Network Security: A Beginner's Guide, Second Edition

Overview

There is no sorcery to implementing proper information security, and the concepts that are included in this fully updated second edition are not rocket science. Build a concrete foundation in network security by using this hands-on guide. Examine the threats and vulnerabilities of your organization and manage them appropriately. Includes new chapters on firewalls, wireless security, and desktop protection. Plus, plenty of up-to-date information on biometrics, Windows.NET Server, state laws, the U.S. Patriot Act, and more.

Editorial Reviews

From Barnes & Noble
The Barnes & Noble Review
OK, you know enough about network security to be terrified. But here’s what you don’t know: What to do first. What to do next. That’s where Network Security: A Beginner’s Guide, Second Edition comes in. This surprisingly simple, project-based book walks you through implementing very solid security in your company.

Leading security consultant Eric Maiwald first gives you the lay of the land. You’ll learn what to watch out for, what tools are available to help you, what laws you’d better know about, and what goals you need to accomplish: ensuring confidentiality, integrity, availability, and accountability. Next, you’ll lay the groundwork -- establishing intelligent policies and processes that reflect technical and administrative best practices.

He then moves on to the nuts-and-bolts: deploying firewalls and virtual private networks, using encryption and digital signatures, and even deploying intrusion detection. The effectiveness of IDSes has increasingly come under question lately: Maiwald does a nice job of flagging the issues so you can decide if they’re right for you. You’ll also find chapters on securing Windows servers (2000 and 2003) and Unix servers (including key tasks like finding SUID and SGID files).

While this is called a “beginner’s guide,” Maiwald gets into some reasonably advanced areas -- for instance, architecting your ISP connection for security. (What services should go in your “DMZ”? How do you design secure partner networks?) No security program is ever perfect, but if you follow the steps outlined here, you’ll have done enough to send most hackers after easier prey. Bill Camarda

Bill Camarda is a consultant, writer, and web/multimedia content developer. His 15 books include Special Edition Using Word 2000 and Upgrading & Fixing Networks for Dummies, Second Edition.

Product Details

  • ISBN-13: 9780072229578
  • Publisher: McGraw-Hill Companies, The
  • Publication date: 5/29/2003
  • Series: Beginner's Guide Series
  • Edition description: Subsequent
  • Edition number: 2
  • Pages: 496
  • Product dimensions: 7.40 (w) x 9.10 (h) x 0.94 (d)

Meet the Author

Eric Maiwald (Gaithersburg, MD) is the Director of Security Services for Fortrex Technologies. Mr. Maiwald is also the lead instructor for Fortrex Security Training including the ISS Certified Engineer (ICE) training class. He is a prominent speaker at several security conferences, is the author of Network Security: A Beginner’s Guide, co-author of Security Planning & Disaster Recovery and was a contributing author of Hacker’s Challenge all published by McGraw-Hill/Osborne. Additionally he has written several white papers on Intrusion Detection for conference proceedings.

Read an Excerpt

Excerpt from

Chapter 5: Policy

...The policy should also require updates of the signatures for such security programs on a periodic basis. For example, the policy might specify that the signatures be updated on a monthly basis.

Encryption

The security policy should define acceptable encryption algorithms for use within the organization and point back to the Information Policy to show the appropriate algorithms to protect sensitive information. There is no reason for the security policy to specify only one algorithm. The security policy should also specify the required procedures for key management.

Waivers

Despite the best intentions of security staff, management, and system administrators, there will be times when systems must be put into production that do not meet the security requirements defined in the security policy. The systems in question will be required to fulfill some business need, and the business need will be more important than making the systems comply with the security policy. When this happens, the security policy should provide a mechanism to assess the risk to the organization and to develop a contingency plan.

This is where the waiver process comes in. For each such situation, the system designer or project manager should fill out a waiver form where the following information is defined:

  • The system in question
  • The section of the security policy that will not be met
  • The ramifications to the organization (that is, the increased risk)
  • The steps being taken to reduce or manage the risk
  • The plan for bringing the system into compliance with the security policy

The security department should then review the waiver request and provide its assessment of the risk and recommendations to reduce and manage the risk. In practice, the project manager and the security staff should work together to address each of these areas so that when the waiver request is complete, both are in agreement.

Finally, the waiver should be signed by the organization's officer who is in charge of the project. This shows that the officer understands the risk to the organization and agrees that the business need overcomes the security requirements. In addition, the officer's signature agrees that the steps to manage the risk are appropriate and will be followed.

Appendices

Detailed security configurations for various operating systems should be placed in appendices or in separate configuration procedures. This allows these detailed documents to be modified as necessary without changing the organization's security policy.

Computer Use Policy

The computer use policy lays out the law when it comes to who may use computer systems and how they may be used. Much of the information in this policy seems like common sense but if the organization does not specifically define a policy of computer ownership and use, the organization leaves itself open to lawsuits from employees.

Ownership of Computers

The policy should clearly state that all computers are owned by the organization and that they are provided to employees for use in accordance with their jobs within the organization. The policy may also prohibit the use of non-organization computers for organization business. For example, if employees are expected to perform some work at home, the organization will provide a suitable computer. It may also be appropriate to state that only organization-provided computers can be used to connect to the organization's internal computer systems via a remote access system.

Ownership of Information

The policy should state that all information stored on or used by organization computers belongs to the organization. Some employees may use organization computers to store personal information. If this policy is not specifically stated and understood by employees, there may be an expectation that personal information will remain so if it is stored in private directories. This may lead to lawsuits if this information is disclosed.

