End-to-End Network Security

Ben Rothke writes "One of the mistakes many organizations make when it comes to information security is thinking that the firewall will do it all. Management often replies incredulously to a hacking incident with the thought "but don't we have a firewall". Organizations need to realize a single appliance alone won't protect their enterprise, irrespective of what the makers of such appliances suggest and promise. A true strategy of security defense in depth is required to ensure a comprehensive level of security is implemented. Defense in depth uses multiple computer security technologies to keep organizations risks in check. One example of defense in depth is having an anti-virus and anti-spyware solution both at the user's desktop, and also at the gateway." Read on for the rest of Ben's review.

End-to-End Network Security: Defense-in-Depth
author	Omar Santos
pages	480
publisher	Cisco Press
rating	9
reviewer	Ben Rothke
ISBN	1587053322
summary	Excellent and comprehensive look at how to secure a Cisco infrastructure

End-to-End Network Security: Defense-in-Depth provides an in-depth look at the various issues around defense in depth. Rather than taking a very narrow approach to security, the book focuses on the comprehensive elements of designing a secure information security infrastructure that can really work to ensure an organization is protected against the many different types of threats it will face on a daily basis.

The books 12 chapters provide a broad look at the various ways in which to secure a network. Aside from a minor mistake in chapter 1 where the author confuses encryptions standards and encryption algorithms (but then again, many people make the same mistake), the book provides a clear and to the point approach to the topic at hand. After reading the book, one will have a large amount of the information needed to secure their Cisco-based network.

While it is not in the title, the book is completely centered on Cisco hardware, software, and Cisco IOS. It is a Cisco Press title written by a Cisco employee, as you would expect, it has a heavy Cisco slant. For those that do not work in a Cisco environment, the information in the book will likely be far too Cisco centric for their needs. A review of the index shows that the book provides a near A-Z overview of information security. One of the only missing letters is 'J', but then again, that would require writing about Juniper.

Chapter 1 starts off with a detailed overview of the fundamentals of network security technologies. Chapter 2 details the various security frameworks and methodologies around securing network devices. The six-step methodology that the author writes of is comprised of preparation, identification, classification, traceback, reaction and postmortem.

The author mistakenly writes that manual analysis of complex firewall policies is almost impossible because it is very time-consuming. The truth is that the time-consuming aspect does not make it impossible. It can be done, but the author is correct that the use of automated tools makes such analysis much quicker and easier.

Chapters 5 and 6 provide an excellent overview of reacting to information security incidents. The chapters cover all of the necessary details, from laws, log finals, postmortem and more.

Chapter 9 provides and extensive overview of the various elements of IPT security. It includes various ways to protect the many parts of a Cisco IPT infrastructure. In this chapter and the others, the author does a very good job of detailing the various configurations steps necessary to secure a Cisco device, both at the graphical level and also at the ISO command line level.

Chapter 12 concludes the book with 3 case studies of using defense in depth a small, medium and large enterprise networks. Different size networks have different requirements and constraints and are not secured in the same manner.

Overall, End-to-End Network Security: Defense-in-Depth is an excellent and comprehensive book on how to secure a Cisco infrastructure. It details the many threats such an environment will face, and lists countermeasures to mitigate each of those threats. Anyone involved in securing Cisco-based networks will find this book to be quite helpful in their effort to secure their network.

Ben Rothke is a security consultant with BT INS and the author of Computer Security: 20 Things Every Employee Should Know.

You can purchase End-to-End Network Security from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Let me be one of the first to say

[Nursie]

"Duh!"

C'mon, an incoming firewall is a good start, but it's just that. You still need AV, Anti-malware is good. Spam filtering, individual machine firewalls, server security, access limits for users, restrictions on what can be attached to the network, a secure area with limited access for those whose laptops travel a lot...

This is, is it not, pretty elementary stuff?

Re:

[Jansingal]

No way man.... use a Mac!!!!

Re:

[jotok]

Network security starts with defining the requirements for the network and then determining user policies, and then eventually determining what hardware and software you need. Good policy will make a secure environment regardless of what operating systems you use.

