Slashdot Mirror

← Back to Stories (view on slashdot.org)

Network Security Assessment

Posted by timothy on from the no-such-anything dept.

Ben Rothke writes "There is a very simple albeit unscientific two-step test to see if a book about security assessments is for the serious security practitioner or for the script kiddie. Step one: Does the book use the term bulletproof or hacker-proof? Such nebulous terms are utterly meaningless. Especially since bulletproof deals with physical objects, and nothing, not anything, can ever be made hacker-proof. The second step is to see the books discussion and placement of the nmap tool within the book. While nmap is a invaluable and important security tool; it is nonetheless but one tool in a large security toolbox. Books that place the bulk of their discussion of nmap at the beginning of a book are generally focused on the blind running of tools without insight or analysis. Those that place nmap towards the latter parts of the book generally focus on the big picture." Rothke reviews below Chris McNab's book Network Security Assessment; read on to see how it handles his assessment. Network Security Assessment author Chris McNab pages 396 publisher O'Reilly rating 8 reviewer Ben Rothke ISBN 059600611X summary To-the-point and practical book for testing your own network, an important tool in the fight to keep out malicious electronic visitors.

With those two tests in mind, Network Security Assessment (NSA) passes with honors. The terms bulletproof or hacker-proof are not found at all. And at 355 pages in length, the book's discussion of nmap starts on page 324; a good sign indeed. NSA is written for a person who needs a thorough introduction to performing network assessments, but does not need the elaborate background that the Hacking Exposed series offers. The book's technical requirements are not that extensive; a basic understanding of security, IP networks, and generic networking is enough to understand the core concepts of the book.

The book's preface starts out with a simple fact, one that is not always obvious to many: It is never impossible for a hacker to break into a computer system, only improbable. When designing and security a network, it is the job of the security architect to maximize that level of improbability as much as possible. Anyone who makes their network even a little bit more security resilient will quickly find a drop in the number of security breaches.

The publication of Hacking Exposed a few years ago started a new era in books about network scanning. Hacking Exposed was the first popular book that detailed how to go about performing a penetration test. In a similar vein, NSA is comparable to Hacking Exposed in that it provides a framework for doing security assessments. The big difference is that NSA provides a much more structured approach to performing the assessment, whereas Hacking Exposed lacked that formal approach. Hacking Exposed also goes into more details in many areas, and its initial title has morphed into many other different titles.

This more formal approach is manifest in the books 14 chapters. The first two chapters of NSA start out with the fundamental need and requirements for performing a network security assessment, and then details the tools and methodologies required to bring that assessment to fruition.

Chapter 3 details the ins and outs of network enumeration and also shows how to use standard utilities such as whois and nmap for network enumeration. Perhaps one of the most beneficial features of the book is the selection of countermeasures that are found at the end of each chapter. These countermeasures are very useful in ensuring that any vulnerabilities are appropriately fixed.

Besides listing methods which an intruder might use to elude common security applications, the book also goes into numerous hacking tools. While some may see this as providing fuel to the fire, it is clear that the tools are readily available (and have been for years). Listing of such tools won't make hacking easier for miscreants and script kiddies; rather it provides a level playing field for systems administrators who need to defend against such hackers.

After network and host enumeration, NSA steps forward into topics such as dealing with web servers and CGI, remote access issues, and ftp and database security issues. Chapter 9 does a good job of focusing on Microsoft Windows security issues. While entire books have been written about weak Windows security protocols such as NetBIOS, SMB and CIFS, NSA does a good job encapsulating ways to keep vulnerabilities here in check. Readers are highly advised to put the Windows networks services countermeasures listed at the end of the chapter into use.

Chapters 10-12 deal with the myriad security issues with email, VPN and RPC issues. While most of the information in these chapters (and the book as a whole) has been elucidated elsewhere, there is nonetheless a lot of valuable information contained in the chapters.

Chapter 13, "Application-Level Risks," is important in that many organizations put far too much emphasis on security the perimeter and forgetting about the application. The need for more emphasis on application-level security is eloquently put by Marcus Ranum when he notes that "these days, with the kind of plug-ins that come in your typical browser, combined with all the bizarre undocumented protocols used by new Internet applications, make it highly unlikely that a firewall is doing anything more complex than a thin layer of policy atop routing. As such, the applications behind the firewall are now more critical to security than the firewall itself. Which should scare the holey moley out of you."

Chapter 14 closes the book with a methodology for running a network security assessment. The author notes that running an assessment requires more thought than simply running security tools in a haphazard manner.

