«

BKNTSCES.RVW 20031210

"Network Security Essentials", William Stallings, 2000, 0-13-016093-8,
U$48.00/C$75.81
%A William Stallings
%C One Lake St., Upper Saddle River, NJ 07458
%D 2000
%G 0-13-016093-8
%I Prentice Hall
%O U$48.00/C$75.81 201-236-7139 fax: 201-236-7131
%O http://www.amazon.com/exec/obidos/AS...bsladesinterne
http://www.amazon.co.uk/exec/obidos/...bsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASI...bsladesin03-20
%P 366 p.
%T "Network Security Essentials: Applications and Standards"

The existence of this book is a bit odd, particularly in view of the
fact that it shares so much material with Stallings' "Cryptography and
Network Security." The (clear and structured) preface, however,
states that the intent is to provide a practical survey of network
security applications and standards, particularly those in widespread
use. As with the earlier work, this book is intended to serve both as
a textbook for an academic course of study, and as a self-study and
reference guide for practicing professionals. There is reduced detail
in regard to cryptography.

Chapter one is an introduction, and provides a good list of basic
concepts and vocabulary. It may not be completely apparent to all
readers that the emphasis is on threats to data transmissions and
there is limited review of attacks on functioning systems.

Part one deals with cryptography. Chapter two covers symmetric block
ciphers in fundamental but sound terms, illustrated by an explanation
of DES (Data Encryption Standard). The logic is heavily symbolic at
times, but that should not be an impediment to the reader. It is
interesting that chapter three views asymmetric cryptography as an
extension of message authentication codes, but the explanations are
articulate, including both algebraic and numeric examples, although
the numeric illustrations could be fuller.

Part two deals with network security applications. Chapter four looks
at authentication applications, concentrating on Kerberos and X.509.
The examples of email security systems given in chapter five are PGP
(Pretty Good Privacy) and S/MIME (Secure/Multipurpose Internet Mail
Extension). Security provisions for the Internet Protocol (IP) itself
are reviewed in chapter six. Web security, in chapter seven,
discusses SET (Secure Electronic Transaction) and SSL (Secure Sockets
Layer). Chapter eight reviews SNMP (Simple Network Management
Protocol) both in terms of network management for security purposes,
and in regard to cryptography for authentication of the application
itself.

Part four outlines general system security. Intruders and malicious
software are lumped together in chapter nine, with a reasonable
outline of the types of malware, but not dealing as well with viruses
themselves. (Activity Monitors are referred to as "third generation"
tools, when they actually predate both signature scanners ["first
generation"] and heuristics ["second generation"].) Chapter ten
finishes off the book with a description of firewalls, but has a
rather odd inclusion of basic access control and trusted systems.

Each chapter ends with a set of recommended readings and problems.
Many chapters also have appendices giving additional details of
specific topics related to the subject just discussed.

A very reasonable guide, although possibly less practical than it
intended to be.

copyright Robert M. Slade, 2003 BKNTSCES.RVW 20031210

--
======================

"If you do buy a computer, don't turn it on." - Richards' 2nd Law
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
or mirror http://sun.soci.niu.edu/~rslade/
CISSP refs: [Base URL]mnbksccd.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
Security Educ.: http://groups.yahoo.com/group/comseced/
Review mailing list: send mail to techbooks-
or techbooks-

In other words the book is "academic" in nature, and
not realistic in terms of providing actual security on a
network. A new book is being written collectively on
the Internet .. which I would like to recommed to
everybody. It has no title, yet, .. but basically, I can
only describe it in terms of "acceptable losses". Don't
quote me on these figures .. I've been reading too
many sites to be accurate: last year, ebay did 2 billion
dollars in sales. Roughly 21 million was stolen by
spoofing URLs and stealing buyer / seller identities.
Meaning what? Meaning that so-called Internet security
regards financial dealings is a joke !!!!!!!!!!!!!!!!!!!!
For example: If you try to make a VISA payment
through 2Checkout.com, you are likely to get an "address
error - authorization failed: TRY AGAIN" error
message. If you "try again", the error will repeat as
many times as you "try again". Unknown to you, those
VISA payments are actually going through to VISA,
and potentially to an off-shore client. If you don't catch
it in time either: VISA eats it. You get your card canceled.
Ebay does a "charge back" to a seller who is not in-
country ( fat chance ). Or, possibly, it was a spoof site,
and the crook is gone ... many possibilities. This kind
of Social Engineering is ingenious, and all this academic
talk about network security is just silly. Oh .. and if you
call the FEDS about getting ripped off ... there will be
this great silence coming back in the form of a canned
reply suggesting that you "try again". HTML is not spoof
proof at all. Web pages that look like legit sites are
easy to create .. including all the crap about "secure"
connections, and anybody can fall for the con ... including
professionals working inside a so-called secure network
who respond to a link in an email from "the boss" ... the
link sending them to the "bosses" web page where they
give up the shop. The Courts and the big companies
are moving fast to "weasel word" what they do, and
run from potentially about 200,000 lawsuits against
ebay alone ( that is how many hits I got when I googled
"ebay fraud" ). Ebay now claims that they are not
"auctioneers", so it is not their fault