You gave some good examples of this principle. If you provide the users with network shares or a collaboration solution, then they don't need to use thumb drives. If you sandbox Outlook and IE, you don't have to worry about the malware du jour.

Re:

[hesiod]

> Good policy will make a secure environment regardless of what operating systems you use.

Sure, assuming you don't have any employees... Employees break policy routinely and don't give a crap if plugging in a USB drive is "against policy." They'll do it because they feel entitled to do whatever then damn well please. So if you don't lock down your systems to enforce an existing policy, you might as well throw all your PCs, with all their confidential information, out into the street.

Re:

[jotok]

I thought enacting policy was implied in that statement: e.g., shut off the USB ports to all your user's workstations.

Re:

[hesiod]

Ah, you were unclear. "Policy" is a very different thing than "Windows Group Policy Objects."

Re:

[jotok]

Yah, I tend to use them conceptually as the same thing.
Where I work, "Stuff we don't want the users to do" and "Stuff we don't allow the users to do" are one and the same.
I also work with an "allow by exception" network with is basically a security guy's wet dream :P

Or, just get a Mac/Linux?

[Blahbooboo3]

Mac for the desktop and Linux for the server room.

I remember reading on slashdot several years ago about a network security idea to scrap all this firewall gateway etc stuff and just implement a secure desktop (i.e. with almost no open ports other than 80 and 443).

In many ways, it makes sense to me.

Re:

[nine-times]

I remember reading on slashdot several years ago about a network security idea to scrap all this firewall gateway etc stuff and just implement a secure desktop

That's all well and good so long as you can really trust each individual machine. Also, you'll probably want to wait after the move to IPv6, or else you'll probably want to have some kind of gateway w/NAT. Even if you had all that, I wouldn't mind having a firewall anyway, just as an added layer of security.

Re:

[Jansingal]

big initiative.... but it was quashed by msft :)

Re:

[Cajun Hell]

You still need AV

If and only if your policy is "run whatever people give you."

Re:

[fuzzix]

If and only if your policy is "run whatever people give you."

Because we all know how stringently the average office worker sticks to IT policy...

Re:Let me be one of the first to say

[Bender0x7D1]

This is, is it not, pretty elementary stuff?

It really depends on who you are...

I suppose someone who has a Ph.D. in physics would say that quantum mechanics is pretty elementary stuff. The problem here is that you are assuming everyone who is in charge of a network has the knowledge, background and experience to understand security. Most don't. Many who think they do - don't. There is so much to keep track of that it's a full-time job just to keep up with the attackers. If you have a lot of other work to do, you probably aren't keeping current in every area you need to. That's why there are security experts who get paid a lot of money to help secure systems and networks.

Re:

[pclminion]

I suppose someone who has a Ph.D. in physics would say that quantum mechanics is pretty elementary stuff.

Depends. The mathematic behind quantum mechanics is not exactly "elementary" but the basic ideas are. Wave functions, uncertainty, and quantum collapse, although weird, are easily grasped by most people. Just don't ask them to do the math on it. Same with computer security -- even if you don't know every gory detail, you should at least know what the basic components of a secure system is. Seriously,

Re:

[dfgchgfxrjtdhgh.jjhv]

and if you're responsible for running a network, you should already know these basics, or you dont deserve to have the job.

looks like the book is aimed at trainees or students, any network admin should know this & those that dont are unlikely to read a book.

Re:

[dfgchgfxrjtdhgh.jjhv]

with the errors in it, its even a poor choice for students & trainees.

it seems to be slightly above the level of what users need to know, not many people run a corporate-style network at home & this kind of thing should be done for them at work.

Re:

[hesiod]

Hate to break it to you, but not every company can afford to hire a full team of network engineers. Sometimes, small companies have to choose their IT employees (assuming they can even hire more than one) carefully, based on their immediate needs. They can't afford to pay someone to do everyday stuff as well as someone with a CCNA, so they hire the first person and ask him to do his best with what he has.

Re:

[Jansingal]

>>and if you're responsible for running a network, you should already know these basics, or you dont deserve to have the job.

