BKIMPVPN.RVW   20000112

"Implementing Virtual Private Networks", Steven Brown, 1999,
0-07-135185-X, U$55.00
%A   Steven Brown ids@vnet.net, ids@pobox.com, ids@itdiffusions.com
%C   300 Water Street, Whitby, Ontario   L1N 9B6
%D   1999
%G   0-07-135185-X
%I   McGraw-Hill Ryerson/Osborne
%O   U$55.00 905-430-5000 800-565-5758 905-430-5134 fax: 905-430-5020
%P   594 p.
%T   "Implementing Virtual Private Networks"

I do not know why, but I was seriously rooting for this work from the moment I opened it. A completely unreasoned bias in favour of it. I am in sympathy with the author's aims, to provide an introduction to Virtual Private Networks (VPNs) that both techie and executive alike could understand and profit from. I very much liked the stated intent to explain not only VPNs themselves, but also basic security concepts, so that the implementor could tune the net architecture and configuration for maximum protection.

But I cannot recommend the text. If you do not have a background in data and communications security, you will find this book confusing at best, and seriously misleading at worst. If you do know security, this book will make your brain hurt. At one point, Brown starts talking about "known unknowns" and "unknown unknowns." I was inescapably reminded of the comment from Dilbert's Pointy-Haired Boss: "What I need is a list of specific unknown problems we will encounter."

The organization of the material needs a great deal of reworking. Many of the chapters don't really cover the concepts stated in their titles, and almost all chapters contain information that is significantly divergent from the topic at hand. The writing is confused, confusing, and contradictory in places. From the biographical information given, the author should know the technology, and yet what is presented in the book is a mass of trivia, with a great many mistakes, rather than a coherent explanation.

Part one is supposed to look at the foundations of VPNs.
Chapter one tries to introduce the concept of the Virtual Private Network, but it does so by making a VPN analogous to a party line, where the more realistic explanation would be that a VPN acts like a technology to make a party line act like a private line. An internal (intracompany) VPN is said to protect against insider attacks, without explaining why a VPN can do this if more traditional security methods can't. Availability, security, compatibility and other security terms are said to be components of a VPN rather than functions or features. A case for the business need for VPNs talks only about the fact that foreign markets are growing. Finally, the chapter equates VPNs with encryption, both limiting the scope of the use of and need for VPNs, and expanding the range of what a VPN actually does.

In chapter two we are told that the Open Systems Interconnection (OSI) communications framework is a security model (and one that is implemented on every platform). A figure shows VPN functions implemented at the physical layer level. (Ironically, this would clearly illustrate a point he makes elsewhere about tradeoffs: it would be completely secure, but completely incompatible.) Key recovery programs, we are told, require a second, different key. (Some encryption algorithms would seem to preclude the possibility of any other compatible key.) In terms of hard disk encryption, it is pointed out that if you lose the key, you will have to take the disk to a repair shop to recover your data, and then the data can be copied, all of which leaves me wondering just exactly what the point was of including this section. We are also told that nonrepudiation and backup are necessary components of a VPN.

There is supposed to be a discussion of the advantages and disadvantages of a VPN in chapter three, but it seems to talk about networks in general.
In reviewing overseas links, the text assumes that some will have to be unprotected, but doesn't note that any unprotected link provides a point of entry to the whole VPN. Toll free 800 numbers are variously said to be a cost that can be eliminated by the use of a VPN, a cost that can't be eliminated by a VPN, and a new cost required by the installation of a VPN. And so it goes.

In chapter four one security note says that antiviral software should not be run on a single computer because virus checking is processor intensive, while another section insists that antiviral software should be run on one specific machine because it is processor intensive. Since the component parts of a VPN have been so poorly defined in the prior material, the discussion of topologies, in chapter five, is unclear. It may seem odd to say that the discussion of US government restrictions on encryption is US-centric, but the view in chapter six provides an extremely limited understanding of the issues precisely because it does not accurately reflect the situation in the wider world.

Ostensibly, part two looks at implementation. Chapter seven does not cover the basics; it presents some extremely generic project advice, and some detailed minutiae. The requirements list in chapter eight doesn't touch on such fundamental factors as required uses and the size of a VPN. (Most of it is a jumble of details in any case.) There is a confused grab bag of marketing information culled from sales pamphlets in chapter nine. After all of which, the fact that chapter ten does have some useful suggestions on troubleshooting comes as a surprise. Chapter eleven supposedly deals with maintenance, but mostly doesn't.

Part three is intended to give the reader background theory in security.
Chapter twelve starts with a serious mistake in defining the basic terms of cryptography and encryption, continues by misunderstanding that simple pattern searches are ineffective against block ciphers, and finally tails off into a mix of detailed trivia and depthless mentions of related technologies. There are a lot of relatively irrelevant particulars of encryption, plus many thinly related topics (like the IPsec protocols), in chapter thirteen. Various authentication schemes are touched on in chapter fourteen, but there is limited analysis. Chapter fifteen lists a number of operating system vulnerabilities, most of which have nothing to do with VPNs. The attacks mentioned in chapter sixteen do generally relate to VPNs, but few sections mention defence, and some of the assaults listed are extremely exotic and unlikely. A variety of security resources are touched on in chapter seventeen, without much of an indication of where to find them. (Appendix A covers some of this, but it would have been much handier to have the material integrated.) Chapter eighteen gives a brief introduction to intrusion detection. Most of the new technologies mentioned in chapter nineteen have only the most tangential relevance to VPNs, and some are obviously misunderstood.

The simple fact is that not only are there better books available on the topic, this one adds almost nothing to the available literature. The shortcoming that the author notes in VPN writing definitely exists, but this work does not fill that need.

copyright Robert M. Slade, 2000