"Internet security" is darned near an oxymoron, like "jumbo shrimp": a phrase with its own contradictions built in. Openness was built into the Internet's very DNA; insecurity exudes through its every marrow and pore. (And that's even before you install Internet Information Server!) But giving up is not an option: Companies have learned the hard way that they simply must make Internet security a top priority. If you don't realize it yet, you will. And that's not a threat. It's a promise.
Fortunately, says Tim Crothers, while implementing Internet security isn't easy, "doing so is possible and doesn't have to cost you an arm and a leg." In fact, as Crothers points out at the beginning of his excellent Internet Lockdown, many of the best techniques available to you are about reconfiguring your existing systems -- not buying anything new.
For too many system administrators, the words "Internet security" evoke bewildering commands, obscure devices, and the risk that too much messing around will make your systems completely inaccessible to the folks who do need them. That's what this book is intended to change. While the specifics are here -- and explained exceptionally well -- Crothers works hard to place security in context. As he puts it, "Understanding the technologies is not enough. You must also understand the framework in which those technologies can show their best strength."
What's more, unlike some writers on the subject, Crothers is aware that you've inherited certain, umm, realities. As Chief Security Engineer at one of the world's leading e-security providers, he's seen it all -- and he outlines a practical process for getting from where you are to where you need to be.
You'll find one of the best descriptions of how crackers work, written from the perspective of the defender -- including a pretty thorough laundry list of the techniques available for gathering information about your systems (address and port scanning, banner retrieval, slow scanning, stealth scanning, DNS zone transfers, finger, LDAP, SNMP, Internet DB queries, OS fingerprinting, Windows registry mining...). The same chapter includes a list of today's nine most serious threats. After all this time, weak passwords still make the list -- but so do UNIX RPC, badly written CGI code, and Microsoft's Remote Data Services (a vulnerability first recognized two years ago but still unfixed on many systems -- and highly exploitable).
In a detailed chapter on setting up realistic policies, Crothers emphasizes balance, never forgetting that security is a means to an end -- not an end in itself. Then it's on to the controls available to you -- system-level, network-level, application-level, and Internet-based. You'll walk through removing services and components you really don't need; making sure appropriate validation mechanisms are in place; protecting specific applications such as POP and IMAP email; and much more.
Internet Lockdown doesn't lack for cautionary tales. For instance: In an evening of scanning, Crothers was able to identify more than 700 SQL Server databases, based on the IP ports they typically leave open (TCP 1433 for a default SQL Server instance). As a security consultant, he happens to know that many of these databases have never had their system administrator passwords changed (changing the administrator password can have ripple effects elsewhere, and many administrators would rather not deal with that). If only 1 percent of these databases are at risk, the bad guys could walk away with the contents of seven enterprise databases per evening! Crothers doesn't tell you this to scare you, but rather to help you think about your priorities. Fix the stuff that affects your entire enterprise before you fix the stuff that only affects one transaction.
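The two techniques that open Crothers's reconnaissance list, port scanning and banner retrieval, are also what the SQL Server anecdote above rests on: find the hosts answering on a service's default port, then read what the service says about itself. The following is an added illustration, not code from the book or from this review. It is a plain TCP connect scan with banner grabbing, pointed at a throwaway listener that the script itself starts on localhost so it runs offline; the listener, its SMTP-style greeting, and the port list are constructed for the example, and the slow and stealth variants the book also lists are deliberately not shown.

```python
"""Added example: TCP connect scan plus banner retrieval against a local,
constructed dummy service. Not from Internet Lockdown or its review."""
import socket
import threading

# Well-known TCP ports a defender would sweep first. 1433 is the SQL Server
# default instance port behind the "700 databases in an evening" anecdote.
WELL_KNOWN = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 110: "pop3",
              143: "imap", 1433: "ms-sql-s"}


def grab_banner(host, port, timeout=1.0, probe=b""):
    """Try a full TCP connect to host:port and return (is_open, banner).

    FTP, SSH and SMTP announce themselves as soon as the connection opens;
    others (HTTP) only answer after a probe is sent. A connect scan is the
    noisy variant: every open port sees, and can log, a completed session.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            if probe:
                s.sendall(probe)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""
            return True, data.decode("latin-1", "replace").strip()
    except OSError:  # refused, unreachable, or timed out
        return False, ""


def scan(host, ports, timeout=1.0):
    """Return {port: (service_guess, banner)} for each port that accepted a connection."""
    found = {}
    for port in ports:
        is_open, banner = grab_banner(host, port, timeout)
        if is_open:
            found[port] = (WELL_KNOWN.get(port, "unknown"), banner)
    return found


def start_dummy_service(banner):
    """Constructed fixture: a local TCP listener on an ephemeral port that
    sends `banner` on every connect. Returns (port, listening socket)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed; stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def free_port():
    """Constructed fixture: an ephemeral port with nothing listening on it."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Scan one open (fake SMTP) port and one closed port on localhost."""
    open_port, srv = start_dummy_service(b"220 mail.example.test ESMTP ready\r\n")
    try:
        return scan("127.0.0.1", [open_port, free_port()])
    finally:
        srv.close()


if __name__ == "__main__":
    for port, (svc, banner) in demo().items():
        print(f"{port}/tcp open  {svc:10s} {banner}")
```

Run against your own address space, the same loop with `ports=[1433]` is the defender's version of Crothers's evening of scanning: an inventory of which SQL Servers are reachable at all, which is the question to settle before worrying about any single application's input validation.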
The book concludes with a "practical exam" that walks you through implementing web security for a typical firm -- on a budget and in a hurry. You'll walk through securing hubs, implementing DNS safely on legacy systems, choosing a firewall, then securing Cisco internetworking equipment, firewalls, an Oracle server, a web server, a Lotus Notes server, and more. And you'll come away with the confidence you need to secure your own digital assets. (Bill Camarda)
Bill Camarda is a consultant, writer, and web/multimedia content developer with nearly 20 years' experience in helping technology companies deploy and market advanced software, computing, and networking products and services. He served for nearly ten years as vice president of a New Jersey-based marketing company, where he supervised a wide range of graphics and web design projects. His 15 books include Special Edition Using Word 2000 and Upgrading & Fixing Networks For Dummies®, Second Edition.