In a perfect world... yes.

The real world... mgmt cares little about securtiy and pays little to those who are responsible for it.

the outcome = malware invested networks run by those behind the curve.

Re:

[Bender0x7D1]

If you don't know every gory detail then how can you make intelligent decisions on where to spend your budget? Sure, you can learn the basics of quantum mechanics, but that doesn't make you qualified to determine how money should be spent for experiments. The same holds true here. You might have an idea that you should have firewalls, IDSes, updated systems, anti-everything, physical security, an employee training program, etc. However, you can't have it all - it would be too expensive in terms of time

Re:

[pclminion]

If you don't know every gory detail then how can you make intelligent decisions on where to spend your budget?

Trusted, informed opinions. We can't know every gory detail on every subject in the world and yet we seem to all do okay, by relying on experts.

Re:

[Jansingal]

u think csco pays 4 placement on /. ????

NEVER!!!!

Re:

[BlueParrot]

We want freedom for the users to make their systems obey them, and allow them to study and modify it to suit their needs. That is rather different from lettin unauthorized peopel take their controll away. It's all about the user's freedom.

Re:

[tjstork]

We want freedom for the users to make their systems obey them, and allow them to study and modify it to suit their needs.

That's all very noble sounding but its not at all the truth.

No we don't. We want to impress our corporate masters with all of these shiny reports showing how much we know about everyone is on the system, trying to candy up our asses in the name of safety. We're no different from the people pushing camcorders in grocery stores. Security is a protection racket industry... "buy from us, be

Godwin says...

[kensan]

nothing for you to see, move along.

Re:

[doas777]

I don't think godwins law applies in this case. it's primarily for adversarial situations.

if someone said:
"you're a nazi" => bad; the law applies

"I'm/We're nazi(s)" !=> bad ; law is N/A.

Re:

[Jansingal]

this has as much to do with godwin as.... well nothing

Why not just dump Windows?

[webmaster404]

Why not just dump Windows and go for either emulating XP on a Virtual Machine or run OS-X, Linux or BSD? Seriously, if your worried about your employees downloading a "screensaver" for Windows and infecting the network, just run Linux and I bet you over 80% of the time thats what it is. As for "retraining" you would spend more money retraining and getting better hardware (and worse software) to get Vista, and Office 2007 while Ubuntu can be themed like XP/Vista/Amiga/OS-X or any other previous operating system. Open Office has a much lower learning curve then giving them Office 2007. So just switching to Linux takes out just about 100% of malware/virus problems which bring in back-doors and other ways of accessing, not to mention the code is open so you can be 100% sure that you won't get a "stealth update" or delayed patches or even currently unkown flaws in the kernel. As for a firewall, just running your connections through a router would help a bit, set up Firestarter or another iptables front-end for Linux, set secure root passwords and the only way that it can be cracked is if the IT department decided to crack it because they would be the ones that set it up. So moral to the book is, switch to Linux or just about any OS other then Windows, set up a firewall and secure passwords and you will be fine.

Re:

[El Lobo]

Here we go again... Why should I? In my department we use Windows and we have no need to replace it. if you have a good It team who secures the OS, there should be minimal risks. A well configured XP or 2003 can be as secure as any other OS.

OTOH a bad secured Linuzzz, can be as insecure and any other...

So why just begin from the beginning with a new OS, new applications, emulatiosn, etc if the well configured real thing does the job?

Re:

[El Lobo]

That was extremly OT. I am saying that we are extremely happy with Windows. Again, please, why should we migrate?

Re:

[Jansingal]

what the heck are you trying to imply :!

Re:

[turbidostato]

"Why should I?"

Maybe you shouldn't. The previous poster just argumented that costs for the migration might be less than others would want you to believe. After all, he showed an scenario where there was the chance of migrating from XP to Vista *or* Ubuntu; from Office whatever to last version *or* Open Office. But, then, "why should you" migrate to Vista or Office last version to begin with? Now, if you state your reasons clear you might find that there're better migration targets than Vista or Office.

