Richard Bejtlich's Profile

Reviews Written by
Richard Bejtlich "TaoSecurity" (Metro Washington, DC)

Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort
by Michael Rash
Edition: Paperback

5.0 out of 5 stars One of the best technical books published in 2007, December 20, 2007
Disclaimer: I wrote the foreword for this book, so obviously I am biased. However, I am not financially compensated for this book's success.

In the foreword I note that Linux Firewalls is a "great book." As a FreeBSD user, Linux Firewalls is good enough to make me consider using Linux in certain circumstances! Mike's book is exceptionally clear, organized, concise, and actionable. You should be able to read it and implement everything you find by following his examples. You will not only learn tools and techniques, but you will be able to appreciate Mike's keen defensive insights.

The majority of the world's digital security professionals focus on defense, because offense is left to the bad guys, police, and military. I welcome books like Linux Firewalls that bring real defensive tools and techniques to the masses in a form that can be digested and deployed for minimum cost and effort.

One of the main reasons Linux Firewalls is a great book is that Mike Rash is an excellent writer. I've read (or tried to read) plenty of books that seemed to offer helpful content, but the author had no clue how to deliver that content in a readable manner. Linux Firewalls makes learning network security an enjoyable experience. Mike is exceptionally detail-oriented (see the RST vs RST ACK issue on p 63 and elsewhere) and he often cites sources and additional references. Linux Firewalls very nicely integrates sample network traffic to make numerous points; Ch 11 has several great examples. The sections on Fwsnort even improved my understanding of Snort itself.

The bottom line is that if you are a user of non-Microsoft operating systems (Linux, BSD, etc.) and you want to know how Linux can help defend your network, you will enjoy reading Linux Firewalls.

LAN Switch Security: What Hackers Know About Your Switches
by Eric Vyncke
Edition: Paperback

3.0 out of 5 stars Great idea, but not executed as well as the subject deserves, October 17, 2007
I really looked forward to reading LAN Switch Security (LSS), simply because it covered layer 2 issues. These days application security, rootkits, and similar topics get all the press, but the foundation of the network is still critical. Unfortunately, LSS disappointed me enough to warrant this three star review. I'm afraid those before me who wrote five star reviews 1) don't read enough other books or 2) don't set their expectations high enough.

Let me first say I am not anti-Cisco, nor anti-Cisco-book. For an earlier Cisco Press book I wrote "I really enjoyed reading Cisco Router Firewall Security (CRFS) by Richard Deal. This book delivers just what a technical Cisco book should: discussion of concepts, explanation of command syntax, and practical examples." LSS, however, is not what I like to see in a Cisco book. It suffers the major flaw found in almost all technical books featuring large numbers of writers (LSS has 2 authors, 4 contributors, 2 tech editors): incoherence and overlapping discussions. Furthermore, many of these contributors do not write clearly. I found large sections to be disjointed and inconsistent. It is clear that no one stepped up to the plate to see if the finished product made any sense from the reader's perspective.

The second major problem with this book is that older books easily overpower LSS. For example, in March 2006 I gave Hacking Exposed: Cisco Networks (HECN) four stars. HECN covers many of the same topics as LSS, more clearly, with more syntax, and better explanations. Anyone who wants to buy a book about layer 2 security should start with HECN. If you don't want to buy a book, just download the free 86-page Cisco IOS Switch Security Configuration Guide published by NSA.

If you read HECN or the NSA guide, you'll be struck by the amount of configuration syntax in those resources. If you glance through LSS you'll see syntax, but (and this bothered me greatly) not for all the features discussed. For example, LSS ch 16 (Wire Speed Access Control Lists) features sections titled "Working with RACL", "Working with VACL", and "Working with PACL". That's great -- six pages (pp 263-268), with no command syntax! Sure, you can read about using VACLs for traffic capture, but where are the examples? If you tell me they are the same as other examples, I want to see the proof. This is the sort of glaring omission that really frustrated me.

I did like some of LSS. I thought attacks against link aggregation protocols, discussions of control plane policy, and spanning tree protocol were interesting. Adding discussions of ARP spoofing a remote gateway using Yersinia would have been helpful. There are a decent number of typos (POP != "point of presence", replace "Ethernet" with "IP" on p 235), but technically the book seemed sound. (One of the authors was kind enough to confirm the p 235 typo; I wanted to be sure I hadn't missed something important.)

