Principles of Network and System Administration: A Book Review
Textbooks are not always just for the classroom. Sometimes, they're for holding up bookcases, large pots with plants in them and for keeping doors/windows open. Occasionally, they are the treasure chests of information a soul requires to do something for the betterment of self, system and/or network.
This little book will improve all three. Principles of Network and System Administration is neither big nor flashy, but it is probably one of the best works in the genre. It builds on an extensive body of work by others in the field and pulls the information together in such a way that the material is easily comprehended and absorbed. Burgess' writing is clear and engaging, something few textbooks achieve.
Burgess approaches both network and system administration from the perspective of "those principles and ideas of system administration which do not change on a day-to-day basis..." (from the Preface). The first principle Burgess sets out has to do with permissions:
Restriction of unnecessary privilege protects a system from accidental and malicious damage, and infection by viruses, and prevents users from concealing their actions with false identities. It is desirable to restrict users' privileges for the greater good of everyone on the network.
Burgess pays particular attention to the effects of given actions on the networked community, whether that network is a LAN or the Internet. We live in an age of networks, where what one user does most certainly and directly affects others on-line. This theme runs throughout the book, particularly in discussions of security, access to resources, data separation and permissions. Individual users' rights and the needs of the community must be carefully weighed against each other by the system/network administrator.
Security is thoroughly discussed in two consecutive chapters. "Chapter 9: Principles of Security" covers a gamut of topics ranging from the physical security of a system to an overview of some common network attacks. Burgess nicely sums up the four basic elements of security (privacy, authentication, trust and integrity) and binds them to the underlying principle of security: "The fundamental requirement for security is the ability to restrict access and privilege to data."
By access, the author means those events that can corrupt/remove data, i.e., electrical storms, accidents and the like. If these events don't have access to data (because the data and/or backups are stored separately from where the effects of these events are likely to be felt) the data is partially secure; if users' privileges are guarded and enforced, the data is more secure still.
Burgess pays perhaps more attention than many of his author colleagues to the human factor in system and network administration, the sociology of computer users. He raises the question of security vs. user convenience, pointing out that inconvenient security measures are more likely to be circumvented by users than to be effective.
The same principle applies to overly conspicuous security measures in the face of an accomplished cracker. Security measures must be taken, but to make them obvious frequently serves as a temptation for the malicious user to get around a barrier to what (being so well-protected) may just be very valuable information. Then again, the pay-off for such a user may merely be bragging rights. The system's administrator is advised to verify such claims first, deal with the situation methodically and avoid panic altogether.
Chapter 10 deals thoroughly with security implementation, from analysis of network security, to WWW security, to intrusion detection and forensics. Again, the specifics of methodology are not the issue, but the reasoning used in setting up protected systems appropriately is.
If you don't come to systems administration from a scientific/mathematical background, you'll want to have a good math reference or two while going through "Chapter 11: Analytical System Administration". There are several references to statistical and calculus formulae that are better understood, and even implemented, if the reader has a faint idea of what Burgess is doing with the numbers. This is not to disparage the chapter at all. Evidence collection is a requirement of systems administrators if policies are to have any relationship to (or bearing on) user behavior or that of hardware and software performance over a period of time.
In addition to his focus on Linux/FreeBSD, Burgess also shows a strong appreciation for, and understanding of, the value of cfengine as the system administrator's "best friend". While its entries in the index are inaccurate, cfengine is well-delineated on pages 144-145, and again on pages 158-159. Especially nice is his description of how cfengine can be used simply by setting up its time classes to work as a user interface for cron, as a sort of front end with a variety of scripts as required. Pages 385-392 cover the use of cfengine in programming/automating tasks.
As an educator at Oslo College, Norway, Burgess demonstrates an alternate application of Principle 50, which states: "Every change or effect happens in response to a cause, which provokes it." Exercises at the end of each chapter are geared to grounding the reader in both theory and practice of network/system administration.
Appendix C contains introductions to, and brief code snippets of, several common scripting languages (PHP, HTML, Perl and CGI), as well as make. Useful if you're the system administrator for a server!
Burgess has presented a work that pays great attention to the heuristics of system and network administration; technical and sociological issues are taken into account equally and are presented thoughtfully with an eye to teaching not what to do as a system or network administrator, but how to think about problems that arise in the practice. As a result, the author keeps the reader looking forward to what comes next and to actually implementing what he or she has learned.
Stephanie Black is a writer--of words and code. When not writing, she runs a Linux consultancy, Coastal Den Computing, in Vancouver, BC, Canada.