Customer Reviews

Network Security Assessment: Know Your Network

5 star:		(11)
4 star:		(8)
3 star:		(2)
2 star:		(1)
1 star:		(0)

 

 

"Network Security Assessment" (NSA) is the latest in a long line of vulnerability assessment / penetration testing books, stretching back to "Maximum Security" in 1997 and "Hacking Exposed" shortly thereafter. NSA is also the second major security title from O'Reilly this year, soon to be followed by "Network Security Hacks." NSA is a good book with some new material to offer, but don't expect to find deep security insight in this or similar assessment books.

NSA begins with the almost obligatory reference to the king of assessment books, "Hacking Exposed" (HE), saying "I leave listings of obscure techniques to behemoth 800-page 'hacking' books." I don't think some of the techniques covered in HE but not NSA are "obscure." Noticably lacking in NSA is coverage of dial-up techniques, wireless insecurities, Novell vulnerabilities, and attacking clients rather than servers. Should NSA receive a second edition, I expect to see the book expand closer to the "behemoth" it seems to deride.

The best chapter by far was ch. 11, where the author with assistance from Michael Thumann takes the reader on a tour of exploiting vulnerable code. The stack diagrams and code snippets were especially helpful and the explanations were clear enough. This sort of material is a solid introduction to some of the techniques found in "Security Warrior." I also liked ch. 14, where the author explains a sample assessment using the tools already introduced. Kudos as well for maintaining an errata page and tool archive on the publisher's Web site.

The advantage NSA has over HE is the variety of tools on hand. I learned of at least a dozen tools not mentioned elsewhere. The author seems to be thorough while listing various exploitable flaws from the last several years. While the prose is well-written, I believe the HE series does a better job communicating fundamentals of the underlying technology. In other words, HE gives better explanations of 'what' we are compromising, while "NSA" prefers to concentrate more on the compromising itself. This technology education aspect of the HE series has always been its strong point. For example, there's no need to read a 500 page book on Microsoft FrontPage to understand the problems with it when a quick look in a HE book explains the technology's basics as well as its security flaws.

It's been over a year since the 4th edition of HE was published, so I recommend buying NSA to freshen your assessment skills. For the scenarios it does cover, which include most UNIX and Windows Internet-based attacks, it is thorough and accurate. Combined with O'Reilly's "Security Warrior," NSA presents an updated picture of the assessment scene.

[A review of the 2nd EDITION. This review was written on 3 December 2007.]

Over 3 years has elapsed since McNab wrote his first edition. Much of that edition is still valid. Sadly, in a way, because it means that despite the best efforts of that book and others of its ilk, we remain plagued with network attackers and insecure systems.

One of the constants between the editions is the focus on IPv4. Still! IPv6 only gets a glancing mention in the second edition. While everyone recognises that IPv4 will get exhausted of addresses, the transition to v6 still gets postponed. McNab ruminates that this very transition will of its own accord generate compromises. I wish he'd expand on this remark. But maybe there is yet little market reason to do so.

Another thing that does not get mentioned is phishing. In early 2004, it was still a minor threat. It has since blossomed into a chronic problem. But McNab is correct to ignore it, up to a point. He believes, as apparently does most of the IT security field, that phishing is largely a social engineering problem. That it is not a technical problem of patching bugs, per se. Yet viewed properly, phishing is a network attack that uses social engineering, and it is amenable to technical countermeasures that involve, in part, network actions.

I especially favour this edition, for the reasons in the preceding paragraph. In 2004, I and a co-inventor, Marvin Shannon, devised a US Patent Pending against phishing. The second edition of McNab's book came out in November 2007, and by not discussing phishing, it buttresses our claims of non-obviousness, 3 years after our filing.

==============================================================================
[A review of the 1st Edition. This review was written on 3 April 2004.]

A logically very systematic delineation of ways that your system could be attacked over the Internet. There are standard ways to access your computer like rlogin, telnet, ssh and ftp. But each implementation of these faces the risk that an error was made in its coding, which might then be found and exploited by a cracker. Plus, since the advent of the Web, there are Web services that have not checked for the stereotypical but very real case of buffer overflow in submitted input over the network.

McNab describes all these, and more. But perhaps more usefully, his book is not a simple recital of implementation versions and associated known bugs and available patches. He tries instead to guide the reader into understanding the broad ideas in network access, and using a viewpoint of logically analysing for any weaknesses. Because any static listing of versions and bugs runs the risk of being obsoleted in a few years.

He presents web sites that are good resources for patches or latest versions of key programs. If you are concerned about a specific program, try going straight to it in the book and seeing what advice he offers.

For all the programs he mentions, some prior knowledge of their use would be handy. He gives a succinct description of each, but really he assumes you have already used it.