I notice Cisco is publishing a book titled Router Security Strategies: Securing IP Network Traffic Planes in December. Presumably that will be a counterpart to this title, except at layer 3. I hope that new book avoids the mistakes made by LSS.

Security Data Visualization: Graphical Techniques for Network Analysis
by Greg Conti
Edition: Paperback

5.0 out of 5 stars Innovative and timely security book, October 7, 2007
Security Data Visualization (SDV) is a great book. It's perfect for readers familiar with security who are looking to add new weapons to their defensive arsenals. Even offensive players will find something to like in SDV. The book is essentially an introduction to the field, but it is well-written, organized, and clear. I recommend all security analysts read SDV.

I give five star reviews to books that meet certain criteria. First, the book should change the way I look at a problem, or properly introduce me to thinking about a problem for which I have little or no frame of reference. Although I have been a security analyst for ten years, I have little visualization experience. Author Greg Conti spent just the right amount of time explaining the field, describing key terms (preattentive processing, occlusion, brushing) and displays (star plots, small multiples, TreeMaps). I loved the author's mention of Ben Shneiderman's visualization mantra: "overview first, zoom and filter, details on demand" (p 14).

Second, a five star book should have few or no technical errors. SDV was as sound as they come, at least as far as the security and networking information goes. I can't comment on the author's synthesis of the visualization community. I also liked the case studies in Chs 3, 4, and 5. I liked reading the visualization methodology introduced in the chapter on analyzing firewall logs (Ch 7).

Third, a five star book will make the material actionable. I finished SDV thinking I could try at least some of what I read on my own network. Ch 10 talked about how to build your own visualization tool. I would have liked additional detail on using some of the tools in the book, so perhaps a future edition will expand on that point.

A fourth feature of great books is including current research and referencing outside sources. SDV cited many foundational papers and presentations on visualization in general and security visualization specifically. Chs 6 and 12 addressed these subjects in detail. Ch 11 presented readers with ideas for future projects.

Overall, it should be obvious I really enjoyed reading SDV. My only real complaint seems inherent to the field: how to analyze large data sets. The case study in Ch 5 ("One Night on My ISP") only looks at 303 packets. It is easy to dismiss it since there's hardly any data to analyze. However, I feel that the author's techniques can be creatively scaled if one maintains realistic expectations. SDV is an excellent introduction to the security visualization field and I hope to see other works from the author and others on this important topic.

Snort IDS and IPS Toolkit (Jay Beale's Open Source Security)
by Jay Beale
Edition: Paperback

3.0 out of 5 stars Too bad this is the only semi-modern Snort book, September 22, 2007
Syngress published "Snort 2.0" in Mar 03, and I gave it a four star review in Jul 03. Syngress followed with "Snort 2.1" in May 04, and I gave it a four star review in Jul 04. I recommend reading those reviews, since the latest edition -- "Snort IDS and IPS Toolkit" (SIAIT) -- makes many of the same mistakes as its predecessors. Worse, it includes material that was already outdated in BOTH previous editions. If you absolutely must buy a book on Snort, this edition is your only real choice. Otherwise, I would stick with the manual and online articles.

SIAIT looks impressive page-wise, but it suffers from the multiple-author, no-editing, rush-to-production problems unfortunately inherent in many Syngress titles. One would think that including many contributing authors (11, apparently) would make for a strong book. In reality, the book contributes very little beyond what appears in "Snort 2.1," despite the fact that "only" chapters 8, 10, 11, and 13 appear to be repeats or largely rehashes of older material. Compared to "Snort 2.1," these correspond to old chapters 7, 10, 12, and 11, respectively.

The absolute worst part of this book is the re-introduction of all the outdated information in chapters 8 and 10. It is 2007 and we are STILL reading on p 353 that XML output is "our favorite and relatively new logging format" and on p 367 that "Unified logs are the future of Snort reporting." (I cited both of these as being old news in Jul 04!) I should note that these chapters are not entirely duplicates; if you compare output such as that on page 335 of "Snort 2.1" with page 365 in SIAIT you'll see the author replaced the original 2003 timestamps with 2006! This is the height of lazy publishing. Chapter 10 features similar tricks, where traffic is the same except for global replacements of IP addresses and timestamps; notice the ACK numbers are still the same and the test uses Snort 1.8.

