BKFNNTSC.RVW 20010512

"Fundamentals of Network Security", John E. Canavan, 2001, 1-58053-176-8, U$69.00
%A John E. Canavan canavan@well.com jcnv@chevron.com
%C 685 Canton St., Norwood, MA 02062
%D 2001
%G 1-58053-176-8
%I Artech House/Horizon
%O U$69.00 617-769-9750 fax: 617-769-6334 artech@artech-house.com
%P 319 p.
%T "Fundamentals of Network Security"

This commonplace guide to security can provide the newcomer with some basic information. However, it also contains some rather large gaps, and not a little misinformation.

Chapter one outlines the usual reasons why we need security, and it also provides some basic security terms and concepts. Most of the material is reasonable, but some is not quite standard. A number of different threats are outlined in chapter two. However, errors are rife in this material, although most are fairly minor. Of the fourteen mailing lists that readers are told they might find useful, at least three have been dead for over a year; at least two of those for more than three. The overview of cryptology, in chapter three, is at a very high level, with limited discussion of key management, and almost none dealing with strength and key length.

Chapter four starts out very badly, by stating that Kerberos uses both symmetric and asymmetric cryptography. (It doesn't: despite proposals for public key extensions, Kerberos itself uses a very elegant system of purely private key encryption to avoid sending passwords and keys in clear text at any time. Such a basic misunderstanding taints everything else in the chapter.) World Wide Web encryption is supposed to be the topic of chapter five. However, after a very terse outline of SSL (Secure Sockets Layer) and SHTTP (Secure HyperText Transfer Protocol), and a tiny bit of the missing discussion of key length, we get pages of screen shots of browser certificates, which are almost meaningless without the background review. There is also a tiny overview of Authenticode, with no mention of its flaws.
Chapter six presents something of a grab bag of email related topics, mentioning encryption systems, spam, identity problems, privacy of employee email, and even auto-responders. With the addition of more screen shots, a number of pages are taken up with little information imparted. Most of chapter seven concentrates on access control and passwords. The material is reasonable, if not deep, but could be better organized. So too with the suggested policies for network management in chapter eight, although the author does seem to think that one set of recommendations can fit all LANs.

Chapter nine's look at network media does not really deal with security at all, unless you count the somewhat problematic opinions regarding the relative difficulty of tapping. There really isn't much discussion of routers and SNMP (Simple Network Management Protocol) in chapter ten: it concentrates on a few proprietary products. Chapter eleven mentions a number of VPN (Virtual Private Network) related protocols, but gives neither details for assessment nor conceptual discussions for determining relative usage. There is a decent overview of basic firewall terms, with some areas of confusion, in chapter twelve. Chapter thirteen has a basic outline of biometric concerns, but no details of the technologies.

The review of security policy development in chapter fourteen is pedestrian. Chapter fifteen, entitled "Auditing, Monitoring, and Intrusion Detection," is oddly confused, since the author makes no distinction between outside audits and the ongoing auditing of materials that result from regular monitoring. There is unimaginative advice on disaster recovery in chapter sixteen. "Cookies, Cache, and AutoComplete" is a strange add-on: yes, there are security risks associated with these functions, but they are hardly fundamental to network security.
In the introduction, while stating that this book is intended for beginners to computer security, the author disclaims the title of computer security expert, and, in fact, asserts that many who do profess ace status may not have as much right as they maintain. I can greatly sympathize with this sentiment. However, simply by writing a book, Canavan implicitly professes some mastery of the subject, and the mere abdication of the rank does not relieve him of the responsibility for his mistakes. There are a number of other texts with better coverage, greater readability, superior accuracy, and less wasted space.

copyright Robert M. Slade, 2001