This book is a great resource for any administrator with IP networks to protect. As Wes Boudville says, it certainly is systematic with some great guidelines and useful checklists. The high level concepts laid out by the author make it much easier to understand the underlying issues with security nowadays. Instead of listing bugs and patches, McNab explains the different bug types, and I learnt a lot about stack and heap overflows in the application security chapter.

I'd recommend this book over Hacking Exposed and other books with the word 'hacking' in the title. The assessment material is comprehensive from both Unix and Windows standpoints, and I certainly picked up a bunch of new tricks that I wasn't aware of before. The book has great coverage of all the latest tools and techniques, but written in a timeless way. At just under 400 pages you'll find that it's not too long either!

The author has managed to pack a serious amount of low-level technical information into this book. In the other penetration testing and hacking books I've read, I haven't yet found one to be as comprehensive as Network Security Assessment--to give you an example this book covers IPsec, Citrix and Oracle issues that I have not seen covered elsewhere in print, let alone in the same book. A downside is that the book is hard to read from cover-to-cover, and should be used more as a reference, and the author does assume a level of reader knowledge. I've just finished reading Shellcoder's Handbook too, and found chapter 13 of this book to be a great technical primer for application level issues (such as heap, stack, integer overflows and format string bugs)--the diagrams are excellent and easy for anyone to understand.

All in all this is a very useful book for both the professional security analyst and systems admin with large networks to protect. The Oreilly site has some good info that you should check out, such as the TOC, index and sample chapter on network scanning (http://www.oreilly.com/catalog/networksa/).

"Network Security Assessment" is a fun little book that covers vanilla network security assessment approach from planning to scanning to exploitation (but for whatever reason no reporting and remediation in the end). I liked that the author outlined the methodology first before diving into techniques. Such methodology presents (as it is common in the security arena) a double-edged sword, since it is used by security consultants as well as amateur blackhats.

The book is mostly fun to read (especially when the author is picking on the CIA in his remote information gathering activities). Sometimes though it boils down to listings of known vulnerabilities, some dated, going back to the times of RedHat 5.x and public exploit references. The coverage is pretty comprehensive, includes UNIX and Windows platforms and applications as well as VPN (but not network devices and wireless). I also liked his description of information gathering activities. The book covers most of the commonly used tools such as "nmap" (covering some of the relatively lesser known details of this scanner) as well as touches upon some of the less common such as "scanrand"). Every chapter ends with a brief summary of possible countermeasures to the activities in the chapter.

The book is definitely recommended to people new to the whole security assessment area. I suspect that those involved in the field will pick up some new things as well. For example, I liked that the author emphasizes various brute-forcing tools that can be as handy as the actual exploits when attacking a networked service. Also, I learned a new approach for picking up an internal IP address from behind the NAT by watching for certain ICMP packets.

Anton Chuvakin, Ph.D., GCIA, GCIH is a Senior Security Analyst with a major security information management company. He is the author of the book "Security Warrior" (O'Reilly, 2004) and a contributor to "Know Your Enemy II' (AWL, 2004). His areas of infosec expertise include intrusion detection, UNIX security, forensics, honeypots, etc. In his spare time, he maintains his security portal info-secure.org

The book's preface starts out with a simple fact, one that is not always obvious to many: It is never impossible for a hacker to break into a computer system, only improbable. When designing and security a network, it is the job of the security architect to maximize that level of improbability as much as possible. Anyone who makes their network even a little bit more security resilient will quickly find a drop in the number of security breaches.


The publication of Hacking Exposed a few years ago started a new era in books about network scanning. Hacking Exposed was the first popular book that detailed how to go about performing a penetration test. In a similar vein, NSA is comparable to Hacking Exposed in that it provides a framework for doing security assessments. The big difference is that NSA provides a much more structured approach to performing the assessment, whereas Hacking Exposed lacked that formal approach. Hacking Exposed also goes into more details in many areas, and its initial title has morphed into many other different titles.


This more formal approach is manifest in the books 14 chapters. The first two chapters of NSA start out with the fundamental need and requirements for performing a network security assessment, and then details the tools and methodologies required to bring that assessment to fruition.


Chapter 3 details the ins and outs of network enumeration and also shows how to use standard utilities such as whois and nmap for network enumeration. Perhaps one of the most beneficial features of the book is the selection of countermeasures that are found at the end of each chapter. These countermeasures are very useful in ensuring that any vulnerabilities are appropriately fixed.


Besides listing methods which an intruder might use to elude common security applications, the book also goes into numerous hacking tools. While some may see this as providing fuel to the fire, it is clear that the tools are readily available (and have been for years). Listing of such tools won't make hacking easier for miscreants and script kiddies; rather it provides a level playing field for systems administrators who need to defend against such hackers.


After network and host enumeration, NSA steps forward into topics such as dealing with web servers and CGI, remote access issues, and ftp and database security issues. Chapter 9 does a good job of focusing on Microsoft Windows security issues. While entire books have been written about weak Windows security protocols such as NetBIOS, SMB and CIFS, NSA does a good job encapsulating ways to keep vulnerabilities here in check. Readers are highly advised to put the Windows networks services countermeasures listed at the end of the chapter into use.