There's plenty more in this book to make you cringe. Mentions of Netbus, SubSeven, BO2k, ExploreZip, QAZ, and the like in ch 1 will make you think it's 1999 all over again. In ch 2 you can be misled into thinking that "there will be rule upgrades released with each major version of Snort for those who do not care to register." In reality the last rule set for unregistered users arrived with Snort 2.4 in Jul 05. Ch 3 wastes time rambling about SMP, threads, operating systems, and other topics I can better learn in a non-Snort book. I also liked reading how to install Snort 2.4.3 on OpenBSD in a book about Snort 2.6.x. Ch 3 also featured such pearls of wisdom as recommendations to not run Metasploit but instead use worthless stateless tools like Snot and Sneeze (p 123).

A few more choice words could be said about these disasters. Check out the "three way handshake" diagram on p 238 that shows FIN ACK / FIN ACK / FIN, and the "graceful close" diagram on p 239 that shows FIN / FIN ACK / ACK / ACK. These sorts of train wrecks are evidence that someone is asleep at the publishing house. Returning to the old material theme for ch 9, be prepared for screenshots or output from BASE 1.0.2 from Jul 04, Sguil 0.3.1 from Apr 04, and SnortSnarf from Jan 03. Finally, ch 12: why bother?

I have a few positive comments. The best chapter in SIAIT is ch 5 (Inner Workings). I liked seeing Afterglow, Tenshi, and SEC in ch 9. I enjoyed hearing something about performance profiling in ch 6. I thought the rules chapter was ok, but (to repeat a plea from my earlier reviews) would someone please consider writing a real rule writing reference that exceeds the introductory material found in this book and elsewhere? We also need coverage of shared object rules and other advanced Snort features.

It should be clear by now that the Syngress Snort book procession needs to end. Another publisher should consider writing a real Snort book for version 3.0 once it is available.

Security Metrics: Replacing Fear, Uncertainty, and Doubt
by Andrew Jaquith
Edition: Paperback

5.0 out of 5 stars A ground-breaking book that all security managers should read, August 9, 2007
I read Security Metrics right after finishing Managing Cybersecurity Resources, a book by economists arguing that security decisions should be made using cost-benefit analysis. On the face of it, cost-benefit analysis makes perfect sense, especially given the authors' analysis. However, Security Metrics author Andy Jaquith quickly demolishes that approach (confirming the problem I had with the MCR plan). While attacking the implementation (but not the idea) of Annual Loss Expectancy for security events, Jaquith writes on p 33 "[P]ractitioners of ALE suffer from a near-complete inability to reliably estimate probabilities [of occurrence] or losses." Bingo, game over for ALE and cost-benefit analysis. It turns out the reason security managers "herd" (as mentioned in MCR) is that they have no clue what else to do; they seek safety in numbers by emulating peers and then claim that as a defense when they are breached.

Fortunately, Security Metrics offers another solution. The book gives readers three sets of information: theory, metrics, and tools (concepts, not programs). The theory chapters (1 and 2) were so concise yet insightful I was tempted to underline every sentence. (I am not kidding.) Even the Preface made me glad to be reading the book when it associated "security ROI" with "the Macarena" and called it a "needless distraction." I laughed in agreement when I saw Andy call "security enablement" the "Abominable Snowman: it is rarely spotted, but legions of people swear it exists. After all, as my friend Dan Geer puts it, 'You don't usually see airlines advertising how their planes fall out of the sky less often than their competitors.'" Why is that? My answer is simple: security is assumed and expected. Advertising anything else has no effect or makes people suspicious. I knew this book would be good.

The metrics chapters probably list hundreds of metrics you can extract verbatim and apply to your own environment. To the reviewer who wanted to reprint them in an appendix: they're called chapters 3 and 4. My main concern with the metrics was the focus on input-centric measurements instead of results. I would have liked to read more metrics on measuring whether security programs are working, rather than what techniques and tools are applied up front.

