

    I have faith in the Linux kernel because I keep tabs on the lkml, and I know that these guys are concerned about doing a good job, and that there are some well-qualified people amoung them. I have faith on other Open Source projects for similar reasons - that even though I'm not qualified to evaluate their security, others who are, do. It is a good idea some time to skim mailing list archives for the software you use, from time to time, just to see the attitudes of developers and contributers.

    For proprietary software, you have to have faith in the company that produced it. The issue then becomes how do you achieve reasoned faith in a company's software development process.

    And then of course we have the just plain naughty-ware that NOBODY should install. But people do install the stuff, and sometimes they even BUY it.

    --
    The living have better things to do than to continue hating the dead.
    1. Re:protect us from bad software engineering by evilpenguin · · Score: 1
      I have faith in the Linux kernel because I keep tabs on the lkml, and I know that these guys are concerned about doing a good job, and that there are some well-qualified people amoung them. I have faith on other Open Source projects for similar reasons - that even though I'm not qualified to evaluate their security, others who are, do. It is a good idea some time to skim mailing list archives for the software you use, from time to time, just to see the attitudes of developers and contributers.


      I agree that Open Source/Free Software is a model that allows for a higher degree of confidence than closed and proprietary, and I agree that heavily used and heavily developed software of that type is likely to be "better" (how to quantify? Difficult problem.) than closed software, I do not think you can assume because something is open that it is secure. I have seen some appalingly bad code in open source projects.
  23. Bug-free software is possible by Animats · · Score: 1
    and nothing, not anything, can ever be made hacker-proof.

    It's quite possible to build very high security systems. With enough effort, you can take proof of correctness all the way down to the hardware level.

    Nobody does this any more, because 1) the costs are very high, 2) you have to make the designs so brutally simple that you lose performance, and 3) everything becomes totally incompatible with Microsoft. . But go look at the list of systems approved under the old NSA Red Book criteria at the higher levels.

  24. Apostrophes? by JThundley · · Score: 1

    The second step is to see the books discussion and placement of the nmap tool within the book.

    Why not discuss the placement of apostrophes?

  25. Hacker-Proof by Virtex · · Score: 0, Flamebait

    and nothing, not anything, can ever be made hacker-proof

    Oh yeah? My computer is completely hacker-proof. There's nothing you can do to break it. In fact, I insist you try. My IP address is 127.0.0.1. Go ahead and launch your worst exploits, DoS attacks, worms, or viruses against it -- I won't even notice the attack.

    --
    For every post, there is an equal and opposite re-post.
  26. a good start by neoThoth · · Score: 1

    what I would want to see is a book on network penetration testing. Books like NSA seem more like a conglomeration of How To's and Man pages with a friendly narrator.

  27. Spend, spend, spend. by Anonymous Coward · · Score: 1, Interesting

    When designing and security a network, it is the job of the security architect to maximize that level of improbability as much as possible. No it's not it is to make sure that the level of security in the system is comensurate with the system risk.

  28. Nothing is flawless by msobkow · · Score: 2, Informative

    It's that simple. No matter how good the teams involved in hardware and software development, there is a virtual statistical guarantee that there is a mistake somewhere. If that mistake can be exploited over the network, you have a potentially serious vulnerability.

    The best you can do is isolate your penetration risk.

    Ideally you would want each network-enabled service on a distinct server. That way if there is a security risk with that service software on the platform, your penetration risk is the loss of that service. That can get expensive, so you either use chroot environments or VM's to reduce the physical infrastructure required, knowing that there is some tradeoff in the overall security because of it.

    Each layer of the data center environment should be firewalled from the next so that only the expected protocols from the expected hosts are allowed deeper into your data center. This all starts at the network head, typically something like a Cisco rack that port-forwards the network services to the appropriate hardware.

    In the case of a web-enabled service via Apache, plugins and hooks in Apache validate the client, handle the SSL overhead, and proxy the confirmed requests to the next layer -- web interface services (e.g. XForms, Struts, HTML/JavaScript, XML/XSD, ...). Those requests are again ideally passed through a firewall, but at very least the links between those front-end and web interface servers should be a physically seperate subnet.

    Tomcat, J2EE, etc. are common web interface service toolkits. This layer is responsible for user session management and minimal authorization feedback (e.g. enabling/disabling potential user actions for the business object interfaces being presented.)

    We're now through three layers of firewalling and validation, and finally hit the back-end application services. With J2EE or other gateways handling the web interface, the back-end application services could be interfaced via MQ, RPC, CORBA, J2EE, SOAP/XML, or any number of protocols.

    Those back-end business application services are where you can finally do the real authentication/authorization, XA transaction management, backbone message processing, etc.

    Depending on performance and security needs, there may be further layerings of business/security processing, object-relational mapping, and local or WAN database clusters.

    At the very core of it with as many firewalls and layers as possible between it and the outside world is your security center -- the primary Kerberos servers that are maintained from a physically secure location. Their information is replicated to the "runtime" servers in the data center, so even if someone were able to hack through 4-6 layers of firewalls, protocols, and potential SSL tunnels, they still wouldn't be able to alter the core identity information.

    There are thousands of products, packages, and libraries for working with that Kerberos identity core, including smart cards, biometric id's, etc.

    Tie it in with LDAP security and you can do a pretty effective job of initial application access checking without allowing a DOS on the core service. (If you can't find the core service, you can't very well flood it, can you? Not without attracting the attention of network monitoring.)

    Technically "bulletproof" is impossible, but I'd rather a few layers of Kevlar between my data and the outside world, particularly if each of those layers is provided by a different vendor using slightly different approaches to their products.

    I think having a seperate OS vendor and hardware platform for each service would be ideal, but currently that's only a theory. There are equally valid arguments that having a simple VM or microkernel with multiple operating systems could be as secure.

    In a sense, if you had all these systems and services on the big iron from IBM, Sun, Hitachi, HP, etc. the internal data bus can be thought of as a multi-gigabyte per second virtual netwo

    --
    I do not fail; I succeed at finding out what does not work.
  29. Bejtlich disciple by maximilln · · Score: 1

    While nmap is a invaluable and important security tool; it is nonetheless but one tool in a large security toolbox. Books that place the bulk of their discussion of nmap at the beginning of a book are generally focused on the blind running of tools without insight or analysis.

    I think the poster just finished reading the intro to "The Tao of Network Security Monitoring" by Richard Bejtlich.

    "This book strives to not repeat material found elsewhere. you will not read how to install Snort or run Nmap. I suggest you refer to the recommended reading list in the next section if you hunger for that knowledge. I introduce tools and techniques overlooked by most authors, like the material on protocol anomaly detection by Brian Hernacki, and explain how you can use them to your advantage."

    --
    +++ATHZ 99:5:80