Overall, Network Security Assessment provides a good framework for anyone who is serious about running network security scans to security his perimeter and interior networks. The book is written in a style that is readable and understandable style; while more of an introductory text, it does not treat the reader as a dummy.

When it comes to running a network security assessment, the methodology is often more important than the running of the tools. While there is nothing radically new detailed in NSA, it does provide an effective and comprehensive overview of the issues involved in only 355 pages. If you are looking for a to-the-point book that does not get bogged down with screen prints and meaningless hacker stories and myths, Network Security Assessment is a good place to start.

You can purchase Network Security Assessment from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

7 of 92 comments (clear)

  1. The Utility of Firewalls by airConditionedGypsy · · Score: 5, Insightful
    "..these days, with the kind of plug-ins that come in your typical browser, combined with all the bizarre undocumented protocols used by new Internet applications, make it highly unlikely that a firewall is doing anything more complex than a thin layer of policy atop routing. This pronoucement is right on the money. Firewalls are but one tool in our arsenal. <Insert relevant prose about defense in depth, yadda yadda.>

    As such, the applications behind the firewall are now more critical to security than the firewall itself. Which should scare the holey moley out of you."

    Firewalls were invented to essentially protect us from bad software engineering. Bad software engineering remains a problem. A good question is whether or not firewalls should be made more complex, or left as simple packet filters... there is simply no way for a firewall at the edge of a network to make intelligent decisions about application data flying past it.

    We need fundamental advances in creating robust, secure, and self-recovering software.

    --
    I bootleg Fizzy Lifting Drinks.
    1. Re:The Utility of Firewalls by airConditionedGypsy · · Score: 4, Insightful
      Which these sorts of tools, you need a signature to match against. Doesn't really do any good to catch Code Red sigs after patches have been applied, and only slows down traffic processing. The firewall has to stop and reassemble the packets, and then make a decision based on a-priori knowledge of that particular application-level protocol.

      Sure, firewalls can catch this sort of low-hanging fruit, but how can a firewall make a useful decision about an otherwise syntactically legal piece of data that goes past it? All sorts of stuff gets tunneled over HTTP. If the firewall knows about authorization decisions and correct behavior of all the applications behind it, that's a pretty meaty firewall, and probably very prone to subversion itself.

      --
      I bootleg Fizzy Lifting Drinks.
    2. Re:The Utility of Firewalls by Beryllium+Sphere(tm) · · Score: 4, Insightful

      You described firewalls that are making useful decisions about incoming application data, but I question whether they are intelligent decisions.

      After all, why do we have the problem that application-aware firewalls are trying to solve? Because we can't trust the applications to figure out whether their own incoming data is safe to eat. Can we make firewalls smarter about application data integrity than the applications are? If we can, do we want to put all that logic in a high-traffic area?

      The niche where I'd recommend a layer 7 firewall is when it's unsafe to update production systems to fix a vulnerability.

  2. Re:Proof. by pixelpusher220 · · Score: 2, Insightful

    Computers are deterministic. Why is it impossible to keep something secure?

    Because we Human's are *not*. If it was written by a human, it will have 'undocumented features' whether purposely or not. Moreover though, if something is completely and utterly secure, it's also not likely to be very useful. A computer totally disconnected from the network can't be hacked from the network...but it defeats the purpose of having a network in the first place.

    --
    People in cars cause accidents....accidents in cars cause people :-D
  3. Re:Proof. by Pantero+Blanco · · Score: 2, Insightful

    Theoretically, something could be "hacker-proof". Things start to break down when reality and practicality enter the picture. People leave security holes unintentionally, new cracking tools are developed, admins use "God" as their password, et cetera. There are so many spots where things can break down that it's best to have the mindset that no network can be hacker-proof.

  4. Full Text Online by Wanker · · Score: 2, Insightful

    The full text of this book is available online via O'Reilly's Safari subscription service:

    http://safari.oreilly.com/059600611X

    This is a great service for serious readers. (I have no connection with them other than as a subscriber.)

  5. If the Book does indeed mention ISECOMM by Anonymous Coward · · Score: 1, Insightful

    and the OSSTMM (Open Source Security Testing and Methodolgy Manual) then indeed it is worth its salt.

    Otherwise, more thought and more experience has been put in the OSSTMM than any book published to date.

    Security Testing, Penetration Testing, and Vulnerability Assessments should be done according to a complete plan covering more than just open ports found by nmap, but you have to have the methodology to go about it, or you are as bad as the proverbial "Script Kiddie".