Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Books Media Security Book Reviews

Assessing Network Security 89

Anton Chuvakin writes "I've read some pretty bad books on penetration testing; till now, nobody seemed to get this fun subject right! Good news - this time somebody did. Assessing Network Security comes to us direct from the bunkers of Redmond. Written by three Microsoft security researchers, the book provides a great overview as well as an in-depth coverage of assessing security via penetration testing ('pentesting'), scanning, IT audit and other means." Read on for the rest of Chuvakin's review of the book.
Assessing Network Security
author Ben Smith, David LeBlanc, Kevin Lam
pages 592
publisher Microsoft Press
rating 8/10
reviewer Anton Chuvakin
ISBN 0735620334
summary Great pentesting book

Assessing Network Security starts with a nice overview of key principles of security (definitely not news for industry practitioners, but nice anyway), and then goes on to defines vulnerability assessment, penetration testing and security audit. A critically important section on reporting the findings is also nicely written, and shows that the authors are knowledgeable, and interested in showing a complete security process rather than just the looking-for-leaks part.

The authors then go into developing and maintaining pentesting skills, including advice on choosing training and resources (nice for those starting in the field). The actual pentesting process is split into non-intrusive (combining the usual "intelligence gathering" with port scans, sweeps and various host queries) and intrusive tests (such as running a vulnerability scanner, brute-forcing passwords, DoS testing and others). Some entries seem to belong in both categories (such as sniffing) but are placed into the intrusive section, for whatever reason. Up-to-date content (wireless, Bluetooth and web assessment, for instance) is well represented.

The authors also include a fairly insightful social engineering testing section (touching on dumpster diving and other non-network assessment methods). My favorite chapter was the one presenting various case studies - examples of specific threats/tests against Web, email, VPN and domain controller systems.

Among other features that I liked in Assessing Network Security were 'notes from the field' sidebars with fun stories related by authors, and FAQs at the end of each section. On the down side, the book is somewhat Windows-focused (although it is amazingly vendor-neutral in most respects, considering the source). The book is also somewhat dry, although the sidebars provide some needed relief when the text gets too process-oriented at times.

Assessing Network Security is largely about methodology, but I'd have preferred to see a bit more technical content, since it is a 600-page volume. I think the checklists present in the Appendix are a great step in that direction.

Overall, I enjoyed the book and think it is both a great guide and a reference for most security professionals, especially for those starting to be involved with penetration testing.

Anton Chuvakin, Ph.D., GCIA, GCIH is a Security Strategist with a security information management company and maintains the security portal info-secure.org. He wrote Security Warrior and contributed to Know Your Enemy, 2nd Edition . You can purchase Assessing Network Security from bn.com. Slashdot welcomes readers' book reviews. To see your own review here, carefully read the book review guidelines, then visit the submission page.

This discussion has been archived. No new comments can be posted.

Assessing Network Security

Comments Filter:
  • by Anonymous Coward on Tuesday November 02, 2004 @04:42PM (#10704479)
    They work at MS?!?!? what's the world coming to????
  • by fembots ( 753724 ) on Tuesday November 02, 2004 @04:43PM (#10704497) Homepage
    I've read some pretty bad books on penetration testing; till now, nobody seemed to get this fun subject right!

    What about Kama Sutra?

    Seriously though, this book is written by three Microsoft security researchers, I guess that said enough.

    Is this a case of do as we say, not as we do.
    • by rastakid ( 648791 ) on Tuesday November 02, 2004 @04:54PM (#10704636) Homepage Journal
      Seriously though, this book is written by three Microsoft security researchers, I guess that said enough.

      Assumption is the mother of all fuck-ups. You consider the security researchers incompetent because they are (or were) part of the Microsoft team?
      So, because some Linux kernel coders make mistakes which lead to 'r00t3d' boxes, all Linux kernel coders are incompetent?
      I think you're thinking a little bit simplistic here.
      • by prisoner-of-enigma ( 535770 ) on Tuesday November 02, 2004 @05:12PM (#10704851) Homepage
        I think you're thinking a little bit simplistic here.

