Posted: Wed Jan 19, 2005 11:51 pm
Post subject: Book Review - Hardening Network Infrastructure
Hardening Network Infrastructure
Author(s): Wesley J. Noonan
Publisher: Osborne McGraw-Hill
Book Specifications: Soft-Cover, 552 Pages
User Level: Familiarity with routing and routed protocols plus associated h/w
Suggested Publisher Price: $39.99 USA/ $57.95 CAN/ £24.99
Info from Back: "I first got to know Wesley Noonan through a common newsgroup. His insightful and technical comments stuck with me, and I finally met him at a conference several years later. Wes has the gift to present network security in a concise, well-reasoned way easy for everyone to understand regardless of their security or networking knowledge. His writing style reflects his congenial presentation manner and his knowledge, and his eagerness to share his expertise is exceptional. Wes's guide to hardening your network infrastructure provides the step-by-step, how-to approach that you need to build, deploy, and maintain a security defense. I've read every word; you will not be disappointed."
Just what is network infrastructure exactly? Well, typically people would refer to it as the routers, switches, firewalls, intrusion detection/prevention systems, and quite a few more pieces of hardware or software. These various pieces of equipment range from easy to difficult to set up. Once you have done so, though, are you sure that you have it optimized for your network's security posture? There are many varied ways an attacker can get in, and a simple misconfiguration is one of them. With the ever-increasing complexity of these infrastructure pieces comes the possibility of overlooking something during setup. Because of these well-documented problems, the author of this book decided to write something that will help you harden these appliances. Both Windows and Linux environments are covered. The bulk of the book, though, is Windows-centric, and major vendors such as Cisco get the lion's share of the book.
Content & Overview
The book itself is organized into four sections that comprise seventeen chapters and one index. In the first part the author details six things that you should do before anything else is done: reviewing your network design, implementing a firewall, implementing access control lists, turning off unnecessary ports and services, installing virus protection, and securing your wireless connections if present. Following this checklist is very much a long list of chores if done properly. Thankfully, what follows in the book will help you decide if you have done the aforementioned well, or not.
Once the above is done you begin part two of the book, which gives policy writing a good treatment. This is an important part, believe it or not, as it will help you get organized. Doing this can also save your bacon with management, as they will largely be the ones reading it and approving it. Doing up paperwork may be boring, but it can and will pay dividends for you. Following the policy writing portion is where you hit the meat of the book. It starts with hardening the actual network infrastructure that the title of the book alludes to. Some of the gear covered for hardening: firewalls, intrusion detection/prevention systems, VPN/dial-in access systems, routers and switches, network features and services, content filters, and wireless LAN connections, amongst quite a few others. It is a rather detailed and comprehensive list that is covered by the book's author.
Shown in the third part of the book is how to audit your network and verify if all your hard work is paying off. A couple of the best open source tools around are used for this: nmap and nessus. From here you are shown how to manage any changes that your network may encounter, such as upgrades and vendor fixes like patches.
The last part of the book is where you try to tie together all of the work you have done already and sell it to your management, with things like justifying the cost of having a security posture to begin with. You must also give management and your end users a realistic expectation of what it will get them. Not to be forgotten is the cost of keeping security staff trained, and having an incident response team in place if at all possible. These key topics are also given face time in this book.
Style and Detail
Covered in this book is a lot of information which is done at the console or keyboard. Befitting this approach, there are a lot of well-drawn diagrams, screenshots, and other visual aids to help you understand what is going on. The physical properties of the book are nice as well, for you can bend it relatively easily, and the pages are of a good thickness. These are two pet peeves of mine when not in place. With all that said, there is one key area I found the book lacking in, though. I feel the book would have been much better had all of the contents been written around a network that the author would have sketched out at the beginning. This would have made the information flow better, and would have been easier to visualize. That is a personal observation, though, and not all readers may share this opinion.
There is no doubting the author's mastery of his subject material in this book. I have also seen many of his helpful posts in various mailing lists. That being said, I feel the book had a disjointed feel for the reason that, as stated, there was no mythical network that all of this could have been applied to. Having done so would have made an enormous difference, I think. With that quibble out of the way, I still recommend the book itself.
Security Forums Discount
The publishers, McGraw-Hill, have kindly set up a discount section for Security Forums' users. Discounts can be up to 30% off the RRP and postage is free on all orders over £20 in the UK & Central Europe.
This review is copyright 2005 by the author and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.