Hardening Network Security

As a security consultant I am sometimes asked for reference books for new security managers. These individuals need help bringing their enterprise under control. Hardening Network Security is a good book for this sort of problem, although it is important to recognize a few technical errors outlined below. My favorite part of the book is Ch 1 ("Do these seven things before you do anything else"). The seven are (1) change default account settings; (2) use administrator accounts for administrator tasks only; (3) identify unused or unnecessary ports; (4) disable/shut down/remove unused and unnecessary services and daemons; (5) remove rogue connections; (6) set up filters for malicious content; and (7) test backup and restore procedures. Ch 1 was the most helpful section, in my opinion. The author should have mentioned Windows tools from SysInternals, however, and warned that rootkits obscure processes, files, and other information reported by compromised operating systems. Part II gives hardening recommendations for the enterprise. Segmentation, identity management, authentication, Web services, mobile devices, stored data, databases, OS access control, encrypting transport, remote access, wireless, UNIX, IDS and incident response, malware, and "wetware" appear in Part II. Part III discusses operational issues like assessments, change management, patching, and security reviews. Part IV finishes with management politics and "security apathy." A great deal of the material is helpful. Most of the book takes a high-level approach to enterprise security. Some sections (like the Web services chapter) are far too complex for managers; their eyes will cross while reviewing SOAP headers. Some sections have a dated feel, like the mention of standard and extended Cisco ACLs (Ch 2) without discussion of reflexive or other modern ACLs. The same chapter says routers filter at layer 3, ignoring the fact that the extended ACLs just mentioned operate at layer 4 (where TCP and UDP ports appear). Page 54 in Ch 2 says "circuit-level firewalls work at Layer 6, the presentation layer...[and] verify the handshaking process of each connection (SYN,ACK,SYN-ACK)." Ouch, that is wrong on multiple levels. One note on a typo -- in Figure 11.3, Zone 1 and Zone 3 should be interchanged. Ch 6 mentions Bluetooth, but says Bluetooth attacks are "relatively close proximity" problems where "attacks on these types of devices [are] limited to 10 meters." We know this is not true. Ch 14 covers intrusion detection and response, which I reviewed closely. Page 369 makes the following odd statement: "Spanning and mirroring have inherent weaknesses, as they will not forward 100 percent of the traffic to the NIDS port. In addition, the mirrored switch can produce collisions, and the operation of the switch begins to approach the same functionality of a hub." That is a really bizarre claim, especially because the author's "solution" to this problem is worse than a SPAN port.

This book is a useful compilation of common sense, practical security recommendations and procedures for the everyday manager or administrator. It is written in a way that covers a variety of critical topics without getting overly technical or talking of the sake of talking. There are frequent references to additional resources you can use to drill down in any of the topic areas. The use of several authors to share their stronger areas makes this a better resource. The book does a good job of approaching timely security risks such as database and application security, as well as devoting several chapters to management issues of great use to technical staff and management. The recurring "HEADS UP!" type of reference boxes are overly annoying, but I assume this is a publisher issue and they really don't detract from the content.

This book has some really good coverage. A lot of it is kindof high level, but good information none the less. This would be an ideal book for a technical manager to gain a broad understanding of the covered topics.