        No, I think he's being a lot simplistic here, but that's just part of the larger mindset of Slashdot. "Linux GOOD! Microsoft BAD!" It's become the sheep's favorite thing to say during intense meetings on this Animal Farm we call Slashdot. You can lead a zealot to the truth, but you cannot make him think.
      • No kidding. I like MS jokes/digs/etc. as much as the next guy, but one of the best programmers I know works for Microsoft R&D. The guy is truly insane. In college he single-handedly won like 3 categories in a regional ACM sponsored programming contest.
      • "Researchers" (Score:3, Interesting)

        You consider the security researchers incompetent because they are (or were) part of the Microsoft team?

        Giving credit where credit is due, Microsoft has put together an awesome team of researchers in many areas, including security. The list of people who work for MSR is a who's who of CS. The problem is that these guys ain't them. They might have a lot of practical knowledge about how to make Windows secure (and practical knowledge is often the best kind...) but I'm not sure I'd call them researchers

    • Re:What about... (Score:2, Informative)

      by devitto ( 230479 )
      Actually Microsoft have done some VERY GOOD security books. I guess the MS coders can't read :-)

      One of the first security books I read (1985 - 19.5 years ago) is Microsoft Press:
      "Out of the Inner Circle" by Bill Landreth
      ( http://www.amazon.com/exec/obidos/tg/detail/-/091 4 845365/qid=1099435817/sr=1-1/ref=sr_1_1/103-306444 7-0498204?v=glance&s=books )

      It's still definitive at cataloging the diffeent ""hacker"" personalities and motives.
    • Actually Microsoft have done some VERY GOOD security books. I guess the MS coders can't read :-)

      One of the first security books I read (1985 - 19.5 years ago) is Microsoft Press:
      "Out of the Inner Circle" by Bill Landreth

      http://www.amazon.com/exec/obidos/tg/detail/-/0914 845365/qid=1099435817/sr=1-1/ref=sr_1_1/103-306444 7-0498204?v=glance&s=books [amazon.com]

      It's still definitive at cataluging the diffeent ""hacker"" personalities and motives.
    • the answer is: stay completely disconnected
      from the Internet!

      How can that sentence possibly be finessed
      into something as big as a book?
    • Microsoft Press traditionally has, in my experience, been very knowledgable and extremely clear in their writings.

      They're in the business of selling references...biased references are good for almost nothing.
  • by Sensible Clod ( 771142 ) on Tuesday November 02, 2004 @04:43PM (#10704501) Homepage
    put this kind of effort into securing their software.
  • by grub ( 11606 ) <slashdot@grub.net> on Tuesday November 02, 2004 @04:43PM (#10704503) Homepage Journal

    "I've read some pretty bad books on penetration testing [...] Assessing Network Security comes to us direct from the bunkers of Redmond."

    Nah, too easy.
  • by Anonymous Coward on Tuesday November 02, 2004 @04:44PM (#10704519)
    What is an oxymoron, Alex.
  • by LiquidMind ( 150126 ) on Tuesday November 02, 2004 @04:45PM (#10704531)
    "...via penetration testing..."

    remember guys, often times computers are like women.

    this is not one of them
  • @microsoft.com (Score:4, Informative)

    by anandpur ( 303114 ) on Tuesday November 02, 2004 @04:45PM (#10704536)
    Kevin Lam [msdn.com],
    Ben Smith [winnetmag.com],
    David LeBlanc [winnetmag.com]
  • "...On the down side, the book is somewhat Windows-focused..."

    Why am I not surprised? :)

    • Re:Windows (Score:1, Insightful)

      by Anonymous Coward
      "...On the down side, the book is somewhat Windows-focused..."

      Not to be an ass, but so are most computers.
  • by Anonymous Coward on Tuesday November 02, 2004 @04:48PM (#10704563)
    flamebait
    Wouldn't that be sort of like George Bush writing an english book?
    /flamebait
  • 'somewhat dry' (Score:5, Insightful)

    by Dr.Knackerator ( 755466 ) on Tuesday November 02, 2004 @04:49PM (#10704577) Journal
    is that a euphamism for 'the most boring book to hit the world since Inside OLE2?'

    I never got more than a quarter of the way through that, i fell asleep every time i tried to pick it up.

    i saw internal MS OLE training i saw Kraig Brockshmit did back in about 95 - jesus it was boring. we are talking boredom in an entirely new area of bordem till then undiscovered by man
    • Good Lord I thought I was the only person who purchased that book...

      I almost feel bad for whoever ended up with it when I traded it in at the used book store.

      • i got it dirt cheap as i used to work at MS. I met KB at what i think was the first MSJ conference in the UK (cambridge? there was a company doing demos of VR headsets there).