Acceptable Use of Computers

Most organizations expect that employees will only use organization-provided computers for work-related purposes. This is not always a good assumption. Therefore, it must be stated in the policy. It may be appropriate to simply state "organization computers are to be used for business purposes only." Other organizations may define business purposes in detail.

Occasionally, organizations allow employees to use organization computers for other purposes. For example, an organization may allow employees to play games across the internal network at night. If this is to be allowed, it should be stated clearly in the policy.

The use of the computers provided by the organization will also impact what software is loaded on the systems. It may be appropriate for the organization to state that no unauthorized software may be loaded on the computer systems. The policy should then define who may load authorized software and how software becomes authorized.

No Expectation of Privacy

Perhaps the most important part of the computer use policy is the statement that the employee should have no expectation of privacy for any information stored, sent, or received on any organization computers. It is very important for the employee to understand that any information may be examined by administrators and that this includes electronic mail. Also, the employee should understand that administrators or security staff may monitor all computer-related activity to include the monitoring of Web sites.

Internet Use Policy

The Internet use policy is often included in the more general computer use policy. However, it is sometimes broken out as a separate policy due to the specific nature of Internet use. Connectivity to the Internet is provided by organizations so that employees may perform their jobs more efficiently and thus benefit the organization. Unfortunately, the Internet provides a mechanism for employees to misuse computer resources.

The Internet use policy defines appropriate uses (such as business-related research, purchasing, or communications using electronic mail) of the Internet. It may also define inappropriate uses (such as visiting non-business-related Web sites, downloading copyrighted software, trading music files, or sending chain letters).

If the policy is separate from the computer use policy, it should state that the organization may monitor employee use of the Internet and that employees should have no expectation of privacy when using the Internet.

Mail Policy

Some organizations may choose to develop a specific policy for the use of electronic mail (this policy may also be included in the computer use policy). Electronic mail is being used by more and more organizations to conduct business. Electronic mail is also another way for organizations to leak sensitive information. If an organization chooses to define a specific mail policy, it should take into account internal issues as well as external issues.

Internal Mail Issues

The electronic mail policy should not be in conflict with other human resources policies. For example, the mail policy should point to any organization policies on sexual harassment. If the organization wants to make a point that off-color jokes should not be sent to coworkers using electronic mail, the existing definitions of off-color or inappropriate comments should be reproduced or identified within the policy. If the organization will be monitoring electronic mail for certain key words or for file attachments, the policy should state that this type of monitoring may occur. It should also state that the employee has no expectation of privacy in electronic mail.

External Mail Issues

Electronic mail leaving an organization may contain sensitive information. The mail policy should state under what conditions this is acceptable and point back to the information policy for how this information should be protected. It may also be appropriate for the organization to place a disclaimer or signature at the bottoms of outgoing electronic mail to indicate that proprietary information must be protected.

The mail policy should also identify issues around inbound electronic mail. For example, many organizations are testing inbound file attachments for viruses. The policy should point back to the organization's security policy for the appropriate virus configuration issues.

User Management Procedures

User management procedures are the security procedures that are most overlooked by organizations and yet provide the potential for the greatest risk. Security mechanisms to protect systems from unauthorized individuals are wonderful things but can be rendered completely useless if the users of computer systems are not properly managed.

New Employee Procedure

A procedure should be developed to provide new employees with the proper access to computer resources. Security should work with the Human Resources Department and with system administrators on this procedure. Ideally, the request for computer resources will be generated by the new employee's supervisor and signed off by this person as well. Based on the department the new employee is in and the access request made by the supervisor, the system administrators will provide the proper access to files and systems. This procedure should also be used for new consultants and temporary employees with the addition of an expiration date set on these accounts to correspond with the expected last day of employment.

Transferred Employee Procedure

Every organization should develop a procedure for reviewing employees' computer access when they transfer within the organization. This procedure should be developed with the assistance of Human Resources and System Administration. Ideally, both the employee's new and old supervisors will identify the fact that the employee is moving to a new position and the access that is no longer needed or the new access that is needed. The appropriate systems administrator will then make the change.

Employee Termination Procedure

Perhaps the most important user management procedure is the removal of users who no longer work for the organization. This procedure should be developed with the assistance of Human Resources and System Administration. When Human Resources identifies an employee who is leaving, the appropriate system administrator should be notified ahead of time so that the employee's accounts can be disabled on the last day of employment.

In some cases, it may be necessary for the employee's accounts to be disabled prior to the employee being notified that he is being terminated. This situation should also be covered in the termination procedure.

The termination procedure should also cover temporary employees and consultants who have accounts on the systems. These users may not be known to the Human Resources department. The organization should identify who will know about such employees and make them a part of the procedure as well...

Table of Contents

Acknowledgments
Introduction
Pt. I Information Security Basics
1 What Is Information Security? 3
2 Types of Attacks 19
3 Hacker Techniques 35
4 Information Security Services 77
Pt. II Groundwork
5 Legal Issues in Information Security 93
6 Policy 115
7 Managing Risk 143
8 Information Security Process 161
9 Information Security Best Practices 187
Pt. III Security Technologies
10 Firewalls 213
11 Virtual Private Networks 227
12 Encryption 247
13 Intrusion Detection 277
Pt. IV Practical Applications and Platform-Specific Implementations
14 Unix Security Issues 311
15 Windows 2000/Windows 2003 Server Security Issues 335
16 Internet Architecture 375
17 E-Commerce Security Needs 403
18 Wireless Security 431
A Answers to Mastery Checks 445
Index 459