"

Re:

[MikeFM]

What's really bad is that a clever hacker can bypass much of your companies security just by getting someone running Windows to let themselves be infected with a program that gives the hacker terminal access to their computer and the ability to catch usernames, passwords, etc. Suddenly they have all the right authorization and access to your protected systems from inside the LAN. Worse, they can often infect other Windows systems giving the hacker access to the protected systems with many different user cre

Re:

[Vanessa MacDougal]

There is nothing magical about other operating systems. Denial-of-service (DOS) attacks and the reading of unencrypted data, for instance, know no OS. You need end-to-end security regardless of your platform.

Re:

[Burz]

But that is not to say that an environment where Windows is integral can actually achieve end-to-end security. Windows is the weakest link, and the difference isn't magic but a matter of design.

System design is why even an "obscure" platform like MacOS could go from having dozens of malwares to about one post BSD transition.

Re:

[hal9000(jr)]

Why not just dump Windows and go for either emulating XP on a Virtual Machine or run OS-X, Linux or BSD? Seriously, if your worried about your employees downloading a "screensaver" for Windows and infecting the network, just run Linux and I bet you over 80% of the time thats what it is.

Because that is not how the world works. Companies have a huge investment in Windows and all the apps that run on it. A rip and replace is simply not a viable option.

You know, there are ways that companies can lock dow

Re:

[webmaster404]

Yes I know that they can lock down Windows, I worked for a company for a short time that locked down Windows. The fact though was, between an over-aggressive content-blocking server that blocked non-inappropriate or time wasting sites, the fact that Firefox could never update itself because I didn't have Read, write and execute privileges to update Firefox (which by the way was already installed by the IT department) most IT departments I have found know very very little about computers, they either know ho

Re:

[dave562]

Free, Easy to use, (it can be customized to behave like XP/OS-X/Vista) Secure, and Functional, theres no reason not to use Linux

Can it be customized to do what this does? http://www.altec-inc.com/ [altec-inc.com]

How about a Linux accounting package for the SMB market that does the equivalent of what this does? http://www.sagesoftware.com/pfw/ [sagesoftware.com]

While you're at it, got any waste management software for Linux? Waste Management went with AS/400. http://www.eweek.com/article2/0,1895,1773666,00.asp [eweek.com]

Re:

[Fred_A]

While you're at it, got any waste management software for Linux?

Sure, both Gnome and KDE have this little trashcan icon nowadays.
It's all gotten very fancy.

Re:

[dave562]

The way you joke about application needs for Linux is very similar to the way a lot of people joke about switching to Linux in the first place. Sure, it's all great and fine to champion Linux as the cure for the problem of Microsoft dominance in the computerized world. Yet for a lot of real companies, the only "solution" to breaking their dependence on Microsoft on the desktop or the server is to "run your Windows apps in a VM on Linux." Ya, great solution there. Add another layer of complexity to the p

Re:

[Aehgts]

While I agree that linux seems to solve a lot of these problems I still believe that a part of the reason for this is that the average linux user is simply a more informed internet user.
'nix is great at protecting against passive attacks, but can still suffer from pebcak.
In my experience, those who run linux tend either to not know what an OS is (parents, grandparents etc) or are curious nerd/geek types who either know what they are doing, or are willing to break a test system finding out. This education

Re:

[JrOldPhart]

Yea, back to CP/M.

Re:

[jc42]

C'mon; asking businesses to dump Windows would be a lot like asking America to dump Christianity, or asking Egypt to dump Islam. All three might be very good ideas, but suggesting any of them in the appropriate crowds will just get you fired/crucified/beheaded/whatever.

When faced with religious beliefs like these, the best you can do is try to make the best of them, while trying to minimize their damage to people and property.

[A couple decades ago I'd have included asking the USSR to dump Communism, but th

Re:

[Burz]

A couple decades ago I'd have included asking the USSR to dump Communism, but that happened. But I suspect that IBM/Microsoft, Christianity and Islam are much more deeply entrenched than Communism ever was.

And I suspect the reason for that is because Soviet communism, however much brainwashing was associated with it, did not condition people to supernaturalism. It made false claims because they were falsifiable. Time passed, people saw the results, and stopped believing in the system.