johns

Correction: make that "acceptable loss" $48 billion
according to the Federal Trade Commission. That
is everybody I guess. Meaning what? Meaning that
you "security experts" have not a clue !!!!!

johns

In article <c6p1lo$jie$>,
johns <> wrote:
:Correction: make that "acceptable loss" $48 billion
:according to the Federal Trade Commission. That
:is everybody I guess. Meaning what? Meaning that
:you "security experts" have not a clue !!!!!

Oh, some of us have a clue or three.

I don't do any business on ebay, so the possibility of my being ripped
off by ebay's security is zero. No-one can fake my credit card information
into some ebay any other electronic service, or copy my credit card
info in the back room of some restaurant, because I don't have any
credit cards at all. No-one can secretly record the PIN on my ATM
or debit cards, because I don't have any of those either.

I do my banking in person, at the branch my account is at, and each
time a teller does not recognize me, the teller looks up my signature
on file: even if the teller has seen me there before and knows my
face but has not -personally- looked up my signature before, they take
the time to look it up. I never -ever- complain about the "delay"
because the checking tells me that they are taking the time to ensure
that my money is kept secure.

My bank account uses a passbook, which I regularily update, and each
time I get it updated, I examine it for unexpected transactions or
strange codes, and I question everything that I don't expect.

No-one can use my SSN to for identity fraud, because I don't have
an SSN In Canada, you are only required by law to give the equivilent
number for a small number of purposes directly related to taxes,
and any business that asks for my number as a form of ID will not
be given it -- even if it means that I have to take my business elsewhere.

Oh, and no-one can use my driver's license for identity fraud either:
I don't have one of those either.


My point here is not something arcane such as "all those things are Evil":
my point is that security is about controlling risks, and some of us have
the sense to control those risks that are under our control. The mechanisms
that I use to control personal risks have associated costs and benefits,
and I fully respect anyone who takes the time to evaluate the costs
and benefits as would apply to their situation and comes up with different
choices as to what is acceptable to them and what is not.

Risks such as that someone might have their paypal password phished from
them are NOT under my control. That doesn't mean that I "have not a clue":
it means that I do not have a martyr complex that leaves me feeling
responsible for righting all the wrongs in the electronic world.
**** happens, and I do NOT accept the guilt or worthlessness that you
would dump on me for my not having come up with mathematical or
electronic solutions to social problems that have existed for all of
known history.
--
Entropy is the logarithm of probability -- Boltzmann

johns wrote:
> Correction: make that "acceptable loss" $48 billion
> according to the Federal Trade Commission. That
> is everybody I guess. Meaning what? Meaning that
> you "security experts" have not a clue !!!!!
>
> johns
>

More likely it means the business analysts who designed and
implemented these fiascos don't have a clue --- the buesiness designs
and business cases behind the implementations ar faulty to begin with.

The internet was never designed or meant to be a robust business
deliver medium. Security experts have been telling comapnies for many
years that the internet is a pooor choice for implementing critical
systems -- but the bean counters and the trendy-know-nothing-IT-masses
have all fallen for the hype and charged headlong witghout a clue or
care...

Place the blame where it belongs -- faulty application designs,
clueless programmers and business analysts... we security people have
been telling them for ages what the problems -- and solutions -- are,
but no one wants to listen....

Clearly, you are a genius! I think you have the only
solution to the problem there is. I'm thinking about
becoming a Mormon rabbit farmer, and moving to
the jungle.

johns

The FTC is blaming its BOSS. That guy is stonewalling
spam legislation, and seems to actually like getting all
the email from vendors ... read about it on ZDNET
just this morning ??????????

johns

"johns" <> wrote in message
news:c6orlm$hth$...

<snip>

eBay != the entire Internet

USA != the entire world

--

Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!

I am totally green on the subject of network security and want to know
whether this book will really give me the basic concepts.
Who knows whether it does?





