End-to-End Network Security
Ben Rothke writes "One of the mistakes many organizations make when it comes to information security is thinking that the firewall will do it all. Management often replies incredulously to a hacking incident with the thought "but don't we have a firewall?" Organizations need to realize a single appliance alone won't protect their enterprise, irrespective of what the makers of such appliances suggest and promise. A true strategy of security defense in depth is required to ensure a comprehensive level of security is implemented. Defense in depth uses multiple computer security technologies to keep organizations' risks in check. One example of defense in depth is having an anti-virus and anti-spyware solution both at the user's desktop, and also at the gateway." Read on for the rest of Ben's review.
End-to-End Network Security: Defense-in-Depth provides an in-depth look at the various issues around defense in depth. Rather than taking a very narrow approach to security, the book focuses on the comprehensive elements of designing a secure information security infrastructure that can really work to ensure an organization is protected against the many different types of threats it will face on a daily basis.
| End-to-End Network Security: Defense-in-Depth | |
| --- | --- |
| author | Omar Santos |
| pages | 480 |
| publisher | Cisco Press |
| rating | 9 |
| reviewer | Ben Rothke |
| ISBN | 1587053322 |
| summary | Excellent and comprehensive look at how to secure a Cisco infrastructure |
The book's 12 chapters provide a broad look at the various ways in which to secure a network. Aside from a minor mistake in chapter 1 where the author confuses encryption standards with encryption algorithms (but then again, many people make the same mistake), the book provides a clear and to-the-point approach to the topic at hand. After reading the book, one will have a large amount of the information needed to secure a Cisco-based network.
While it is not in the title, the book is completely centered on Cisco hardware, software, and Cisco IOS. It is a Cisco Press title written by a Cisco employee, and, as you would expect, it has a heavy Cisco slant. For those that do not work in a Cisco environment, the information in the book will likely be far too Cisco-centric for their needs. A review of the index shows that the book provides a near A-Z overview of information security. One of the only missing letters is 'J', but then again, that would require writing about Juniper.
Chapter 1 starts off with a detailed overview of the fundamentals of network security technologies. Chapter 2 details the various security frameworks and methodologies around securing network devices. The six-step methodology that the author describes consists of preparation, identification, classification, traceback, reaction and postmortem.
The author mistakenly writes that manual analysis of complex firewall policies is almost impossible because it is very time-consuming. The truth is that the time-consuming aspect does not make it impossible. It can be done, but the author is correct that the use of automated tools makes such analysis much quicker and easier.
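To make the reviewer's point about automated policy analysis concrete, here is a small added example (not code from the book or from the reviewer). It reads an ordered, first-match rule list written in a simplified syntax constructed for this example (not Cisco IOS ACL syntax) and reports rules that can never match because an earlier rule already covers every packet they describe: a later rule with the opposite action is "shadowed" (usually a misconfiguration), one with the same action is merely "redundant". The sample policy, the rule format and all function names are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample policy (not from the book). Ordered, first match wins.
# Format per line: <action> <proto> <src> <dst> [<port> | <lo>-<hi>]
SAMPLE_POLICY = """
permit tcp 10.0.0.0/24 192.168.1.10/32 443
deny   tcp 10.0.0.0/24 192.168.1.10/32 22
permit ip  10.0.0.0/16 any
deny   tcp 10.0.5.0/24 192.168.1.10/32 22
permit tcp 10.0.0.0/24 192.168.1.10/32 443
permit udp any any 53
deny   ip  any any
"""

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ANY_PORTS = (0, 65535)  # inclusive range meaning "any port"


@dataclass
class Rule:
    line: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Tuple[int, int]


def _net(token: str) -> ipaddress.IPv4Network:
    return ANY_NET if token == "any" else ipaddress.ip_network(token, strict=False)


def _ports(token: Optional[str]) -> Tuple[int, int]:
    if token is None:
        return ANY_PORTS
    if "-" in token:
        lo, hi = token.split("-", 1)
        return (int(lo), int(hi))
    return (int(token), int(token))


def parse_policy(text: str) -> List[Rule]:
    """Turn the constructed rule syntax into Rule objects, numbered by line."""
    rules = []
    for n, raw in enumerate(text.strip().splitlines(), start=1):
        parts = raw.split()
        if len(parts) < 4:
            raise ValueError(f"line {n}: malformed rule {raw!r}")
        action, proto, src, dst = parts[:4]
        port = parts[4] if len(parts) > 4 else None
        rules.append(Rule(n, action, proto, _net(src), _net(dst), _ports(port)))
    return rules


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by rule b is also matched by rule a."""
    proto_ok = a.proto == "ip" or a.proto == b.proto
    return (proto_ok
            and b.src.subnet_of(a.src)
            and b.dst.subnet_of(a.dst)
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])


def find_unreachable(rules: List[Rule]) -> List[Tuple[int, str, int]]:
    """Return (line, kind, covering_line) for rules that can never match.

    First-match semantics: a rule is unreachable as soon as any single earlier
    rule covers it. Partial overlaps across several earlier rules are not
    reported here; that needs set arithmetic rather than pairwise checks.
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.line, kind, earlier.line))
                break
    return findings


def analyze(text: str) -> List[Tuple[int, str, int]]:
    return find_unreachable(parse_policy(text))


if __name__ == "__main__":
    for line, kind, by in analyze(SAMPLE_POLICY):
        print(f"line {line} is {kind} by line {by}")
```

On the constructed policy the broad `permit ip 10.0.0.0/16 any` on line 3 silently swallows the `deny` on line 4, and line 5 duplicates line 1. Those are exactly the two defects that are easy to miss by eye in a policy of a few hundred lines and trivial for a script to flag.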
Chapters 5 and 6 provide an excellent overview of reacting to information security incidents. The chapters cover all of the necessary details, from laws, log files, postmortems and more.
Chapter 9 provides an extensive overview of the various elements of IPT security. It includes various ways to protect the many parts of a Cisco IPT infrastructure. In this chapter and the others, the author does a very good job of detailing the various configuration steps necessary to secure a Cisco device, both at the graphical level and also at the IOS command-line level.
Chapter 12 concludes the book with 3 case studies of using defense in depth in small, medium and large enterprise networks. Different size networks have different requirements and constraints and are not secured in the same manner.
Overall, End-to-End Network Security: Defense-in-Depth is an excellent and comprehensive book on how to secure a Cisco infrastructure. It details the many threats such an environment will face, and lists countermeasures to mitigate each of those threats. Anyone involved in securing Cisco-based networks will find this book to be quite helpful in their effort to secure their network.
Ben Rothke is a security consultant with BT INS and the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase End-to-End Network Security from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Let me be one of the first to say (Score:5, Insightful)
C'mon, an incoming firewall is a good start, but it's just that. You still need AV; anti-malware is good. Spam filtering, individual machine firewalls, server security, access limits for users, restrictions on what can be attached to the network, a secure area with limited access for those whose laptops travel a lot...
This is, is it not, pretty elementary stuff?
Why not just dump Windows? (Score:3, Insightful)
It's all useless (Score:3, Insightful)
Defense in depth (Score:5, Insightful)
Considering that the book is exclusively concerned with configuring proprietary network gear, that's perhaps understandable. But when the same book presumes, by its title, to offer a general treatment of end-to-end security, it will have badly misled its readers. This is not end-to-end security, but instead the much smaller subset which concerns how to manage network traffic.
If we genuinely want to talk about end-to-end security, we'll have to look closely at the endpoints. We have to look at them in terms of their own architectural security, as well as how they function as communicating agents. And where communication is concerned, all the stuff in the middle, generally speaking, is not trustworthy.
That's a more principled approach to what "defense in depth" means in the context of these endpoints. Sure there might be a few firewalls or encrypted tunnels along the way, but the endpoints have no means of assuring that this infrastructure is in fact secure. Should those layers fail to operate as expected, the security of the communication falls to other layers. Ultimately, the responsibility falls to the endpoints themselves.
Dealing with security in several fragmented pieces is not so great. That's because security is an emergent property of the entire system, not something which can be directly composed from elements of the system. A text which provides a treatment of security principles comprehensively would be most welcome. Let's save the "end-to-end" terminology for when we're really looking at end-to-end architectures.
Re:Why not just dump Windows? (Score:2, Insightful)
Re:Choice quote from CSI (Score:2, Insightful)
GET THE FIREWALL UP...
Re:Why not just dump Windows? (Score:3, Insightful)
As for the applications, very few businesses that I have seen, have any "must-need" software on most of their computers, sure there are a few that would need to have a VM running to run a few or have Windows dual-booting but for the average worker, Linux is sufficient. And I am not proposing a total abrupt change, but when the next licensing fee has to be sent in, or when it is time for an upgrade, Linux works 85% of the time for a solution and the other times, just dual-booting Windows or keeping a VM with it installed works.
As for the social aspect, Linux would allow them to download what they choose and surf the internet without IT locking down computers to being unusable. There is very very very little Linux malware, and those that do exist are either not in the wild, or as long as you use a halfway recent distro (like Fedora Core 1) you will be safe from them if you keep up on your patches. Also, most Windows Malware/Adware/Spyware/Viruses are caused by a program that looks legit but isn't; Linux reduces this threat by the package management system: when you type in sudo apt-get install firefox, you can be assured that someone has looked that over and that it matches checksums to make 100% sure it's Firefox and not some malware. If you don't trust that, you can compile it completely from source; there is little way, unless you are randomly installing binary files, that you will get any malware on a Linux machine. Also, if there is a problem, a sysadmin can simply SSH into the system and fix the problem.
Free, easy to use (it can be customized to behave like XP/OS-X/Vista), secure, and functional: there's no reason not to use Linux.
Networks, military bases, banks, whatever ... (Score:5, Insightful)
Re:Human Factors (Score:2, Insightful)
A critical question is what are you attacking against? If it's Joe Random Cracker out on the interweb, then the password being taped to the keyboard is BETTER than having a weak password that's memorised (and easily bruteforced).
If the threat is unauthorised access internally, then it's a problem that it's taped to the keyboard; written on a card in your wallet would still be better imho than a weak password.
In short it's bad.. but when the threat isn't in the building (which is secure) it's not SO bad.
--
Good, fast and cheap pick two.
Re:Why not just dump Windows? (Score:3, Insightful)
When faced with religious beliefs like these, the best you can do is try to make the best of them, while trying to minimize their damage to people and property.
[A couple decades ago I'd have included asking the USSR to dump Communism, but that happened. But I suspect that IBM/Microsoft, Christianity and Islam are much more deeply entrenched than Communism ever was. Anyway, my metaphor generator is redlined as it is.