With the supernatualist conditioning to faith for its own sake, credulity becomes much more insidious. Falsifiable claims are more of an embarrassing accident, and esp. when they turn out false the authorities will explicitly ma

Re:

[Jansingal]

Common suggestion: Dump windows and we are secure
Similar argument: Stop hating people and no one will get killed.

We call people who make such crazy arguments weird.

from the protect-ya-network dept.

[eikonoklastes]

I thought this would have come from the preaching-to-the-choir dept.

Re:

[Jansingal]

yeah... but that choir lost their voice :)

My security dream

[blhack]

Does anyone know of a system that works like this?

There is one master drive image that sits on a server somewhere on the Lan.... ..every night, when there is nobody using the workstation, it gets "re-imaged"

My Documents or $home or whatever is mapped onto a server. Similar to a netboot I guess...

keep like 3 copies of the image around and MD5sum them before they go out to make sure that the master hasn't been corrupted or infected or some BS.

Added bonus is any software changes would just get done at the mas

I've heard of it.

[khasim]

Back when I was consulting, one of the other consultants ran into a situation like that.

The problem was that SOMETHING would go wrong with one or more of the machines and they would not get the image. Which really sucked when the user came in in the morning. Those machines had to be manually imaged.

Re:

[morgan_greywolf]

Why not just use a diskless workstation, with the master image sitting on the SAN, locked down and mounted readonly?

Re:

[Jansingal]

diskless workstations are awesome. the network computer concpept of some years back did the similar.

great concept, really great.

but never took off. beats me why not.

Re:

[cbelt3]

Well, back in the 1960's and 70's we called it a mainframe computer. Lots of corporations use "Citrix" which empirically provides a virtual machine for a common, locked to the teeth desktop user. Or some sort of terminal server.

Re:

[dnormant]

In a mainframe environment ALL of the resources, except the terminal IO and user were in the mainframe. Here he is describing a multi user environment where only the disk and boot image are shared. Big difference.

Re:

[silas_moeckel]

I used something similar in school systems every time the machine booted it reverted to a fixed image, they could send that image from the network onto the PC's to upgrade them. Worked pretty well once you turned off USB/CDrom booting, locked the bios and locked the systems in place the kids couldn't defeat it easily. Teachers could just hit the reset button to boot to a clean OS.

Re:

[doas777]

it'll work as long as you have site licenses for everything and no one uses a special app.

the real problem are your artistic and tech staff. not everyone needs Adobe Creative Suite, SQL server, and visual studio. these licenses are pricey and the software is to "heavy" requirement wise to deploy to all PCs.

Re:

[everphilski]

Back where I used to work they had a diskless computer cluster similar to this. A master node held the disk image, and when each computer booted up it would request the disk image from the master node and put it on a RAM disk. No hard drive, floppy or CD-ROM drive on the cluster. Once they booted up they got their image with their tasks, started running the tasks, etc.

If any node was having problems, all they had to do was flip a switch. If it came back up, great, if not pull it offline and see what faile

Re:

[neurovish]

kindof a netboot + SAN i think...

kindof?
The computer labs where I went to college were setup this way. It's really the only sane desktop policy for 30,000 users who would love nothing more than to mess up every single computer they touched that they didn't own. Every reboot and you're back to a normal windows image.

Re:

[Sproggit]

http://www.preworx.com/ [preworx.com]

Re:

[CotterPin]

Where I work, we're deploying http://www.ardence.com/ [ardence.com], which essentially does what you want. You create locked-down master images tweaked the way you want them, and the clients essentially use your Ardence server as a hard disk. The difference between this and a solution such as Citrix is that other than disk I/O, the OS uses local hardware instead of server-side computing. It works very well, and each time the machine boots it gets a pristine fresh install of the OS; all changes the user made are discar

It's all useless

[fremean]

You can spend billions of dollars securing your network end to end, but so long as you still employ staff (or let them have communication with the outside world) nothing you buy can protect you from ID-10-T security breaches

Yes, yes it can.