----------------------------------------------------------------------
Find out about your true character at http://www.testmypersonality.com



(Rob Slade, doting grandpa of Ryan and Trevor) wrote in message news:<8fQjc.361$>...
> BKNTSCES.RVW 20031210
>
> "Network Security Essentials", William Stallings, 2000, 0-13-016093-8,
> U$48.00/C$75.81
> %A William Stallings
> %C One Lake St., Upper Saddle River, NJ 07458
> %D 2000
> %G 0-13-016093-8
> %I Prentice Hall
> %O U$48.00/C$75.81 201-236-7139 fax: 201-236-7131
> %O http://www.amazon.com/exec/obidos/AS...bsladesinterne
> http://www.amazon.co.uk/exec/obidos/...bsladesinte-21
> %O http://www.amazon.ca/exec/obidos/ASI...bsladesin03-20
> %P 366 p.
> %T "Network Security Essentials: Applications and Standards"
>
> The existence of this book is a bit odd, particularly in view of the
> fact that it shares so much material with Stallings' "Cryptography and
> Network Security." The (clear and structured) preface, however,
> states that the intent is to provide a practical survey of network
> security applications and standards, particularly those in widespread
> use. As with the earlier work, this book is intended to serve both as
> a textbook for an academic course of study, and as a self-study and
> reference guide for practicing professionals. There is reduced detail
> in regard to cryptography.
>
> Chapter one is an introduction, and provides a good list of basic
> concepts and vocabulary. It may not be completely apparent to all
> readers that the emphasis is on threats to data transmissions and
> there is limited review of attacks on functioning systems.
>
> Part one deals with cryptography. Chapter two covers symmetric block
> ciphers in fundamental but sound terms, illustrated by an explanation
> of DES (Data Encryption Standard). The logic is heavily symbolic at
> times, but that should not be an impediment to the reader. It is
> interesting that chapter three views asymmetric cryptography as an
> extension of message authentication codes, but the explanations are
> articulate, including both algebraic and numeric examples, although
> the numeric illustrations could be fuller.
>
> Part two deals with network security applications. Chapter four looks
> at authentication applications, concentrating on Kerberos and X.509.
> The examples of email security systems given in chapter five are PGP
> (Pretty Good Privacy) and S/MIME (Secure/Multipurpose Internet Mail
> Extension). Security provisions for the Internet Protocol (IP) itself
> are reviewed in chapter six. Web security, in chapter seven,
> discusses SET (Secure Electronic Transaction) and SSL (Secure Sockets
> Layer). Chapter eight reviews SNMP (Simple Network Management
> Protocol) both in terms of network management for security purposes,
> and in regard to cryptography for authentication of the application
> itself.
>
> Part four outlines general system security. Intruders and malicious
> software are lumped together in chapter nine, with a reasonable
> outline of the types of malware, but not dealing as well with viruses
> themselves. (Activity Monitors are referred to as "third generation"
> tools, when they actually predate both signature scanners ["first
> generation"] and heuristics ["second generation"].) Chapter ten
> finishes off the book with a description of firewalls, but has a
> rather odd inclusion of basic access control and trusted systems.
>
> Each chapter ends with a set of recommended readings and problems.
> Many chapters also have appendices giving additional details of
> specific topics related to the subject just discussed.
>
> A very reasonable guide, although possibly less practical than it
> intended to be.
>
> copyright Robert M. Slade, 2003 BKNTSCES.RVW 20031210
>
> --
> ======================
>
> "If you do buy a computer, don't turn it on." - Richards' 2nd Law
> ============= for back issues:
> [Base URL] site http://victoria.tc.ca/techrev/
> or mirror http://sun.soci.niu.edu/~rslade/
> CISSP refs: [Base URL]mnbksccd.htm
> Security Dict.: [Base URL]secgloss.htm
> Security Educ.: [Base URL]comseced.htm
> Book reviews: [Base URL]mnbk.htm
> [Base URL]review.htm
> Partial/recent: http://groups.yahoo.com/group/techbooks/
> Security Educ.: http://groups.yahoo.com/group/comseced/
> Review mailing list: send mail to techbooks-
> or techbooks-

(John) writes:

> I am totally green on the subject of network security and want to know
> whether this book will really give me the basic concepts.
> Who knows whether it does?

It covers some nice concepts. I like the taxonomy he uses to describe
classes of vulnerability. But it depends on what you are looking
for. No single book will help. It won't help you close holes, for instance.

--
Sending unsolicited commercial e-mail to this account incurs a fee of
$500 per message, and acknowledges the legality of this contract.