Securing your computer's future
October 9, 1998
by Peter Galvin
(IDG) -- What's that groaning sound? No, it's not coming from viewers of the president's testimony. It's from my bookshelves. They're straining under the weight of more than 20 computer security books. Generally, given the choice between reading them or using them to heat my house during the New England winter, I choose the former. This year, perhaps I'll use some of them for the latter. My rating system may help you to decide what to do with these books when you come across them yourself.
I've divided my review into five subject categories:
And my rating system is simple:
That said, let's get on with it.
Computer Related Risks, by Peter G. Neumann. Neumann has been moderator for the RISKS newsgroup since it started in 1985. This book, based on the knowledge he gained there and elsewhere, includes examples of computer-related failures and risks, and analysis of their causes. It's well written and thought provoking. It can be read as a cautionary tale of what can go wrong when computers are involved, as a guide to avoiding the causes of computer risks, or as an extraordinary chronicle of computers and society. At any rate, it should be read, and it's more addictive than Tomb Raider, although the graphics aren't as good. Rating: C
Practical Unix & Internet Security, Second Edition, by Garfinkel and Spafford. Simply the best guide to Unix security currently available. It's the book I reach for first when I have a Unix security question. It covers all of the major, and some of the minor, security issues that face Unix administrators and facilities architects. It excels in its discussions of physical security, auditing and logging, programmed threats, and WWW security. It could, however, probably spend less time on UUCP, as very few sites use that facility anymore. Furthermore, there is only the slightest mention of VPNs and little on biometrics. My only other complaint is that the book has too many pages for a stay-flat binding, so it is only "perfect" bound. Rating: C
Computer Security Basics, by Russell and Gangemi Sr. Even though this book was published in 1991, it still has some useful information. The information on the legal and government aspects of security in particular is useful. This includes Orange Book summaries and security legislation. Most of that information is updated in Computer Crime: A Crimefighter's Handbook (see below). For the most part, however, its content is subsumed by the classics reviewed here, though an update could make this a more useful book. Rating: ?
Computer Crime: A Crimefighter's Handbook, by Icove, Seger, and VonStorch. If you've had a break-in, you've probably learned the hard way how to respond to it. If you'd prefer to be prepared, this book gathers together the techniques and information on the tools you'll need in order to successfully battle computer crime. It has chapters on preventing computer crime, handling a crime, and the applicable computer crime laws (which take up half of the book). Especially interesting is the section on detection of common attacks, as is the chart of countermeasures and their vulnerabilities. Rating: W
Secrets of a Super Hacker, by The Knightmare (previously reviewed in this column -- see Resources below). One of the best books by a hacker about hacking. Discusses the hacker mentality and hacker methods. Most remarkable are the chapters on researching the hack and social engineering. It's a relief that there is only one 16-page chapter on what to do once a system has been hacked. For hackers like The Knightmare, the goal is to hack into a system, not to cause mayhem once there. Rating: W
Maximum Security: A Hacker's Guide to Protecting your Internet Site and Network, by Anonymous. This volume is full of interesting information. It contains information on operating systems and facilities, their bugs, tools to exploit those bugs, and tools to protect the systems. Platforms include Windows 95 and Windows NT, Unix, Novell, VAX/VMS, Macintosh, and even Bell Labs' Plan 9. There's not much new here for Unix security hounds, but those defending systems are well served by knowing what tools are available to hackers to attack their systems. Rating: W
Firewalls and Internet Security, by Cheswick and Bellovin. A groundbreaking book that is still useful today. It contains less technology and is more methodology oriented than Building Internet Firewalls. Rating: C
Building Internet Firewalls, by Chapman and Zwicky. It's all here: the tools, the methods, the right and wrong ways to implement firewalls, the protocols and their abuses. In short, everything you need to know to implement firewalls as part of a complete security solution. Rating: C
Internet Firewalls and Network Security, by Siyan and Hare. Unfortunately, this book doesn't measure up to the competition. It spends much time on packet filters but lacks so much as one chapter on proxy gateways. It does have some redeeming features, including solid chapters on network policy design and setting up Firewall-1, ANS Interlock, and TIS firewalls. If those topics are what you need, this book might help. Otherwise, you may want to skip it. Rating: ?
Note that there is a second edition of this book that I did not have available for review.