        Pretzel, sorry Petzold was there too and it was only then that i realised that those pics of a windows tatoo on him arm were true
  • by lNxUnDeRdOg ( 825794 ) on Tuesday November 02, 2004 @04:51PM (#10704601) Journal
    Maybe I'm missing something, but when did M$ OS become a network OS? I haven't seen any winblows routers or switches? The book should be Windows Penetration testing, and to fix that problem, just press the off button. I get sick and tired of hearing M@ included in the same sentence as network. It's a stinking OS, not a router. M@ couldn't compete with Cisco, Juniper, etc...
    • M@ couldn't compete with Cisco, Juniper, etc...

      You know, funny you should say that. I had a PII-450 with 3x 3Com NICs running RRAS (Routing and Remote Access) on Win2K that I was using for an internal router for 3 different subnets for over 2 and a half years. It was shuttling the data between the subnets with virtually no latency and I never had any down time. Literally just set it and forget it. One of the few times I was seriously impressed by MS
      • hmmm....that's fine for a little network, but when you have 1000 users it wouldn't work....Honestly we have had to reboot our NT systems once a month just so they don't get flakey. If Windows is not actually writting data to the harddrives then it's probably a good OS...
        • by jeffy210 ( 214759 ) on Tuesday November 02, 2004 @05:07PM (#10704804)
          And it wasn't. Apperantly the drive crapped out a long time ago, and everything was running from memory. Btw the time I had to reboot it, the system wouldn't come back up. Finally got the company to cough up the money to get a Catalyst 3550 to replace it.
          • How the fuck did my post get modded "Informative" ?!?!?
            • Informative, yes. (Best laugh I've had this month;)

              Informative anecdotal evidence to "If Windows is not actually writting data to the harddrives then it's probably a good OS..."

              If the OS does what you want it to do it is a good OS.
              If the OS does what it wants to do it is a bad OS.

              It is possible for Windows to behave like a good OS.

              In terms of writing to disk, standard instructions to our users is that if the system starts acting funny, do not log off, do not go through the normal shutdown sequence, do n
        • Honestly we have had to reboot our NT systems once a month just so they don't get flakey

          Then the people maintaining them are incompetent. They need to get some training, do some reasearch, and determine the root cause of the instability.

          If they have no time or budget because upper management is incompetent, then they have my sympathy.

          A properly configured and maintained NT system can be as stable as any other NOS. I have run NT systems with no unscheduled downtime for years.

          CAVEAT: If you're really

    • I migrated a Fortune500 division off OS/2 to NT4. At that same time, we connected to the 'net on a dedicated T1. I had submitted a request and proposal for a Raptor/NT4.0 based firewall on Compaq hardware (around $15,000). I didn't have time to wait as committees batted it back and forth not understanding the 'Internet' or what we were doing with it. I didn't have time to play corporate bureacracy. I grabbed an old 486 off the shelf and threw 2 token ring cards and an ethernet card in it. I put Linux on
  • by Anonymous Coward on Tuesday November 02, 2004 @04:53PM (#10704622)
    A beta version of the book was leaked to the internet a year ago.
  • by Jacco de Leeuw ( 4646 ) on Tuesday November 02, 2004 @04:54PM (#10704640) Homepage
    "Written by three Microsoft security researchers, the book provides a great overview as well as an in-depth coverage of assessing security via penetration testing."

    From the referenced BN page [barnesandnoble.com]:

    "I have been fascinated by leadership dynamics throughout my working career. [...] A concern is that we often get to hear the same leadership issues over and over again, yet leaders continue to lead with mediocrity and passiveness".

    His Billness will not take this lightly! These guys can kiss their jobs at Microsoft Research goodbye! :-)

  • by DenDave ( 700621 ) on Tuesday November 02, 2004 @04:54PM (#10704641)
    Being relitvely novice at network security I only have an extremely humble opinion but at the same time I must say that Mr. Chavaukin strikes me to be an extremeley adept man on this subject. Having just finished the Security Warrior I have learned a lot and I find his (and his co-author Mr. Pekari) insights and information to be extremely astute.
    No, I will take no grain of salt regarding his comments about the book in question, untill I have achieved a decent status in the matter I will refer to Mr. Chavaukin's comments eagerly!

