The Process of Network Security: Designing and Managing a Safe Network [Paperback]

Thomas A. Wadlow (Author)

Book Description

ISBN-10: 0201433176 | ISBN-13: 978-0201433173 | Publication Date: March 12, 2000 | Edition: 1

This wide-ranging, up-to-date, conversational guide to network security focuses on the most important success factors: process and mindset. Security expert Thomas Wadlow shows exactly what it means to "be" a successful network security manager within a large business organization. Learn how to define what an organization's security goals ought to be -- and how to implement an effective security policy quickly, without endless committee meetings or company politics. Understand who may be attacking you, and how to "think pathologically" about your network, putting yourself in the shoes of your attacker. Evaluate which information resources are most worth protecting; learn how to build an effective security team; and discover how to build security systems that protect the enterprise as a whole, not just individual devices. Learn how to fortify your network components and design; monitor and audit your network; even quantify the value of security. The book also presents five exceptionally detailed chapters on how to respond effectively to an attack -- from forensics and log analysis to damage control. For every manager and executive concerned with network security, including sysadmins, netadmins, security managers, CIOs, CFOs, and CEOs.

Editorial Reviews

From the Inside Flap

A friend of mine said to me the other day that he wanted his old Internet back again. Things worked as well as they needed to. Everyone was nice. You could send mail to people you'd never met, and you'd typically get a nice reply. People gained access to different machines all around the world, which was given more or less freely, so you could log into those machines and see what they'd accomplished this month or just chat with friends. If something needed to be done, a bunch of smart people got together and did it, without too much fuss or bother. It was a nice place, for the most part.

He really wasn't serious, this friend of mine. He makes his living using the Internet we have today and by speaking about the Internet we'll have tomorrow. He gets most of his news from CNN's Web site, and the computer industry-specific sites such as Slashdot and Freshmeat. I can't remember the last time he traveled without a laptop; you can send him e-mail anywhere he travels, and (if you get past his filtering software) he'll answer it from Tokyo or Singapore or Paris. The Internet is probably the most complicated thing created by the human race, and yet it is (relatively speaking, of course) easy to use and just about everywhere you'd want it to be.

But I understand his point. The Internet isn't the friendly place it used to be. What was once a small town, where neighbors were friendly and you could leave your door unlocked, is now the largest (virtual) community in the world, and it's growing bigger every day. There are bad parts of town, and there are muggers and thieves and con men, just as in every other city on Earth. You can't get beaten up, but you can be robbed of your time and in some cases of your money.

For all that, the Internet is probably the safest community of its size ever in existence. But that isn't something to take much comfort in. The reason I say this is that I and other members of my profession are called on to look at the security of sites on the Internet from time to time. I know the Internet is mostly safe, because the doors to most places are still unlocked and yet major catastrophes have not happened. Reasoning from that, it appears that most of the people on the Internet are not Bad Guys. Not yet, anyway.

Of course, this can change at any time. And it has begun to. The 1990s saw an ever-growing number of people systematically trolling for computer weaknesses. These people are not trying to attack a specific site; rather, they are just fishing to see what they can catch. The late 1990s saw the beginning of Internet attacks for political reasons. As this book was written, the news media referred to the conflict in Kosovo as the "First Internet War" because of several hostile incidents that occurred and also because much of the unofficial communication between sides was taking place over the Internet.

The Internet is becoming a dangerous place. But it is important to see this in perspective. Any large community has its bad neighborhoods, robberies, muggings and trouble spots, but that doesn't mean it is impossible to live and work there safely. The trick is to keep your eyes open, take reasonable precautions, and not act foolishly. The same rules apply to the Internet.

But computer security means far more these days than the ability of one person to protect himself or herself from the dangers that can arise on the Internet. It's one thing to protect yourself. It's a very different thing indeed to protect a hundred computers, or a thousand, or ten thousand.

This book is intended for the people facing that formidable challenge and the people who will assist in such an endeavour. It is not a tutorial on how to become a hacker. Nor is it a technical manual on how to run a large computer network. Many other sources cover those subjects, for better or worse. My goal here is to give a person charged with the responsibility of running the network security for a large organization a tool for understanding the language and practices of network and computer security, and to provide some hints along the way to save some time and some scraped knuckles. As with any large project, there are many ways to approach these issues. I don't claim that this book is an exhaustive survey of all possible ways. It is, however, a collection of good methodology and tips and tricks, with some warning signs at the rough spots, that have worked for me.