[Nursie]

That's why you have restrictions on what users can do with their machines, especially non technical users.

Oh, sorry Mr Marketing guy, you can't install new software, you don't need it.

No, you're not authenticated for full office network access mr homeworker, not until your machine's been fully scanned. Until then you can access your mail account and the web from this sandbox area.

Uh, no, mr software developer, you can't have root access to the main source repository...

There are many things you can do to pro

Choice quote from CSI

[mcrbids]

As they were chasing the bad guy (girl?) through the 2nd Life game, the CSI lab was hacked. Choice quote:

"We're under attack! Get that firewall UP NOW!"

I mean, yes, it's CSI and nobody expects perfection, but that's representative of the way people often see things...

Re:

[dnormant]

My wife looked at me like I was nuts when I started to roll on the floor over that one...

GET THE FIREWALL UP...

Defense in depth

[starfishsystems]

Defense in depth is an important security principle, among several others which have apparently not received any treatment in the book reviewed here.

Considering that the book is cxclusively concerned with configuring proprietary network gear, that's perhaps understandable. But when the same book presumes, by its title, to offer a general treatment of end-to-end security will have badly misled its readers. This is not end-to-end security, but instead the much smaller subset which concerns how to manage network traffic.

If we genuinely want to talk about end-to-end security, we'll have to look closely at the endpoints. We have to look at them in terms of their own architectural security, as well as how they function as communicating agents. And where communication is concerned, all the stuff in the middle, generally speaking, is not trustworthy.

That's a more principled approach to what "defense in depth" means in the context of these endpoints. Sure there might be a few firewalls or encrypted tunnels along the way, but the endpoints have no means of assuring that this infrastructure is in fact secure. Should those layers fail to operate as expected, the security of the communication falls to other layers. Ultimately, the responsibility falls to the endpoints themselves.

Dealing with security in several fragmented pieces is not so great. That's because security is an emergent property of the entire system, not something which can be directly composed from elements of the system. A text which provides a treatment of security princples comprehensively would be most welcome. Let's save the "end-to-end" terminology for when we're really looking at end-to-end architectures.

Re:

[Jansingal]

i think it was made pretty clear that this is a by cisco, for cisco, there aint nothing in the world but cisco book.

Re:

[trolltalk.com]

"i think it was made pretty clear that this is a by cisco, for cisco, there aint nothing in the world but cisco book."

Yep. Those Crisco people are sure greasy!

Better to cut the fat and switch to leanux.

Re:

[Jansingal]

Waht does anne coulter have to do with it?

Re:

[monopole]

We use defense in depth. Two firewalls! One after another, each providing ROT13 encryption for our VPN. Bring it on hackers!!!

Well, yes...

[jd]

...but Cisco IOS supports more than firewalls - which seems to be the only focus of the book. IPSec in certificate-based router-to-router mode should be a fundamental consideration in business-to-business connections over the public Internet. Duplicating the endpoint would be essentially impossible.

Active NIDS is usually discouraged when placed in serial with the network, as it usually can't block the network when in parallel. But if the NIDS server can log onto the managed switch or router, it can disabl

Firewalls are your LAST line of defence...

[rHBa]

...for web servers or any DMZ server anyway.

I know many security guys (mostly on FreeBSD servers) who don't even bother with a firewall. You shouldn't have insecure services running in the first place.

Of course it's a whole other world when it comes to protecting a LAN where you can't effectively control the services running locally.

Re:Firewalls are your LAST line of defence...

[Martin Blank]

You don't always know if you have insecure services, though. You can limit the rights of the accounts under which services run, but there may still be ways of using vulnerabilities to get around that. This is one of the reasons that application-level firewalls are becoming so popular, as allowing only RFC-compliant (at least essentially so) traffic can prevent numerous exploits. Having dropped such a firewall into the middle of a network before, I've seen what suddenly gets blocked.

Re:

[guruevi]

Of course those "application firewalls" also run software that can be (if not more easily) exploited or run the same operating systems as your server boxes (BSD or Linux). I run a full Linux/BSD/Mac shop and every computer has it's own public IP (1 to 1 NAT). The firewall is basically a Cisco router that does filtering on ports/IP. I don't really trust the firewall because it's not owned by me rather, IT Services (I'm part of a larger institution) has full control from a few computers over all the firewalls

Human Factors

[handy_vandal]

Also consider the human factors angle.