The tools chapters were helpful to anyone needing a statistics refresher. The visualization sections were especially helpful. (Feel free to dismiss yet another ignorant review from WB, who thinks a "review" means writing a few paragraphs after flipping through the pages of five books a day.) Andy's examples of turning lousy graphs and charts into information visualization vehicles should be followed by all managers.

Security Metrics is strengthened by the many stories from the author's consulting experience. I sensed that his techniques work and are not the product of the thought laboratory alone. I found his "Balanced Scorecard" approach to be interesting, especially to the degree it ties real metrics to business operations.

I had a few issues with terminology, such as using the term "threats" on p 231 when "attacks" is more accurate. (The football analogy is correct, however.) I semi-agreed with the author's suggestion to abandon "risk management" in favor of metrics-based approaches, but I didn't think two pages (4-5) were really enough to make the case. On p 264, threats are not risks, but they help instantiate risks. On pp 78-7, "risk of exploit" should be "ease of exploitation."

These are minor concerns, given the overwhelming concentration of practical and implementation-worthy pieces of information in Security Metrics. You must read this book if you care to measure security progress. Now we need Dan Geer to extend beyond writing wise forewords and articles into the world of his own book!

Managing Cybersecurity Resources: A Cost-Benefit Analysis (The Mcgraw-Hill Homeland Security Series)
by Lawrence A. Gordon
Edition: Hardcover

4.0 out of 5 stars An excellent book with only one major flaw, August 9, 2007
Managing Cybersecurity Resources (MCR) is an excellent book. I devoured it in one sitting on a weather-extended flight from Washington-Dulles to Boston. MCR teaches security professionals how to think properly about making security resource allocation decisions by properly defining terms, concepts, and models. The only problem I have with MCR is the reason I subtracted one star: its recommended strategy, cost-benefit analysis, relies upon estimated probabilities of loss and cost savings that are unavailable to practically every security manager. Without these figures, constructing cost-benefit equations as recommended by MCR is impossible in practice. Nevertheless, I still strongly recommend reading this unique and powerful book.

My favorite aspect of MCR is its explanation of economics and finance terms to the security audience. I felt like applauding when I read on p 47 "[M]any managers... are merely calling the IRR an ROI or ROSI (return on security investment). Given that the concepts of "return on investment" and "internal rate of return" are well established in the accounting, finance, and economics literature, as well as among nearly all senior financial managers (e.g., CFOs), security managers should be careful how they use these terms. Indeed, misusing these terms can only lead to problems for the security manager." (See p 45 for a comparison of ROI, IRR, and NPV.)

In a similar fashion, MCR explains what a "return" is for security on p 21: "The benefits associated with cybersecurity activities are derived from the cost savings (often called cost avoidance) that result from preventing cybersecurity breaches. These benefits are difficult, and often impossible, to predict with any degree of accuracy. Moreover, since the actual benefits are conceptually the cost savings associated with potential security breaches that did not occur, it is not possible to measure these benefits precisely after the security investments are made."

What of "investment"? Pp 28-30 say: "[O]rganizations tend to treat the bulk of their cybersecurity expenditures as operating costs and charge them to the period in which they are incurred," unlike capital investments, which "represent assets of an organization that should appear on the organization's balance sheet." The authors recommend us to "view all costs related to cybersecurity activities... as capital investments with varying time horizons."

So what is a cost? P 5 says "The cost of information security is essentially a negative network externality associated with the Internet... [It] arises when malevolent individuals and organizations [which the authors properly label "threats" on p 12] join the network, thereby imposing costs on all well-intentioned users. These costs take the form of losses caused by actual security breaches plus the cost of actions... designed to prevent such breaches."

P 30 wisely states "[N]o amount of security can guarantee that breaches will not occur... The goal of the organization should be to implement security procedures up to the point where the benefits minus the costs are at a maximum." The footnote on p 31 continues with "An alternative way to view this discussion is to think of the goal as one of trying to minimize the sum of the costs associated with cybersecurity activities and the costs associated with breaches... the optimal level of cybersecurity for an organization would be the same under the cost minimization goal as it would be if the organization were to maximize the net benefits." I think most managers prefer to think in terms of cost minimization, which is prevalent throughout IT.