So who am I? Well, I am an electrical engineer by training, but I was swept up into computer science in my high school and college years. My first experience with the Internet was in the late 1970s, when I discovered that I could connect from Carnegie-Mellon University, where I went to school, to a machine in London, England, over something called the ARPANET, which was just appearing on the scene at that time. Like many others at CMU, I worked in the university Computer Center. Unlike many of my colleagues there, I've kept much the same job ever since, running larger and larger collections of computers and their networks at Lawrence Livermore Laboratory, Schlumberger's Palo Alto Research Center, Xerox's Palo Alto Research Center, ParcPlace Systems, and Sun Microsystems Laboratories. Along the way, I've learned a few things about keeping large collections of machines happy and healthy and about keeping the Bad Guys out and the Good Guys working. Now I find myself as the Chief Technology Officer and Vice President of Security for Pilot Network Services, Inc., a company I helped to found and whose function is to handle Internet security for our customers, a diverse collection of some of the most dynamic and interesting (as well as the largest) companies on Earth. The principles we use to run our business safely can be found in this book. That may strike you as odd, creating a book that says how we do our business, because it enables people to compete against us, using our own principles. Well, read on. If you still think it's easy, give it a shot. We welcome the competition. Acknowledgments

A great many people helped me with the production of this book, directly or indirectly, but I'd like to thank several specifically:

Dr. Martine Droulers and Dr. Celine Broggio, wonderful friends who fed me delicious food and gave me the use of their French seaside attic to finish the book. Fromage! Eileen Keremitsis, who put up with my grumbling, made sure that I wasn't working too hard, and was ready with an invitation to dinner whenever I needed one. Dennis Allison, who tempted me back into the book-writing business after a long absence, and Karen Gettman and Mary Hart of Addison-Wesley, who made sure that I stayed the course. Steve Riley, Joseph Balsama, Steve Rader, John Stewart, and Clifford Neuman, who read the entire manuscript and whose numerous and insightful comments I found very helpful. And of course, the people at Pilot Network Services, who are the hardest working and nicest bunch of security folks I've ever met.

Tom Wadlow
San Francisco, California, USA
Le Crotoy, Picardie, France, 2000 0201433176P04062001

From the Back Cover

In The Process of Network Security, security specialist Thomas A. Wadlow reveals the approaches, techniques, and best practices that effectively secure the modern workplace. Written for network managers and administrators responsible for the security of large, enterprise-wide networks, this book focuses on security as a continuous process involving vigilant daily efforts in analysis, implementation, evaluation, and maintenance. It also emphasizes that in order to truly protect the enterprise, security professionals must consider not just individual machines, but the entire system--machines, people, and procedures.

The Process of Network Security discusses the many issues involved and walks you through the specific steps of setting up a secure system, focusing on standard operating procedures and day-to-day operations and maintenance. Providing a broad perspective on the challenge of enterprise security, this book covers a wide range of topics, including:

• Understanding the nature of attacks and attackers
• Setting security goals
• Creating a secure network design
• Building a team
• Fortifying network components
• Implementing physical and personnel security
• Monitoring and ordering a network
• Discovering and handling an actual attack
• Dealing with law enforcement authorities

You will find many experience-based observations, insights, and sound advice to point you in the right direction and to help you avoid potentially dangerous pitfalls and threats that face your network security. The book also addresses the "catch-22" that security specialists face: how to demonstrate the value of security when proof of its success cannot always be thoroughly tracked or measured.

Written in a conversational tone, The Process of Network Security conveys both the specific information and the general mindset that will enable you to anticipate, prevent, and respond to network threats.

0201433176B04062001

See all Editorial Reviews

Product Details

• Paperback: 304 pages
• Publisher: Addison-Wesley Professional; 1 edition (March 12, 2000)
• Language: English
• ISBN-10: 0201433176
• ISBN-13: 978-0201433173
• Product Dimensions: 9.3 x 7.2 x 0.7 inches
• Shipping Weight: 1.3 pounds (View shipping rates and policies)
• Average Customer Review: 4.2 out of 5 stars  See all reviews (8 customer reviews)
• Amazon Best Sellers Rank: #2,868,961 in Books (See Top 100 in Books)

More About the Author

Discover books, learn about writers, read author blogs, and more.