  • by Anonymous Coward on Tuesday November 02, 2004 @05:10PM (#10704840)
    Stewie: "Does anyone else smell astroglide?"
  • that from the city of the fallen, True believers come ?
  • First, one takes all relevant MS security bulletins.
    Next one invent some text around it.
    Publish it and makes people pay for it.
    So you make money from you're mistakes.

    Funny:
    I doubt most hackers who contributed to this masterpiece will ever see a paycheck. Probably they are mention in the hall of shame. (As ought to be)

    Seriously, this might be a good book.
  • by jthayden ( 811997 )
    M$ is the best source ever on security. After all they've made all the mistakes and created all the holes. Who else would know it better?
  • by Anonymous Coward on Tuesday November 02, 2004 @05:28PM (#10705022)
    With all these folks pointing out the funny irony of all this, I'm here with what I think are valid questions --

    What's up with creating an inherently insecure system and selling a book on security? Shouldn't they use that same advice to create better products? Almost like the conspiracy theory of making someone ill and then selling them the cure.

    Maybe the book brings up interesting points and great ideas...but it's like asking me to believe everything Baghdad Bob said.
  • by erucsbo ( 627371 ) on Tuesday November 02, 2004 @05:32PM (#10705068)
    Ben Smith (one of the authors) is also actively involved in Microsoft's private trainer newsgroups, and has always been a good source of information for security related questions that are way, way out of what "the theory" is normally limited to.
    The utility of the book comes from not just spreading the word about security, but having to do so in forums and formats that require it to be relevant, useable and correct.
    As a security consultant and trainer myself I can attest to the gap between theory and practice and the need to put security issues in to terms that are able to be applied in the real world.
    Comments above that assume that just because someone works for Microsoft, they don't know how things work in reality are generalisations made out of ignorance or jealousy. This book is a good example that the truth about Microsoft employees, like security, is often misunderstood.
  • oh christ (Score:1, Flamebait)

    by painehope ( 580569 )
    someone posted story w/ the words "penetration" and "testing" following each other on /., that's like saying it in front a bunch of 15 year old boys.

    Wait a minute...
  • by nurb432 ( 527695 ) on Tuesday November 02, 2004 @07:00PM (#10705897) Homepage Journal
    Most are actually quite intelligent, and like the money and perks you get when working for the best funded company on the planet..

    I bet a lot of them do great work FOR the company, but its caught up and diluted by the much larger 'machine' that makes Microsoft go..
  • by robbyt ( 528845 ) on Tuesday November 02, 2004 @07:28PM (#10706135)
    it's really too bad that microsoft classified port scanning tools (nmap) as "attack tools."
    http://seclists.org/lists/nmap-hackers/2004/Jul-Se p/0002.html [seclists.org]
    • Yeah - I've always wondered about things like this. In a company as large as Microsoft, they must have *many* security experts, in turn with many different views. I imagine they have a lot of infighting when decisions like this are made. Perhaps explains some of the inconsistency in their security initiatives over time. Also, I think most of the changes in SP2 were made to protect the home user - port scans can be quite useful for sys admins, but stopping home PCs from using raw sockets will probably stem
      • Yeah - I've always wondered about things like this. In a company as large as Microsoft, they must have *many* security experts, in turn with many different views. I imagine they have a lot of infighting when decisions like this are made.

        Ben Smith has had the same kind of problems with buy-in at Microsoft that you'd expect at any very large company. As with Windows, Office, IE code, etc. - just because they have some of the best security experts in the world working there doesn't mean that all of their re

  • Open source tools? (Score:3, Interesting)

    by Earlybird ( 56426 ) <slashdot&purefiction,net> on Tuesday November 02, 2004 @07:46PM (#10706254) Homepage
    This reminds of a question I've been pondering lately, which I believe would be on topic.

    I have a box on a public IP -- speaking as a person who cannot devote 24/7 to security, are there any good automated tools to verify its "openness" in terms of security vulnerabilities?

    I'm not talking about just potential root exploits and the like, but also about things like file permissions, which I find are hard to get exactly right on Unix (read: Linux with no special ACL stuff installed), where the file system does not support inheritance of security attributes.

    Many Linux distros come with a script that's run nightly to report potential vulnerabilities, changed files etc. There are also tools like Snort and Tripwire. I also use Munin and check it daily for signs of DOS attacks and other suspicious activity (eg., a sudden increase in the number of listening ports).

    What other automated tools do people here recommend?

You know you've landed gear-up when it takes full power to taxi.

Working...