UKUUG home

UKUUG

(the UK's Unix & Open Systems User Group)

Home

Events

About UKUUG

UKUUG Diary

Membership

Book Discounts

Other Discounts

Mailing lists

Sponsors

Newsletter

Consulting

 


 

Network Security Hacks Andrew Lockhart
Published by O'Reilly Media
ISBN:0-596-00643-8
316 pages
£ 17.50
Published: April 2004
reviewed by Mike Smith
   in the September 2004 issue (pdf), (html)
bookcover  

Those of you who have read my previous reviews on the Hacks series will know that I like the format -- it's a quick reference guide with 100, usually relatively well documented, tips.

I'm not quite as happy with this particular book. A Hack, to me, implies a clever trick -- something unusual, out of the ordinary or innovative. This interpretation is compatible with other books in the series I looked at, such as creating smart addons for eBay, and tips for Servers -- but not really appropriate for security. Security is all about process and methodical control to reduce risk -- so I think the scope for Hacks is limited. I know this is a general statement, so there may be exceptions. One example would be to establish a Port Knocking environment, for instance. This is still relatively new and innovative, with several different ways to implement it. However I didn't spot port knocking being covered.

Some examples of ``Hacks'' here include scanning for suid and sgid programs, group and world writable files, and using sudo. ie General good practice. I could go on (use chroot, for instance)... So these things are not hacks as far as I am concerned. There are some interesting tips though -- its not all bad. I'll to get them later.

The book covers Unix (20 hacks), Windows (10 hacks), Network Security (23), Logging (7), Monitoring (6), Secure Tunnels (15), NIDS (14) and Recovery and Response (5). So the scope for each area is limited.

grsecurity is interesting -- I hadn't come across it. Its a kernel patch with various features -- increasing entropy for the things requiring randomness, and locking down various areas better with ACLs (in both kernel and user space).

The obvious first Windows tip is to use HFNetChk. Also, a tool from sysinternals (who I know of) is recommended, and another from Foundstone (who I didn't) that provides a feature I've always wanted -- displaying network ports and the associated running processes (like lsof on Unix, but not quite as good I suspect). I didn't know about the IP Security Policy Management snap-in for the MMC. This lets you set up firewall rules on the host -- worth knowing, if you have to use Windows in your environment.

In the network section, there is some good stuff. One product is recommended for network scanning -- Nessus, obviously. Also SFS to replace NFS, advice on securing MySQL and BIND and lots of other areas.

On to Logging. There's a tool for forwarding Windows Event Log events to a remote syslog. This helps with consolidation of events in a multi-OS environment. syslog-ng is covered too. Not a lot else: logwatch and swatch.

Monitoring is one of my favourite areas (I wrote a monitoring system years ago, before Big Brother and the commercial frameworks came on the scene -- its still in use today, actually. That's stood the test of time!). The ``Hacks'' here include using Nagios, RRDTool, ntop and argus. These aren't really Hacks, as I discussed at the beginning of this article, just product recommendations and a few screen shots really.

There's a good chapter on tunnelling. One of the other Hacks books (the server one, I think) had some tips on setting up tunnels and similar areas are covered. Large commercial environments tend not to tunnel across the Internet much. I think they should, but they don't -- it's not a question of security (which tunnelling addresses), but of guaranteed availability. Although the Internet infrastructure is resilient, when things do go wrong with something you're relying on, there is rarely compensation. Having ``dedicated'' (hardly anything is dedicated these days, of course) communications infrastructure permits service level agreements to be enforced.

FreeS/WAN is covered -- the final release of FreeS/WAN came out in April and is no longer being developed. So I'm not sure what'll happen in future, or of the wisdom of using it for any long term solution. There are also tips on setting up IPSec on FreeBSD and OpenBSD, PPTP on Windows (but not on other OSs), SSH, stunnel, httptunnel, VTun, OpenVPN and using PPP with SSH.

The Nids section can be summarised by the following list: Snort, ACID, sgutil, SnortCenter, Snort_inline, SnortSam, Oinkmaster, Banyard, honeyd, sebek and writing Snort rules. i.e. (Mostly) Snort, Snort, Snort, Snort, Snort, Snort, Snort! That's a little one-sided perhaps.

There is a short chapter on ``recovery and response'' -- i.e. forensics. Use tripwire and rpm to check for changed filesm and chrootkit to scan for root kits. A good tip (the very last one) is to use geektools for whois lookups. This was from Rob Flickenger -- he gets all over the place! I have has a script awhois.sh that I must have picked up somewhere that does a similar thing -- selects the right nic for a whois query based on the domain or netblock.

Despite my initial reservations, I do again quite like the book. The format isn't quite as appropriate for security, but it does cover a lot of ground (very briefly, obviously) and it provides a good starting point to build on. Alas, nearly as good would be to get the list of contents and simply Google for them (as long as Google is up, unlike what we saw at the end of July!)

Back to reviews list

Tel: 01763 273 475
Fax: 01763 273 255
Web: Webmaster
Queries: Ask Here
Join UKUUG Today!

UKUUG Secretariat
PO BOX 37
Buntingford
Herts
SG9 9UQ
More information

Page last modified 02 Apr 2007
Copyright © 1995-2011 UKUUG Ltd.