Inside Network Perimeter Security [Englisch] [Taschenbuch]

This review is for the 2nd edition of this book.

"Inside Network Perimeter Security" (INPS) by Northcutt, Zeltser, Winters, Kent, and Ritchey suitably covers the broad topic of securing a network's edge. The book is based, on part, from various SANS Institute training material (Northcutt is the CEO of the SANS Institute). Most of the items documented in INPS are honed from years of discussions in classes (and is mentioned an `excellent supplementary resource" for the GIAC Certified Firewall Analyst (GCFW)).

The book first focuses on perimeter fundamentals - including dedicating about 100 pages to the three main types of firewalls (Packet, Stateful & Proxy). The second section discusses how to fortify other areas of the perimeter - by implementing hardened routers and hosts, VPNs, IDSs, and IPS. The third section discusses designing a secure perimeter from the ground up (consider it best practices). This includes a much-needed chapter on wireless security. The last section is how to monitor and maintain the perimeter.

It is hard to characterize who this book should be aimed at. While configurations examples are given for many different platforms and OSs, the configs cannot be considered complete. I feel this book would serve network admins well as a starting point and as introduction to concepts that they might not be familiar with.

Some items I like from Inside Network Perimeter Security:

-Chapter 6 gives a great discussion on Cisco routers. What really impresses me is, since the documentation is from someone besides CiscoPress, you get an idea of other ways to harden Cisco routers (see the telnet trick on page 142). The first appendix also gives a great collection of different ACLs (consider it an update of the NSA's list). I have over 50 CiscoPress books, and information found in these 2 chapters I have not seen documented in any CiscoPress book.

-Chapter 21 provides a `quick' list of tools to use to help troubleshoot and isolate an issue. While there are some great books that are wholly dedicated to showing the ins-and-outs of different tools, sometimes you can't see the trees through the forest. Within just a few short pages, INPS is able to suggest a plethora of different tools to use based upon the issue.

The book mentions that it's goal "...is to create a practical guide for designing, deploying, and maintaining a real-world network security perimeter." I believe they have done just that!

I give this book 5 pings out of 5:
!!!!!

The authors provide a nicely detailed explanation of current network defenses and practises. Each major topic in this field is well covered. Firewalls and packet filtering are clearly done. The preferred choice of example router is from Cisco. But the principles are obviously applicable to devices from any competing vendor.

The book also recommends egress filtering; which is not often discussed in other texts. It helps guard against your net being used to send out malware. This helps the overall environment of the Internet. Moreover, there is also a tangible benefit to you. By doing egress checks, you can detect if one of your machines has been subverted. Which is always good to know.

VPNs are given an entire chapter, due to their importance. The book also goes beyond talking about Intrusion Detection Systems to discuss Intrusion Prevention Systems. More proactive.

To some sysadmins, the most important chapter might be that on wireless networks. As these have grown hugely, so too have the attacks against them. You can learn how to bolt down your wireless network.

I first looked at Inside Network Perimeter Security, 2nd Ed (INPS:2E) for my blog, in May 2005. I decided to try reading it this week because I've been reading books on related topics. Individually, the INPS:2E authors largely know their craft. Unfortunately, the book is so poorly organized and diffused that I don't know why other reviewers rate it so highly. Furthermore, the choice of material covered and certain recommendations drag the book down. A third edition might be promising, but I recommend avoiding INPS:2E.

On the macro level, I question the ordering of the book's parts. It's best to lead with definitions, policy, and design, but that doesn't happen here. Part I is mostly about firewalls, with a chapter about policy at the end (Ch 5). Fundamentals of Secure Perimeter Design (Ch 12) appears in Part III (Designing a Secure Network Perimeter). Another design chapter (Ch 23) pops up in Part IV. This makes no sense. The book should have been divided into Theory / Implementation / Processes or some other rational system, with all related material in the proper place.

For example, the operation of FTP (control vs data channels, active vs passive FTP, etc.) is separated into three chapters (2, 3, and 4). FTP should have been explained early in one place, then referenced later. Host IPS appears as part of Ch 11, when it should have been in Ch 10 (Host Defense Components). VPNs appear in Ch 7 and again in Ch 16. TCP state is explained in Ch 3 (Stateful Firewalls), when it should have been covered in Ch 2 (Packeting Filtering) or in a different and earlier section. Yet another firewall -- Pf -- isn't shown until Ch 10 (which covers host defense). Ch 6 (The Role of a Router) covers routers, but Ch 2 mostly covered using routers for filtering.

Beyond organization, the book's choice of technical material is sometimes questionable. INPS:2E spends a good deal of time on reflexive ACLs, even though Cisco recommends using CBAC instead. INPS:2E mentions CBAC but gives no implementation details. Worse, the extrusion RACL suggestion on p 51 allows outbound FTP control (port 21 TCP) but makes no provision for FTP data channels. Ch 19 promotes the virtues of Big Brother, a monitoring tool that's been declining for years since its acquisition. Nagios should have been covered instead. When I also see discussions of IPChains (Ch 2) and FWTK (Ch 4), I question the relevancy of the text.

Despite these problems, most of the book's technical recommendations are sound. I found fault with a few suggestions, e.g. "a good way to improve security is to disable SSID broadcasts on all wireless access points" (p 364). I did like the tip on changing Windows MAC addresses on p 365.

If a third edition is planned, I would like to see a ground-up rewrite. A lead author should plan the chapters of the book, including a rough outline of each chapter's contents. Experts can work within that framework, and then have the lead author edit for consistency and coherency. As it stands, INPS:2E reads more like a collection of disparate thoughts loosely bound by a network security theme. If the existing material was rewritten with clarity and structure in mind, the book would probably be 350-400 pages (not 660).

Richard Deal's Cisco Router Firewall Security, while Cisco-centric, is a better book on this subject. The older Security Sage's Guide to Hardening the Network Infrastructure is helpful. Sean Convery's Network Security Architectures might be the best of all.