BKCOMPSC.RVW 990430

"Computer Security", Dieter Gollmann, 1999, 0-471-97844-2
%A Dieter Gollmann
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%D 1999
%G 0-471-97844-2
%I John Wiley & Sons, Inc.
%O 416-236-4433 fax: 416-236-4448 rlangloi@wiley.com
%P 320 p.
%T "Computer Security"

Gollmann is fairly explicit in stating the intention and audience for the book. It is to be a text for a course, rather than a handbook, encyclopedia, or history. It is about computer security, rather than information security in general, although there are sections on computer network security and database security. The objective of the course for which it was prepared is to give students a sufficient background to evaluate security products, rather than to address issues of policy or risk analysis. Thus the emphasis is on technical, rather than managerial, aspects.

Part one lays the basic foundation for computer security. Chapter one outlines the fundamental vocabulary and concepts. Authentication is reviewed in chapter two. Examples from both UNIX and NT are used, in chapter three, to explain access control. Chapter four's discussion of security models requires a significant background in set theory, but for a course this can be assumed as a prerequisite. Considerations for hardware or operating system level security are looked at in chapter five.

Part two examines security in the real world. Chapter six provides a good review of the UNIX security functions. Security aspects of NT are described in chapter seven, but the effective interaction of rights and permissions is not clear (a failing shared by most NT security texts). A variety of ways in which security has failed are detailed in chapter eight. This concludes with a section on computer viruses in a quite different format and level of detail. The reason for this is not made clear, but I am willing to grant that most security texts do not treat the subject as well.
Chapter nine talks about the evaluation of security products, but concentrates on the formal criteria laid down by governmental agencies.

Part three looks at distributed systems. Chapter ten reviews specific systems, such as Kerberos and CORBA (Common Object Request Broker Architecture) security. Specific known Web vulnerabilities are effectively used to illustrate classes of threats in chapter eleven. The explanation of cryptography in chapter twelve is nicely balanced for mechanics (a full description without a morass of detail) but is somewhat weaker on key management and cryptographic strength. Network security, in chapter thirteen, deals with implementation level topics such as the IPSec (Internet Protocol Security) protocols and firewalls.

Part four deals with other aspects of security theory, primarily related to databases. Chapters fourteen and fifteen, respectively, discuss basic and advanced database security concepts. Problems of concurrent access, with applications in transaction processing, are examined in chapter sixteen. Security concerns of the object-oriented paradigm are raised in chapter seventeen.

In terms of readability, Gollmann's writing is not always fluid, but it is always clear. While intended as a class text, the book is, in most parts, accessible to any intelligent reader. The exercises provided at the end of each chapter are not mere buzzword tests, although most are more suitable as discussion starters than as checks for understanding. The bibliography is not annotated, but the "Further Reading" section at the end of each chapter helps make up for this shortcoming. Having to flip between two sections to find the referenced work is a bit awkward, but not unduly so.

This is a very welcome addition to the general computer security bookshelf.

copyright Robert M. Slade, 1999