Network Security Assessment, 2nd Edition
#1
Network Security Assessment, 2nd Edition
Format: Paperback, 504 pages
Publisher: O'Reilly Media, Inc.; 2nd edition (November 1, 2007)
ISBN-10: 0596510306
ISBN-13: 978-0596510305
Review by James Pyles
December 21, 2007

The beginning of the text on the back cover of this book says, "How secure is your network? The best way to find out is to attack it." How many people test how secure their home or car is by trying to break into them? Would you try to break into your aunt's place to test her security and when (hopefully) caught, say you were just trying to make sure she was safe? Ok, it doesn't seem to make sense when considered at that level, but in terms of the security of your network environment, people pay good money to companies so they'll take their best shot at breaking in.

In that sense, it seems Chris McNab might be shooting himself in the foot by publishing this book. After all, he is the technical director for a London-based company that actually performs "penetration testing" for clients to ferret out any security vulnerabilities. Then again, since I have this book in my hands and live in the American northwest, I guess he won't be losing business he would never have gotten in the first place.

McNab wrote this book as a vendor-neutral resource which means (ideally) that he treats all vendors equally. If you run your web servers using Microsoft IIS or Apache, this book has something for both platforms. The same goes whether your database services are provided by Microsoft SQL Server, MySQL, or Oracle. If your goal is to "know your network", you've come to the right place.

Actually, the front matter seems to contradict what I just said since the book's audience is assumed to be "familiar with IP and administering Unix-based operating systems, such as Linux and Solaris". I checked and no mention was made of other operating systems, particularly Windows. What this part of the book goes on to say (in brief) is that you'd better know networking before learning network security testing.

It would seem that while the main thrust of the content addresses "Unix-based" operating systems, some things "Microsoft" are also addressed as I previously mentioned. All is not lost if you are responsible for network security in a Microsoft shop (on the other hand, supplementing this material with more Microsoft-centric resources would certainly help).

The reviews I found on the 1st edition were generally glowing but I wanted to find out the whys and wherefores of the 2nd edition. It seems to boil down to updating for the ever-changing landscape of technologies which makes sense. It would also seem to have to do with the fact that McNab's customers don't always take his good advice and perhaps need that advice expressed in a "no-holds-barred" manner. Actually, security standards and legal requirements also change over time, so there are plenty of reasons to be releasing a 2nd edition just now.

The good news is that the book is really authoritative and it should be. McNab's company Matta is responsible for providing both penetration testing and security training to major corporate players, so he should have his hands on plenty of resources that will be useful to his target audience. Writing this book seems a way to extend the company's reach to those folks who might go to another vendor for similar services or who would prefer to break into their own houses rather than pay someone to do it for them.

The other piece of good news is that it's fun. Yes, it's fun to break into the cookie jar, especially when you know you won't go to jail for it, but actually, I meant that reading the book is fun. Even if you aren't going to run out there and try to hack your firewall from the outside the minute you get a copy of this book, it makes for a very fun and informative read.

That said, if you already are a network security expert, you might not find all of the material as in-depth as you need it to be. While the book's audience breathes a somewhat rarified atmosphere, they don't all live in the highest peaks of the Himalayas. Otherwise, only a handful of people around the world would ever want to buy McNab's book which wouldn't do him or O'Reilly much good.

Remember, earlier you were told that a primary prerequisite for being a target reader was experience on Unix-based operating systems. The book truly weighs in a tad light on Windows and Microsoft security issues so the principle of "truth in advertising" was upheld. I say that so you won't think I'm touting this text as the answer to all of your Windows Server 2003 security woes (unless you believe Microsoft and think that they either don't exist or that Windows Server 2008 will solve them all).

The book spreads its net wide and not always deep (if it went that deep, a scant 504 pages wouldn't even begin to hold its contents). That said, it is an excellent book to get you going on the fundamentals (and then some) of assessing the weaknesses in your network security and how to build up your defenses. If this is your job or you want it to be, Network Security Assessment, 2nd Edition is a book I'd highly recommend. If you want to make sure your network is secure, it's past time to get started.

It's been said that if you give a million chimpanzees a million typewriters, they'll eventually reproduce the complete works of Shakespeare. Wanna bet? Blog: A million chimpanzees
#2
Nice post trip, I think I'll buy this book and keep it for later reading - if he releases a new version, ah well
#3
The book just came out the beginning of November so I imagine it'll be a few years before a third edition will be written.