The Practice of Network Security by Allan Liska
Three years ago, the lead network technician on my campus network spent 95% of his time installing, configuring and tweaking network-attached devices. Today, he spends 95% of his time securing them. The field of network security is large, and security is a tough job. It also can be next to impossible to stay current with all the latest developments, let alone track all the vulnerabilities, patches, alerts, incidents and attacks. So, Allan Liska's book on current network security practice is welcome, indeed.
The central dogma of the book is the organization of a security policy on a series of fronts that when implemented in their totality provide “layers of protection” against attackers. This is excellent advice. Liska also drums home the message that network security has to be a priority for the entire organization, not only the IT department or network administrator. Without the involvement of the organization, the resulting security policy is sub-optimal at best and next to useless at worst.
After setting the scene in his opening chapter, Liska discusses organizing your network security practice around an established security model. RFC 2196, Cisco's SAFE and ISO 15048 are surveyed before Liska recommends CERT's OCTAVE as the model to get you started, citing that it offers the most flexibility.
Liska then devotes a chapter to the various classes of network technologies that need to be protected. There's specific material relating to routers, switches, authentication/authorization services, RAS/VPNs, wireless WAN/LANs, firewalls, intrusion detection systems and the use of a demilitarized zone (DMZ). The advice in the DMZ chapter is presented well and is some of the best material in the book. One of the longest chapters deals with server security, and it is followed by chapters relating to securing DNS and workstations. The later chapters of the book are concerned with the management of network security, including such topics as SNMP deployment, monitoring, logging and incident reporting.
Chapter 15 presents the author's Top 10 Security Mistakes. This is a great list and includes items such as “over reliance on a firewall” and “failure to follow through”. If you can work through the list and state that none of the mistakes apply to your organization, you are in great shape. If you cannot, you have some work to do.
It would be reasonable to think that a book on security strategy would ignore the details, but that is not the case with this book. Most of the time, Liska manages to strike the right balance between talking strategy and providing the all-important details. On occasion, though, too many or an inappropriate amount of details are provided. This is especially true of the IPSec packet format diagrams in Chapter 7.
The quality of the diagrams themselves is one of my biggest complaints, as some diagrams are referenced incorrectly in the text (pages 116–118), have typos on them (page 129) or are too dumbed-down to be of real use (page 125). Some are simply useless, with the diagram on page 132 being a particularly bad example. And I do have a problem with some specific advice. For instance, I don't agree that “all things being equal, a dynamic routing protocol used with proper security precautions will be more secure than a static routing protocol” (page 75).
By and large, though, this book is well put together and is a good overall survey of a fast-moving field. If you are new to the network security game or have inherited responsibility for your organization's network security and are wondering where to start, this book points you in the right direction. If you are a seasoned administrator, this book has less to offer.
As a final comment, I am pleased to report Liska's consistent use of the term attacker to refer to the bad guys, as opposed to the confusing cracker or the just plain wrong hacker, which has been hijacked by the popular press and consistently is used incorrectly when referring to the bad guys. Attacker avoids any confusion and is, in my opinion, the correct term to use when talking about IT security.
Practical Task Scheduling Deployment
July 20, 2016 12:00 pm CDT
One of the best things about the UNIX environment (aside from being stable and efficient) is the vast array of software tools available to help you do your job. Traditionally, a UNIX tool does only one thing, but does that one thing very well. For example, grep is very easy to use and can search vast amounts of data quickly. The find tool can find a particular file or files based on all kinds of criteria. It's pretty easy to string these tools together to build even more powerful tools, such as a tool that finds all of the .log files in the /home directory and searches each one for a particular entry. This erector-set mentality allows UNIX system administrators to seem to always have the right tool for the job.
Cron traditionally has been considered another such a tool for job scheduling, but is it enough? This webinar considers that very question. The first part builds on a previous Geek Guide, Beyond Cron, and briefly describes how to know when it might be time to consider upgrading your job scheduling infrastructure. The second part presents an actual planning and implementation framework.
Join Linux Journal's Mike Diehl and Pat Cameron of Help Systems.
Free to Linux Journal readers.Register Now!
- Google's SwiftShader Released
- Interview with Patrick Volkerding
- SUSE LLC's SUSE Manager
- My +1 Sword of Productivity
- Tech Tip: Really Simple HTTP Server with Python
- Murat Yener and Onur Dundar's Expert Android Studio (Wrox)
- Managing Linux Using Puppet
- Non-Linux FOSS: Caffeine!
- SuperTuxKart 0.9.2 Released
- Returning Values from Bash Functions
With all the industry talk about the benefits of Linux on Power and all the performance advantages offered by its open architecture, you may be considering a move in that direction. If you are thinking about analytics, big data and cloud computing, you would be right to evaluate Power. The idea of using commodity x86 hardware and replacing it every three years is an outdated cost model. It doesn’t consider the total cost of ownership, and it doesn’t consider the advantage of real processing power, high-availability and multithreading like a demon.
This ebook takes a look at some of the practical applications of the Linux on Power platform and ways you might bring all the performance power of this open architecture to bear for your organization. There are no smoke and mirrors here—just hard, cold, empirical evidence provided by independent sources. I also consider some innovative ways Linux on Power will be used in the future.Get the Guide