The Practice of Network Security: Deployment Strategies for Production Environments

This book covers a lot of ground; communication protocols, authentication, authorization, and accounting, network topologies, logical network structures, IDS, IPS, security at the network and host levels, and security policy creation and enforcement. It doesn't get very technical, but does cover alot of theory and security implications. Liska covers all the security basics we should all know: don't transmit passwords in clear text, patch software, shutdown unused network services, use strong passwords and change them often, change default passwords on your routers, switches, and other network hardware, run network daemons in chroot when possible, restrict physical access to servers, centralize your logs, etc. The book is very relevant as of May 2007, although the wireless section may be slightly dated. In the wireless LANs chapter, 802.11i was ratified after the book was printed. It refers to the standard as Temporal Key integrity Protocol (TKIP). It is actually named WPA2. TKIP is only a subset of WPA2, as is CCMP, which wasn't a standard at the time of printing. Some useless advice is given regarding securing wireless connections. Namely, disabling broadcasting of SSID, MAC filtering, and enabling WEP. Today this strategy can be simply circumvented by anyone that knows how to download and run a cracking/sniffing program. Bridging firewalls were mentioned briefly with some advantages. This is a great security strategy as it creates what I like to call a stealth firewall. Liska states the fact that they are difficult to attack or detect because they do not exist at the IP layer. He also mentions that firewalls are no place for Intrusion Detection Systems (IDS), alerting an admin of intrusions. This is very good advice as firewalls should only be a part of your Intrusion "Prevention" System (IPS). In the DMZ chapter, discussions of network designs are accompanied with a liberal amount of diagrams. This is a great help in understanding how network elements are situated and analyzing security holes. I have yet to find an Internet resource that has the number of graphical representations of different secure network designs, including multiple DMZs, that this book contains. Liska does advise security by obscurity. For example, changing BIND's version so as not to disclose the version, for which there could be specific exploits. A second example is changing the name of the Window's administrator account to something, and I quote, "non-obvious." The "DNS Security" section is fairly thorough, mentioning transaction signatures (TSIG) and ACLs. However, split namespace is not mentioned. This is a great security strategy because it protects your "private namespace," not allowing it to leak on to the Internet. A separate namespace should be deployed in the DMZ, resolving names of hosts in the that particular DMZ. The last few chapters cover security policy enforcement, such as logging relevant data, strategically monitoring the network, and isolating

I was pleasantly surprised with ` The Practice of Network Security: Deployment Strategies for Production Environments'. The book is a very good technical overview of the details of network security. While it is technical in nature, it is not so technical as to turn off the average reader. This is a good resource for a manager that needs to understand a security technology, but who does not want to get bogged down in the technical minutia.The book brings together all of the top-level security technologies and products needed to secure a corporate infrastructure. The book covers a lot of ground in its 375 pages and is an excellent starting point for anyone needing a quick and effective introduction to network security.

This book is an excellent reference for anyone involved in the practice of network security. It's comprehensive coverage of a wide array of topics will present any network administrator, architect, or engineer with the information and tools necessary to build a secure, stable environment.In my capacity as a sales engineer for a major hosting provider, I find myself turning to The Practice of Network Security frequently to validate design assumptions. It is written in terms even a beginner can comprehend, yet its information is invaluable to even the most experienced professional. I highly recommend this book to anyone with an interest, professional or otherwise, in building robust, secure networks.

I've read many tomes on the subject of security but they never really get into the details of what really matters, they only touch on the very basic ideas, or they are too detailed about one specific topic and fail to present what is in the real world. Finally Mr. Liska has written the text that brings it all together with an excellent marriage of theory and real world practice.To start, Allan realizes that most network admins are faced with cost-cutting issues and are stuck dealing with management. Allan's dicussions on risk management, cost analysis, and how to "sell" the value of solid network security to the powers that be can be a real eye opener. Make your managers read this stuff. Read it to them yourself.For the more techincal side, there are very solid in depth discussions on the important stuff like routing, switching, general (and spcific) firewall configuration, comparisons of user authentication approaches, VPN techniques from dial-in access to broadband, an excellent chapter dedicated to Wireless protocols and security, and so much more. Nothing is left out.This book is a must have for any serious network or system administrator.

I work at a Wireless ISP, and have recently taken over a position that requires me to be familar with how to secure our ISP's wired network. I bought this book as a guide to help me understand all the different devices and software packages that I needed to focus on.The biggest strength of this book, in my opinion, is the real world networking information and the clear manner in which Liska describes what security risks there are for most network environments and how to make those environments more secure.For example, a lot of network books talk about RIP (Routing Information Protocol - basically a protocol that allows your router to choose the best path to tramsit data) and most of them recommend enabling it in order to have a redundant network. In my experience, none of the books that I've read, except this one, have mentioned that there are fairly big security risks associated with using RIP. This book describes the nature of the security risks as well as the most likely way someone might exploit them, and then offers suggestions on how to either duplicate RIP's functionality in a more secure way or how to make sure RIP is as secure as it can get.Another part of the book that was quite helpful to me was the section on VPN's, something I have no experience with. Liska runs through the different types of VPN's, what the effects are of using VPN's, how to make sure your VPN stays secure, and as he does throughout the book, impresses upon you the importance of good passwords.This is just a small example of two of the many things I learned even on a quick flip through the book. I like this book a great deal because it's crammed full of interesting information that actually applies to my production network that I did not know or even know I had to know. Liska even covers Wireless Networks! As a WISP employee, I can attest to the accuracy of this information, and I would love to see him write more on the subject!In short, I would recommend this book to anyone looking for an informative and clearly written book covering the most pertinent information on all parts of the network, from Human Beings to Switches to Firewalls. I look forward to Allan Liska's next book.