I used to do tech support at a major US university. I'd show up at the user's desk, flip the keyboard upside down ... there's the password, taped to the underside of the keyboard. Hell, sometimes it was taped to the monitor. Not every time, of course -- a minority of users, really -- but often enough to make it a Bad Habit.

-kgj

Re:

[firstnevyn]

If Mallory is sitting at the console you've already lost.

A critical question is what are you attacking against? if it's Joe Random Cracker out on the interweb then the password being taped to the keyboard is BETTER than having a weak password that's memorised (and easilly bruteforced).

If the threat is unauthorised access internally then it's a problem that it's taped to the keyboard written on a card in your wallet would still be better imho than a weak password.

In short it's bad.. but when the threat isn't

Networks, military bases, banks, whatever ...

[ScrewMaster]

if you're depending entirely upon a perimeter defense you will get pwned.

Antivirus on the desktop?

[rastoboy29]

Am I the only one who's never found a single antivirus app to be worth a damn?

Re:

[Jansingal]

>>>Am I the only one who's never found a single antivirus app to be worth a damn? that is the stupidest thing i ever heard. if you run windows, you need av apps, plain and simple. av apps might not catch everthing, but they are worth a damn, no question about it. you MUST redo your comment. it makes no sense.

Re:

[rastoboy29]

No, I will not, and I despise Windows as much as the next slashdotter. With a simple firewall and a router, don't run IE, not running a server, and admittedly a little technical knowledge, I have been virus/malware free, well, forever. I don't ever "click here" randomly and stuff, you know?

You only need AV software if you're technically incompetent. I realize those people are out there, but I'm just saying it's not necessary if you understand a few things about how computers work.

Re:

[Jansingal]

>>>You only need AV software if you're technically incompetent.

And that is conservatively 90% of the end-user base in the world. so for you and the few thousand people who do security right, fine.

for the other few hundred million people, they DO NEED AV SOFTWARE.

Re:

[Jansingal]

>>>You only need AV software if you're technically incompetent.

And that is 90% of the end user base in the world.

yes, for you and your friends, your premise is correct.

for the other few hundred million end users, AV IS A MUST!!! That is undisputable!!!

Re:

[Jansingal]

After reading your comment 5 times, and sending it to 5 people, all of us agree that no matter how correct you are, this is a Windows and IE world.

Suggesting Not running windows, not using IE, is plain impossible.

And what you did describe is HIGHLY TECHNICAL!!!

Most people cant find control panel, let alone configure it.

It's about integrating security into design!

[netnull]

I'm constantly befuddled about the time and energy wasted on the concept of end-to-end security. The plain basic truth is this: Productivity does not require security! What this means is we end up in a cycle of building networks and applications without considering the potential risks and security requirements. Security, whether it's a firewall to an end-to-end implementation with so-called defense in depth, is a bolt-on patch to something can could have been designed securely to begin with. There's ne

Re:

[Jansingal]

>>>he plain basic truth is this: Productivity does not require security!

I have no idea what that means, please explain.

Re:

[netnull]

What I mean by "productivity does not require security" is that most organizations are guilty of deploying networking technologies without consideration of the security risks involved. Anyone can setup a productive Apache server, but properly locking it down, setting permissions and associated firewall and routing policies, etc., is something that should be considered, but is often devolved down to a set of so-called best practices, if followed at all. You can stand up a wireless AP, but setting one up se

Um...one big problem with this book

[pulse2600]

The use of one vendor for all security products is not a good idea. To truly have defense in depth, there needs to be variety in your security products across your system or infrastructure. If all your security products have a common base (Cisco IOS, in this case), then one security vulnerability in the IOS software can render most or all of your defense useless. As an example, I might have a network built on Cisco Catalyst switches, with a Cisco VPN concentrator, Cisco Secure IDS, and a PIX firewall. I mig