Customer Reviews

Most Helpful Customer Reviews

10 of 10 people found the following review helpful:

4.0 out of 5 stars A really good starting point for network security, October 30, 2000

By 

Ben Rothke "Author of 'Computer Security: 20 ... (USA) - See all my reviews
(REAL NAME)   

This review is from: The Process of Network Security: Designing and Managing a Safe Network (Paperback)

The problem with most introductory books is that they are written in an overly simplistic and long-winded style. The Process of Network Security is different in that respect, and it is indeed an effective introduction to the world of network security.

What differentiates this book from other introductory texts is that author Thomas Wadlow treats information systems security not as a set of different technologies, but rather as an integrated process. By viewing security as an evolving process, a network manager can create a security methodology that can develop into a strong foundation for the company's information security program.

The book is written for network managers and systems administrators who have been give different security responsibilities within their organizations and provides them with a comprehensive overview of the critical aspects involved with information systems security. While it is, of course, impossible to build security systems that are absolutely secure, the book demonstrates that a thorough process incorporating good designs can isolate security so that problems in one specific area aren't catastrophic to the entire system.

Wadlow is an industry veteran, and his experience shines throughout the book. The work covers all the major aspects of information security, including security team building, network monitoring, intrusion detection, and damage control. For those wanting a taste of what information security is all about, in a book written in a real-world format for an intelligent reader, this book is an excellent choice.

This review of mine originally appears at http://www.securitymanagement.com/library/000905.html

9 of 9 people found the following review helpful:

5.0 out of 5 stars What you REALLY need to know about computer security!, January 8, 2001

By 

Peg Schafer (Harvard University, Cambridge, MA United States) - See all my reviews

This review is from: The Process of Network Security: Designing and Managing a Safe Network (Paperback)

I teach computer systems management to students here at Harvard University. Every day someone asks me a question that is answered in Mr. Wadlow's book. Here he explains the way to *_think_* about computer security - before you implement any solution. For anyone who has to design a secure computing infrastructure, Mr. Wadlow's book is the book for you! The art of Computing Security has been made clear by Mr. Wadlow's thoughtful discussions of the trade offs. Every manager of computing professionals should read this book. Mr. Wadlow's writing style is entertaining and informative. Spend a morning with this book and your afternoon will be very productive.

8 of 8 people found the following review helpful:

5.0 out of 5 stars An approach that goes to the essence of proactive security, April 9, 2001

By 

Mike Tarrani "www.tarrani.com" (Deltona, FL USA) - See all my reviews
(COMMUNITY FORUM 04)    (REAL NAME)   

This review is from: The Process of Network Security: Designing and Managing a Safe Network (Paperback)

Mr. Wadlow has written a truly useful book that sorts out the many facets of security and recasts them into a complete and straightforward approach to implementing an effective security organization. The only thing I found wrong with this book is the title because the approach is not confined to network security. This book serves as a model for all IT security, and can be applied to data centers, servers and the other components of a large, complex IT suite.

He starts out with the foundation, writing a security policy, and offers excellent advice on how to go about this important task. Policy writing is an art and a science, and it is apparent that Mr. Wadlow knows his stuff here. An ambiguously worded or unenforceable policy is next to worthless and he shows how to avoid both of those pitfalls.

I liked the chapter titled "Who is Attacking You?" because it forces you to carefully consider threats and exposures, which is the first step towards crafting a plan for dealing with them. I also liked the chapter on the security design process because it is methodical and repeatable. One of the difficulties in developing an encompassing security approach is driving the stake into the ground, and the process given shows just where to drive it and how to proceed from there. This is a good prelude to the chapter on building a security team, which proposes a sensible structure and completely addresses requirements.

The chapters on the technical aspects, such as fortifying network components, physical security, and network monitoring and auditing are true best practices and can be modified to fit other areas of IT (as mentioned at the beginning of this review).

As a consultant I particularly liked the chapter that addresses quantifying the value of security. However, this is not only for consultants - security is expensive and requires both dedication and resources, both of which are costly. This material goes a long way towards building a compelling business case for an effective security posture and for proving its ongoing value to management who might think of it as a necessary evil that sucks up more budget share than it is worth. When faced with the wild world of attackers and the internal bean counters it is sometimes difficult to determine who the real enemy is :-)

The book ends with excellent chapters on preparing for an attack, handling it and analyzing the aftermath for lessons learned and future preventive measures to incorporate. Overall, this section is the life cycle of an incident and should be carefully read.

I obviously like this book a lot. I think it provides a structure and method for designing and implementing a sound and effective security strategy. Moreover, the approach can easily be expanded to encompass off of IT, making this book all the more valuable. I strongly recommend and would give it more than 5 stars if I could.