Costs are dissected on pp 56-58: "The direct costs of cybersecurity breaches are those costs that can be clearly linked to specific breaches... the indirect costs of cybersecurity breaches cannot be linked... Explicit costs of cybersecurity breaches are those costs of breaches that can be measured in an unambiguous manner... implicit costs are opportunity costs (i.e., costs associated with lost opportunities), which cannot be measured without ambiguity... the benefits derived from spending funds on cybersecurity activities come largely from the cost savings derived by avoiding the implicit costs of breaches."

Page 63 explains why companies have "Chief Privacy Officers" and the like, even though preserving privacy is the confidentiality aspect of the CIA triad and could be a CISO responsibility: "The findings from our study show that, on average, information breaches that compromise confidentiality do have a significant negative impact on the stock market value of corporations experiencing breaches. Indeed, the average decline in the firm's stock market value... was approximately 5 percent."

So far so good, right? The major flaw with MCR arrives in ch 4, on p 68: "The variables affecting potential cost savings include (1) the potential losses associated with information security breaches, (2) the probability that a particular breach will occur, and (3) the productivity associated with specific investments, which translates into a reduction in the probability of potential losses." This is true -- but this is the key problem: devising even rough estimates of 1, 2, and 3 is nearly impossible in practice. The authors' examples (see figure 4-2 for one) assume these factors can be determined (like $10 mil total potential loss without countermeasures, 75% probability of loss with no countermeasures / 50% with $650,000 of countermeasures, and so on). When I saw these contrived examples I wondered "what is the origin of these figures?" The fact of the matter is that they are all guesswork, which means the calculator can say anything the analyst wishes to produce.

In some sense we are back to square one, although much better educated in economics. (Note that Andy Jaquith's book Security Metrics also observes how calculating these figures is nearly impossible in real life.)

Because MCR is so right in all of its other discussions, the book deserves 4 stars. A proper acceptance of the difficulty or impossibility of determining 1, 2, and 3 might have resulted in 5 stars. Perhaps a second edition will address these concerns?

PS: I would be remiss to not quote the authors' exceptional insights into the problems with security auditing. P 132 says "[T]he checklist approach tends to shift attention away from the cost-benefit aspects of such security. That is, the checklist approach usually assumes that conducting a particular procedure is inherently worth doing." P 137 hits the nail on the head: "[F]or some firms, it is quite possible that the costs of cybersecurity auditing will exceed the benefits. If this were to occur, then cybersecurity auditing would in effect decrease the firm's value." Amen.

XSS Attacks: Cross Site Scripting Exploits and Defense
by Seth Fogie
Edition: Paperback

4.0 out of 5 stars Originality and coverage earn four stars, but a better book is needed, July 20, 2007
XSS Attacks earns 4 stars for being the first book devoted to Cross Site Scripting and for rounding up multiple experts on the topic. The authors are synonymous with attacking Web applications and regularly share their vast expertise via their blogs and tools. However, XSS Attacks suffers the same problems found whenever Syngress rushes a book to print -- nonexistent editing and uneven content. I found XSS Attacks to be highly enlightening, but I expect a few other books on the topic arriving later this year could be better.

First, as Tadaka mentioned, ch 3 is the best written part of the book. In fact, the author of ch 3 should have written the entire book. There is a difference between an author of a tool, an author of a blog, and an author of a book. The author of ch 3 clearly knows how to make a clear argument over the course of a long stretch of pages (over 90) and carry the reader. Lucky for non-book-buyers, Syngress posted ch 3 for free on their Web site. You'll get a great foundation on XSS, and learn about CSRF and backdooring Flash and Quicktime.

In terms of readability, ch 2 wasn't bad. I liked trying out various Firefox extensions and the author's examples were good. I think ch 1 should be completely dropped. It mentions terms not defined until ch 2. The language is exceptionally rough, indicating zero editing was done. The DNS pinning examples in ch 5 were confusing; it doesn't help novice readers to discuss [...] and then use [...]. (I think that's an error.) I really didn't get as much from the book past ch 3 as I did from ch 3.

The major take-away from XSS Attacks is that one should never trust clients. Furthermore, far too many vulnerable capabilities exist in applications most people would never dream of fearing, like those that render .pdf or .swf. I really liked the point that browsers constantly interpret and "fix" broken HTML, sometimes to the detriment of the security world. I also liked reading how users can be duped by attacks against the integrity of data, such as adding or removing details of Web sites.