Chapters 10-12 deal with the myriad security issues with email, VPN and RPC issues. While most of the information in these chapters (and the book as a whole) has been elucidated elsewhere, there is nonetheless a lot of valuable information contained in the chapters.


Chapter 13, "Application-Level Risks," is important in that many organizations put far too much emphasis on security the perimeter and forgetting about the application. The need for more emphasis on application-level security is eloquently put by Marcus Ranum when he notes that "these days, with the kind of plug-ins that come in your typical browser, combined with all the bizarre undocumented protocols used by new Internet applications, make it highly unlikely that a firewall is doing anything more complex than a thin layer of policy atop routing. As such, the applications behind the firewall are now more critical to security than the firewall itself. Which should scare the holey moley out of you."


Chapter 14 closes the book with a methodology for running a network security assessment. The author notes that running an assessment requires more thought than simply running security tools in a haphazard manner.


Overall, Network Security Assessment provides a good framework for anyone who is serious about running network security scans to security his perimeter and interior networks. The book is written in a style that is readable and understandable style; while more of an introductory text, it does not treat the reader as a dummy.


When it comes to running a network security assessment, the methodology is often more important than the running of the tools. While there is nothing radically new detailed in NSA, it does provide an effective and comprehensive overview of the issues involved in only 355 pages. If you are looking for a to-the-point book that does not get bogged down with screen prints and meaningless hacker stories and myths, Network Security Assessment is a good place to start.

Awareness is a key component in a person's quest for mitigating the inherent risk of operating an IP network attached to the Internet. The book "Network Security Assessment" by Chris McNab, is recommended for anyone who is new to the profession of network perimeter assessment or anyone interested in learning more about how to defend their infrastructure.

The book focuses upon the enumeration and exploitation process of assessing a network perimeter. The author has a great section on manipulating whois, dns and nmap for network enumeration. These sections provide the reader an understanding of the techniques used to determine their networks external façade in a way that is clear and easy to follow yet reiterating the importance of understanding protocols such as ICMP and the advanced usage of information gathering tools like tcpdump.

A large portion of the book show tools, techniques and methodologies used to evaluate and exploit networks and host services. This information is useful and interesting to read; some of the exploits are quite old and could be useful for finding systems that were in dire need of patches. However, the book is about assessing the network not vulnerability re-mediation. The author does have a neat article "Top Ten Tips to Make Attackers' Lives Hell" on O'Reilly's web site. The assessment techniques cover Unix and Windows systems as well as many protocols such as LDAP, SNMP and applications such as IIS and Oracle.

The book ends with a great section on Application-Level risks. This includes useful information on buffer overflows, integer overflows, format string bugs and the like. This is well written and an explanation that is clear.

I feel like this book is a culmination of years of old notebooks, it is a handy resource. Overall, I would definitely recommend this book to anyone new to network security assessment. Even those who have experience in the field will find useful information and techniques in this book. It was a fun book to read and an excellent starting point when looking into the means by which one should assess their network.

This is an excellent written book that I would definitely recommend to anyone interested in Network Security. The author has a very professional approach to security assessment and every chapter covers in detail ways to find out information about systems and their vulnerabilities. The final chapter walks through the process of creating a detailed report about an attack. One of the best security related books I have ever read.

This is one of the few books that I have come across that focuses mainly on the innards of security assessments. The services based security and counter measures are helpful for threat modeling. This book is really great for people in the security risk and threat analysis for a quantitative and qualitative validation. Good book to help in setting up corporate security policy model.

Other people have already provided a good chapter wise run-down so I will skip that here...

Buy this book :)

Hello,

I've bought a lot of network security books, as keeping up to date is important in my industry (security analyst). My bookshelf is literally filled with books on this topic which I use both as reference material and/or as a total read from start to finish.

When I saw Network Security Assessment on Amazon, I was immediately attracted to the title, but felt it might be just another unwieldy book with a lot of techniques but little explanation. But I bought it anyway, and since it arrived before Security Warrior did, I started to read it first.

It just goes to show that even when you think you know alot, there's someone out there that has some worthy experience to share. This book shares a wealth of tools, and supplements it with not only examples of how to use those tools, but surrounds the whole use of those tools with a methodology without directly ramming a methodology down your throat.

From the introduction of what tools are required, through to network enumeration, scanning, remote information services (dns, ldap), and right through to specifics of assessing ftp, email, vpn and others...I felt this book was a worthy addition to anyones network security library. It even makes multiple references to materials outside the scope of this book, so if you want to read up more on something else - you've got a great start.

I like books to be simple in their approach, because as we all know network security can be very complex. I think this book achieves this goal, and I recommend it to beginners, intermediates and even some experts who are open to refreshers.