Internet Cryptography, by Richard E. Smith. This work makes a fine practical companion to Applied Cryptography, Second Edition, also by Bruce Schneier. It's written for people who need to analyze and choose cryptography products for use in the real world (where most of us live). It has extensive coverage of IPSEC and SSL. Add in chapters on e-mail and digital certificates, and you have a book that deserves a read by anyone in the market for cryptography. Rating: C
Bandits on the Information Superhighway, by Daniel Barrett. Subtitled "what you need to know," this book actually does include what those new to the Internet and e-commerce need to know. It includes examples of folks who fall in love and get ripped off via chat rooms on the Internet, pyramid schemes and how to avoid them, and even a section on the infamous David Rhodes. Most of the book covers problems and how to avoid them, on a nontechnical level. There's even a chapter on legal and procedural methods to fight back if you have been ripped off. Most veterans of the Internet wars already know this stuff, but this book is still useful to them -- they can loan it to their friends as they start learning the highways and byways of the Internet. Rating: W
PGP: Pretty Good Privacy, by Simson Garfinkel. The best source of information on PGP, how it works, getting it to work, and what it's good for. Includes a convenient quick reference card for demangling the myriad command-line options. Rating: W
Web Security Sourcebook, by Rubin, Geer, and Ranum. This book, written by experts, covers a hot topic. It falls just short of being what I'd call a classic. It does a very good job in some areas, including securing Web commerce, transaction security, and browser client- and server-side security. However, in some ways it doesn't know what it wants to be. It says it's for system administrators et al., but it doesn't go into the same depth or breadth as Web Security and Commerce does -- and that's what sysadmins need. On the other hand, it does a good job with big-picture issues, like how to choose e-commerce protocols. With any luck, the authors will write a second edition that concentrates on the high-level aspects. As is, it makes a great companion to Web Security and Commerce. Rating: W
Web Security: A Matter of Trust. This O'Reilly offering isn't technically a book, but rather a journal. It's part of the World Wide Web Journal series, Summer 1997 V.2 N.3. It covers a smattering of topics, but what it does include is interesting and well done. Included are the following technical papers: "Weaving a Web of Trust," "Cryptography and the Web," "Trust Management for Web Applications," "Introducing SSL and Certificates using SSLeay," "Security for DNS," "Secure CGI/API Programming," and more. Rating: W
Internet Security: Risk Analysis, Strategies, and Firewalls, by Othmar Kyas. I was hoping this book would include detailed risk analysis models and methods, security-policy details, and solution scenarios. Instead, it's a lightweight text that details some risks to security (amounting to a 4-page chapter titled "Internet Security: Attack Points and Weaknesses" and a chapter on the usual Unix bugs and attack patterns) and weak policy help (a 12-page chapter titled "Internet Security: Design and Implementation"). The supplemental Web site is nonexistent. And to think I actually spent money on this one! Rating: ?
Network Security: Private Communication in a Public World, by Kaufman, Perlman and Speciner. I have a few complaints about this book. First, it's poorly named; it isn't about network security, it's about communicating securely over unsecure media. Second, if it's about communicating securely, then why only two pages about firewalls and less than one page about VPN tunnels? Perhaps the answer is that it was published in 1995 and therefore has little relation to the current world of security and the Internet. On the other hand, it does have good coverage of Kerberos, cryptography, and e-mail security. Rating: ?
Network and Internetwork Security: Principles and Practice, by William Stallings. Some decent coverage of cryptographic algorithms (again) and SNMP in an otherwise out-of-date book. Ahh... just freed up more room on my bookshelf. Rating: ?
Actually Useful Internet Security Techniques, by Larry Hughes. This book isn't actually that useful. Another book from 1995, that vintage year of computer security books; the details are too old to be accurate and the higher level coverage is sparse. Rating: ?
Applied Cryptography, Second Edition, by Bruce Schneier (previously reviewed in this column -- see Resources below). This book explains in fascinating, understandable detail how all the major cryptography protocols and algorithms work. Further, it offers a companion three-disk set of the algorithms with source code in C. What more could you want? Rating: C
Java Security, by Scott Oaks. This is a book for programmers who want or need to use Java to write secure applications. It covers the complex topics of message digests, digital signatures, and key management, and includes code fragments showing how to implement these features in Java 1.1 and 1.2. A great source of information on using Java's security features. Rating: W
Virtual Private Networks, by Scott, Wolfe, and Erwin. I wanted to like this book. It's about a hot topic that deserves a good book. Unfortunately, this book has several weaknesses. For instance, it's clear that the market is heading toward the IPSEC/ISAKMP framework, and while it's true that this is still an emerging technology and standard, the book was published in 1998 and should spend more time in this area. The book is also short on general information like where and when to use VPNs, how to architect the proper facility depending upon needs, and so on. It does go into detail on both PPTP and Cisco PIX, but doesn't even mention other firewall and VPN hardware and software such as Checkpoint Firewall-1, Axent (Raptor), Aventail, and Redcreek. The O'Reilly Web site includes two updated chapters, apparently part of a forthcoming second edition. The chapters provide some updated information on IPSEC et al., as well as secure shell (ssh). I hope the second edition will contain more updated and complete information. Rating: W
Intrusion Detection, by Terry Escamilla. This just came in. Dedicated to the worthy topic of intrusion detection (IDS), it has plenty of high-level information about intrusion detection and why it may be needed in your environment. It also contains details about the current tools and methods of IDS, including at least some information on all the common IDS tools. Most of the information is about Unix, but there is a chapter on Windows NT as well. Looks to be quite useful for those considering, evaluating, or implementing an IDS system. Rating: W
That's it, the bookshelf is clear. Or at least it now has a little breathing room. Well, off to the bookstore.
If there are valuable security books that you think should have made it into this review, please let me know.
Peter Galvin is chief technologist for Corporate Technologies Inc., a systems integrator and value-added reseller (VAR). He is also adjunct system planner for the Computer Science Department at Brown University, and has been program chair for the past four SUG/SunWorld conferences. As a consultant and trainer, he has given talks and tutorials worldwide on the topics of system administration and security. He has written articles for Byte and Advanced Systems (SunWorld) magazines, and the newsletter Superuser. Peter is co-author of the best-selling Operating Systems Concepts textbook. Reach Peter at email@example.com.
© 2000 Cable News Network. All Rights Reserved.