Right now, if you want to learn more about recent XSS attacks in printed form, this book is your main option. Last year I favorably reviewed Lance James' book, Phishing Exposed, which includes some of these techniques. Later this year one of the other book reviewers, Dafydd Stuttard, should be publishing The Web Application Hackers Handbook: Discovering and Exploiting Security Flaws. Syngress claims to be publishing Web Application Vulnerabilities: Detect, Exploit, Prevent by Steven Palmer in the fall. Hacking Exposed Web 2.0 by Himanshu Dwivedi is another option, but I find his security books to be poorly written. I highly recommend visiting the authors' blogs, since they cover a lot of the information in XSS Attacks.

Endpoint Security
by Mark Kadrich
Edition: Paperback

3.0 out of 5 stars A confusing book with sound observations but an unworkable premise and prescription, July 18, 2007
I really looked forward to reading Endpoint Security. I am involved in a NAC deployment, and I hoped this book could help. While the text does contain several statements that make sense (despite being blunt and confrontational), the underlying premise will not work. Furthermore, simply identifying and understanding the book's central argument is an exercise in frustration. Although Endpoint Security tends not to suffer any technical flaws, from conceptual and implementation points of view this book is disappointing.

This is a tough review to write, because the non-product-specific chapters (1-7) are conceptually all over the map. Let me start with the items I found true and useful in Endpoint Security. I appreciated this perception on p 15: "I don't agree with the notion that the perimeter has disappeared. It's just moving too fast to see." This is true on p 20: "[B]asic engineering processes aren't at work in the security industry... We continue to suffer failures, and we have no way of knowing when our security solutions are successful." And this, on p 33: "[W]e've failed the first test because we can't describe secure... because we don't understand the problem well enough, we don't have a way to predict success; the converse is that we can't predict failure." And this, on p 34: "[W]e, the security industry, are not using sound engineering or the scientific method to figure out what is wrong. Worse yet, we continue to make the same mistakes year after year. We rely on the vendors to tell us what the solution should be instead of turning the formulation of a solution into a science." I loved this, on p 39: "[M]any people honestly believe that the network is too complex to understand and that 'security' is the purview of hackers and vendors. I've actually had security people tell me in meetings that their network is too large, too distributed, and too complex to identify all the endpoints on it!" By now I was excited; I thought we had a winner.

In reality, on page 1 I knew Endpoint Security was going to have problems. The author starts by using an HVAC system as a process model. He completely ignores that an HVAC system is not being attacked by intelligent adversaries. If your model does not account for the creativity, persistence, and rule-breaking of an intelligent adversary, then your model will fail in the real world. For example, on p 39 the author says "This is not how engineers do things, and for all practical purposes, no matter how we got here, we are engineers." This is not true; if we are engineers at all, we are combat engineers -- and our systems are being assaulted. Building on the HVAC idea, the author tries to introduce control theory and closed-loop process control (CLPC) (without really saying what an "open" loop looks like). I say "tries" because his "explanation" makes no sense, despite the use of examples. I found the coverage on Wikipedia to get to the heart of the issue quicker and clearer. For example, the author mentions "PID" on p 55 and 64, but only expands the acronym on p 73 to show PID means proportional-integral-derivative. On p 46 he mentions "proportional process control methodology" as if the reader should know what this means. I found myself wondering if several sections were written out of order, and I only pieced together the argument by flipping around.

To save you the same trouble, the author's premise is that networks need a "basic proportional control," meaning "protocols, hardware, and software ... [that] automatically reconfigure themselves based on our dictated policy" (p 79). NAC is a means to "close the loop" by having a "basic proportional control" that ensures "each time the endpoint connects to the network... it represents a minimum level of compliance with corporate security policy" (p 175).

The huge conceptual holes in Endpoint Security are 1) the assumption that "feedback" for CLPC is reliable and trustworthy; and 2) compliance = integrity = trustworthiness. Regarding 1, the author is in one place bashing vendors, and in another relying on vendors to produce anti-virus, IDS, and other mechanisms to be reliable -- or else his model fails! For example, p 62 states "we can make some basic assumptions about our network: A) We have a system for probing our network for vulnerabilities; B) We have some way of identifying intrusion attempts." While A is possible to some degree, it is impossible to simply "assume away" the problems of B. An IDS isn't a thermometer that accurately reports temperature.

