REVIEW: "Fundamentals of Network Security", John E. Canavan
- BKFNNTSC.RVW 20010512
"Fundamentals of Network Security", John E. Canavan, 2001,
%A John E. Canavan canavan@... jcnv@...
%C 685 Canton St., Norwood, MA 02062
%I Artech House/Horizon
%O U$69.00 617-769-9750 fax: 617-769-6334 artech@...
%P 319 p.
%T "Fundamentals of Network Security"

This commonplace guide to security can provide the newcomer with some
basic information. However, it also contains some rather large gaps,
and not a little misinformation.

Chapter one outlines the usual reasons why we need security, and it
also provides some basic security terms and concepts. Most of the
material is reasonable, but some is not quite standard. A number of
different threats are outlined in chapter two. However, errors are
rife in this material, although most are fairly minor. Of the
fourteen mailing lists it is suggested readers might find useful, at
least three have been dead for over a year; at least two of those for
more than three. The overview of cryptology, in chapter three, is at
a very high level, with limited discussion of key management, and
almost none dealing with strength and key length. Chapter four starts
out very badly, by stating that Kerberos uses both symmetric and
asymmetric cryptography. (It doesn't: despite proposals for public
key extensions, Kerberos itself uses a very elegant system of purely
private key encryption to avoid sending passwords and keys in clear
text at any time. Such a basic misunderstanding taints everything
else in the chapter.) World Wide Web encryption is supposed to be the
topic of chapter five. However, after a very terse outline of SSL
(Secure Sockets Layer) and SHTTP (Secure HyperText Transfer Protocol),
and a tiny bit of the missing discussion of key length, we get pages
of screen shots of browser certificates, which are almost meaningless
without the background review. There is also a tiny overview of
Authenticode, with no mention of its flaws. Chapter six presents
something of a grab bag of email related topics, mentioning encryption
systems, spam, identity problems, privacy of employee email, and even
auto-responders. With the addition of more screen shots a number of
pages are taken up with little information imparted.

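The symmetric-only design the reviewer credits Kerberos with is worth seeing concretely, since it is exactly the point the book gets wrong. What follows is an added illustration written for this review page; it is not code from the book, and it is not any real Kerberos implementation. It walks a toy AS exchange (client to KDC) and AP exchange (client to service) in Python using nothing but shared secret keys: the typed password is turned into a long-term key on the client, the KDC only ever answers under keys it already holds, and neither a password nor a long-term key ever crosses the wire. The realm, the principal names, the HMAC-based toy cipher and the PBKDF2 string-to-key function are all assumptions standing in for the real enctypes; the TGT/TGS step, ticket lifetimes and per-message key-usage numbers of real Kerberos are omitted.

```python
import hashlib
import hmac
import json
import os
import secrets
import time

REALM = "EXAMPLE.COM"  # assumed realm, constructed for this demo


def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode; a toy stand-in for a real Kerberos enctype."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key, fields):
    """Encrypt-then-MAC a JSON object; output is nonce || ciphertext || tag."""
    data = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag first, then decrypt; a wrong key shows up as a failed tag."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def string2key(password, principal):
    """Long-term key from password plus salt, as Kerberos' string-to-key does (PBKDF2 here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000)


class KDC:
    """Holds every principal's long-term key; it never sees, stores or sends a password."""

    def __init__(self, keys):
        self.keys = keys

    def as_exchange(self, as_req, preauth):
        ckey = self.keys[as_req["cname"]]
        # PA-ENC-TIMESTAMP: the client proves it knows its key before the KDC answers.
        # Without pre-authentication the AS-REP below could be captured and guessed offline.
        if abs(time.time() - decrypt(ckey, preauth)["timestamp"]) > 300:
            raise ValueError("stale pre-authentication timestamp")
        session_key = secrets.token_hex(32)
        ticket = encrypt(self.keys[as_req["sname"]],
                         {"cname": as_req["cname"], "session_key": session_key})
        enc_part = encrypt(ckey, {"session_key": session_key,
                                  "nonce": as_req["nonce"], "sname": as_req["sname"]})
        return {"ticket": ticket, "enc_part": enc_part}


def run_demo(password="correct horse"):
    """Run the AS and AP exchanges; return who the service authenticated and every byte sent."""
    alice_key = string2key("correct horse", "alice")  # what the KDC has on file for alice
    svc_key = secrets.token_bytes(32)                 # the service's long-term key
    kdc = KDC({"alice": alice_key, "host/files": svc_key})
    wire = []

    # Client: derive the key locally from the typed password; the password never leaves here.
    ckey = string2key(password, "alice")
    nonce = secrets.randbits(32)
    as_req = {"cname": "alice", "sname": "host/files", "nonce": nonce}
    preauth = encrypt(ckey, {"timestamp": time.time()})
    wire += [json.dumps(as_req).encode(), preauth]

    as_rep = kdc.as_exchange(as_req, preauth)  # raises ValueError on a wrong password
    wire += [as_rep["ticket"], as_rep["enc_part"]]
    enc = decrypt(ckey, as_rep["enc_part"])
    if enc["nonce"] != nonce:
        raise ValueError("AS-REP nonce mismatch (replayed reply?)")
    session_key = bytes.fromhex(enc["session_key"])

    # AP-REQ: the ticket (opaque to the client) plus an authenticator under the session key.
    authenticator = encrypt(session_key, {"cname": "alice", "timestamp": time.time()})
    wire += [as_rep["ticket"], authenticator]

    # Service: open the ticket with its own key, then the authenticator with the session key.
    ticket = decrypt(svc_key, as_rep["ticket"])
    auth = decrypt(bytes.fromhex(ticket["session_key"]), authenticator)
    if auth["cname"] != ticket["cname"]:
        raise ValueError("authenticator does not match ticket")
    return {"authenticated_as": ticket["cname"], "wire": wire,
            "secrets": [b"correct horse", alice_key, svc_key]}


def leaks_secrets(result):
    """True if the password or any long-term key appears verbatim in the captured traffic."""
    return any(s in b"".join(result["wire"]) for s in result["secrets"])


def wrong_password_rejected():
    """A wrong password yields a wrong key, so pre-authentication fails at the KDC."""
    try:
        run_demo(password="wrong password")
    except ValueError:
        return True
    return False
```

The only things an eavesdropper collects are the clear-text request, three ciphertexts and an encrypted timestamp; the only asymmetric-looking step, the ticket the client carries but cannot read, is still just a message under a key the client was never given. The pre-authentication step is the practical caveat: with it, an attacker must already know the client key to get a usable AS-REP; without it, the KDC's reply is itself an offline guessing oracle for the user's password.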
Most of chapter seven concentrates on access control and passwords.
The material is reasonable, if not deep, but could be better
organized. So too with the suggested policies for network management
in chapter eight, although the author does seem to think that one set
of recommendations can fit all LANs. Chapter nine's look at network
media does not really deal with security at all, unless you count the
somewhat problematic opinions regarding the relative difficulty of
tapping. There really isn't much discussion of routers and SNMP
(Simple Network Management Protocol) in chapter ten: it concentrates
on a few proprietary products.

Chapter eleven mentions a number of VPN (Virtual Private Network)
related protocols, but gives neither details for assessment nor
conceptual discussions for determining relative usage. There is a
decent overview of basic firewall terms, with some areas of confusion,
in chapter twelve. Chapter thirteen has a basic outline of biometric
concerns, but no details of the technologies. The review of security
policy development in chapter fourteen is pedestrian. Chapter
fifteen, entitled "Auditing, Monitoring, and Intrusion Detection," is
oddly confused since the author makes no distinction between outside
audits and the ongoing auditing of materials that result from regular
monitoring. There is unimaginative advice on disaster recovery in
chapter sixteen. "Cookies, Cache, and AutoComplete" is a strange add-
on: yes, there are security risks associated with these functions, but
they are hardly fundamental to network security.

In the introduction, while stating that this book is intended for
beginners to computer security, the author disclaims the title of
computer security expert, and, in fact, asserts that many who do
profess ace status may not have as much right as they maintain. I can
greatly sympathize with this sentiment. However, simply by writing a
book, Canavan implicitly professes some mastery of the subject, and
the mere abdication of the rank does not relieve him of the
responsibility for his mistakes. There are a number of other texts
with better coverage, greater readability, superior accuracy, and less

copyright Robert M. Slade, 2001 BKFNNTSC.RVW 20010512
rslade@... rslade@... slade@... p1@...
Freebie Mags: http://sun.soci.niu.edu/~rslade/magazine.htm
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade