BKINSECR.RVW 981115 "Internet Security", Tim Meyers/Tom Sheldon/Joel Snyder, 1997, 1-56205-760-X, U$65.00/C$91.95/UK#61.49 %A Tim Meyers %A Tom Sheldon %A Joel Snyder %C 201 W. 103rd Street, Indianapolis, IN 46290 %D 1997 %G 1-56205-760-X %I Macmillan Computer Publishing (MCP) %O U$65.00/C$91.95/UK#61.49 800-858-7674 317-581-3743 info@mcp.com %P 916 p. + CD-ROM %T "Internet Security: Professional Reference", 2nd ed. "Internet" and "security" are two items of great interest, so I guess someone had to write this book. However, I wish it had been someone willing to put some thought into it. Internet security is a complex and many-facetted field, and the narrow views presented here don't come close to doing it justice. Part one is supposed to be about managing Internet security, but it mostly contains a grab bag of background information on the net, with fairly large gaps in the coverage. Chapter one looks at IP addressing and domains, with a mixed lot of UNIX commands related to the net. Some daemon processes are listed in chapter two, along with some discussion of writing your own with shell scripts or Perl, and twenty pages of program listings. A number of UUCP programs are overviewed in chapter three. Some UNIX, NT, and DOS auditing programs and utilities are listed in chapter four. Part two looks at access security. Sniffing and spoofing are reviewed in chapter five, but the sections on protection may be less than helpful. Chapter six is supposed to tell you how to build a firewall. It does list a large number of UNIX utilities related to the function, but this might have been more useful if there had first been even the most token attempt to explain what a firewall was, and the different types and functions. There is a basic explanation in chapter seven, but aimed primarily at evaluation of commercial firewall products. Chapter eight is a very detailed exploration of SATAN (Security Administrator Tool for Analyzing Networks), covering the basic concept of looking for your own holes, a number of tools that look for specific holes, detection tools to note probing attempts, and the operation of SATAN itself. There is a detailed description of Kerberos exchange messages in chapter nine. Part three purports to be about the security of messaging, but seems to be limited to encryption of content. Chapter ten gives the usual, banal introduction to encryption, using examples of old, outmoded substitution ciphers, and never realistically discussing algorithm or key strength, nor key management. Chapter eleven is a rewrite of the documentation for PGP (Pretty Good Privacy) 2.6.2. Part four lumps together four topics under the heading of "modern concerns." Some Windows NT security features are discussed in chapter twelve, but not in much detail. (In fact, the chapter is entitled "Windows NT Internet Security" but doesn't have much to say about the Internet at all.) Chapter thirteen looks at Java, but the security content seems to relate strictly to the bytecode verifier and the applet "sandbox," and doesn't have much detail on those topics. CGI (Common Gateway Interface) security for Web forms gets a very terse review in chapter fourteen. After all of the foregoing, I was pleasantly astounded to find that the virus information, in chapter fifteen, is quite good. The explanation of how viruses work is extremely thorough, and the description of the different types of antiviral software is solid. The recommendations for recovery are not quite as good (FDISK can create more trouble than the virus you are trying to get rid of) and the review of Windows NT is rather optimistic. There are rather massive holes in the coverage presented in this book. The heavy UNIX concentration is only one example, but there are whole subjects not even mentioned. On the other hand, great chunks of the material contained in these pages have only the most tenuous connection to either the Internet or security. While there are some good bits that might justify the purchase of this book for experts, by no means can it be recommended as a sole source, or even an introduction. copyright Robert M. Slade, 1998 BKINSECR.RVW 981115