Regarding 2, Endpoint Security states on p 78 that answering the following questions "yes" means a "minimum level of trust." In brief, they are patched? firewalled? anti-virus? authorized applications? and authorized user? Unfortunately, answering "yes" to these questions does very little to presume the endpoint is trustworthy. Sadly, the author mocks Microsoft's (correct) stance on this issue. On p 172 Microsoft says "Network Access Quarantine Control is not a security solution. It is designed to help prevent computers with unsafe configurations from connecting to a private network, not to protect a private network from malicious users who have obtained a valid set of credentials."

Conceptual issues aside (and there are more, like calling embedded devices or handhelds "threats" instead of "assets" with "vulnerabilities" and "exposures"), Endpoint Security has practical problems. Each chapter on specific technologies features sections called "initial health check." The idea is to run these "tests" to validate integrity in case you don't start with a clean build. That is a recipe for disaster, and some of the book's recommendations are laughable. If your rootkit detection methodology relies on comparing netstat and Nmap output, you're going to lose. The Windows chapter is decent, but looking at a handful of registry keys is no way to assess security. (Check out Harlan Carvey's recent book instead.) The Linux chapter is sad; who uses Xandros as a commercial Linux distro? Why not use Red Hat Enterprise Linux (emphasis on Enterprise)? Who remotely administers a Linux box with VNC? Mac OS X is not a FreeBSD variant; kernel mode rootkits written for FreeBSD will not work on Mac OS X. Worse, the author cannot recommend any host integrity tools (p 119); if this is true, how can the integrity of a host be assessed? Using those five criteria mentioned earlier? Forget it.

Worst of all, the author builds his entire model on implementing CLPC via NAC, relying on "closing the loop" as "the missing link" to security nirvana. Yet, when we read the product specific chapters (Windows, Linux, Mac OS X, PDAs/Smartphones, and Embedded) only Windows can "close the loop." Is this for real? Build a model and then say it can't be done right now? I appreciate the desire to look ahead, but why did I just read this book?

I didn't give this book 2 stars because I reserve that rating for books with glaring technical errors. Endpoint Security gets 3 stars for its sound observations of the security space (listed above), but I found the rest of the book not worth reading (although I read the whole thing). I cannot fathom how the reviewers and editors of this book allowed such a confusing argument and unworkable premise and prescription to be published.

PS: The story about the "Patent Office" on p 13 is an urban myth; Google "Charles Duell".

Network Warrior: Everything you need to know that wasn't on the CCNA exam
by Gary A. Donahue
Edition: Paperback
42 used & new from $2.12

102 of 104 people found the following review helpful
5.0 out of 5 stars Maybe the best book I will read in 2007, July 16, 2007
Network Warrior is the best network administration book I've ever read. I spend most of my reading time on security books, but because I lean towards network security I like reading complementary sources on protocols and infrastructure. Gary Donahue has written a wonderful book that I highly recommend for anyone who administers, supports, or interacts with networks. Network Warrior may be the best book I will read in 2007.

Why is Network Warrior so great? I think the key is the author's willingness to share personal recommendations. There are plenty of books about technology and syntax. I've read and reviewed many, most of which I liked for what they offered. However, it's rare to read a network book that says "here's how you should implement this," rather than just list options. I'm at the point in my career where I know what I might do; now I want to know what a real expert would do. Donahue provides that wisdom in many sections, but especially in Part VIII on network design.

A second reason I really enjoyed Network Warrior was its coverage of a variety of Cisco features. Sure, I had read of many of these elsewhere, but I thought Donahue made many of them clear, especially in comparison to each other. There are better references for ACLs, like Cisco Router Firewall Security by Richard Deal, but when ACLs are described next to route maps or VLAN maps, Ciscoland becomes a little easier to understand. Donahue's explanations of EtherChannel, switching algorithms, and autonegotiation are other good examples. I even admit that the author corrected my misunderstanding of QoS, as he says "QoS does not limit bandwidth, it guarantees it, which is not the same thing" (p 429). Elsewhere he says "When there is no congestion, any protocol can use any amount of available bandwidth it needs" (p 428) and "while scheduling of packets always takes places, the limits set are really only enforced during congestion" (p 427).

The third reason I like Network Warrior is the attention paid to understanding the fundamentals of certain technologies and products. The author ensures the reader gets a real grounding in telecom terms and technology, like T-1 lines. For products, I liked chapters on the 6500 series switch, content switches, and layer 3 switches.

Finally, the writing is exceptionally clear. The diagrams are excellent and make their point very well. The author's suggestions for being a better administrator apply to any technical operator. I liked Donahue's repeated suggestion to "never assume anything" and to start troubleshooting at layer 1.

Although I rated Network Warrior five stars, in a second edition I would like to see more on layer two fundamentals. I would also like to read about 802.1X and perhaps even Cisco NAC, since it seems to be becoming popular. Overall, however, you should buy and read Network Warrior right now. I loved it and will recommend it to anyone who wants to be a better network administrator.

Backup & Recovery: Inexpensive Backup Solutions for Open Systems
by W. Curtis Preston
Edition: Paperback
Price: $35.48
61 used & new from $2.80

28 of 28 people found the following review helpful
4.0 out of 5 stars The best backup book available, but I have requests for the next edition, July 7, 2007
W. Curtis Preston is the king of backups, and his book Backup and Recovery (BAR) is easily the best book available on the subject. Preston makes many good decisions in this book, covering open source projects and considerations for commercial solutions. Tool discussions are accompanied by sound advice and plenty of short war stories. If the author addresses the few concerns I have in his next edition, that should be a five star book.

The best aspect of BAR is the author's obvious expertise in this subject. He does a good job sharing lots of his knowledge with the reader. Probably the most valuable conceptual framework I learned in BAR is the difference between backups and archives. Pages 696-7 summarize this nicely: "Backups are the secondary copy of primary data... Archives are the primary copy of secondary data." In this section and elsewhere, Preston describes how archives are the repository one should create when answering ediscovery requests and similar queries -- not backups. This is an extremely powerful idea and I plan to see how my employer deals with this issue.

The second best aspect of BAR involves multiple chapters on backing up various databases. One can usually find similar coverage in single books on specific databases, but having all information in one book is useful for purposes of comparison. Chapter 15 provides an overview of the entire problem by discussing terminology and features found in many databases. This chapter helps storage admins understand the database admin world. Of particular note was the coverage of Microsoft Exchange, which the book calls a specialized database. I had not thought of Exchange in this light, but it's true -- especially when Microsoft indicates future versions will have SQL Server replacing Extensible Storage Engine. I only read chapters on SQL Server, Exchange, and MySQL.

The third best aspect of BAR includes OS-specific chapters on bare-metal recovery. Although my OS of choice (FreeBSD) didn't merit its own chapter, I felt the material in the bare-metal section was robust enough to help me perform this work if necessary. I really only read the chapters on Windows/Linux and ignored Solaris, HP-UX, AIX, and Mac OS X.

BAR is a good book, so why not five stars? First, I thought the chapters on open source backup options (especially ch 7 on "Open-Source Near CDP") were weak. I wanted to learn a lot more about rdiff-backup, for example, but the tool merited about 5 pages and introduced only the simplest possible invocation. Rsnapshot was also undercovered. It seemed like too many pages were spent on utilities I would probably never use (given newer options) like dump and cpio. I was also not confident I could get very far with Amanda, BackupPC, or Bacula given the detail given to each open source product. (Regarding BackupPC -- I had to guess it was open source and then only found out the truth when its Web site at was mentioned late in the chapter!)

Second, some topics never really made sense. For example, I still do not understand how snapshots actually work. Calling it a "picture" means nothing to me. Snapshots are mentioned throughout the text, and the explanation that finally appears near the end of the book in a miscellanea chapter doesn't help.

Third, I would really have liked to hear more about services offering backup to the Internet, like Amazon's S3 and others. This MUST be covered in the next edition.

Finally, although the book has lots of advice, it would have been nice to have had a case study chapter where multiple example enterprises demonstrate their backup and recovery solutions. After finishing the book I have lots of ideas floating around, but seeing how a one-person, 100-person, 10,000-person, and 500,000-person environment implement BAR would be greatly appreciated.
