
IEEE DISTRIBUTED SYSTEMS ONLINE 1541-4922 2005 Published by the IEEE Computer Society Vol. 6, No. 5; May 2005

Editor: Marcin Paprzycki, http://www.cs.okstate.edu/%7Emarcin/

Book Reviews: Sensible Network Protection


Antonio Izquierdo Manzanares, Carlos III University of Madrid

Network Perimeter Security: Building Defense In-Depth

By Cliff Riggs. 410 pages. US$79.95. CRC Press, 2004. ISBN: 0-8493-1628-6

In recent years, concerns about computer security in general and network security in particular have become more and more relevant. Network administrators have grown increasingly insecure with the news and sometimes their personal experiences of virus propagations that shut down networks, black hats that posted confidential information on Web servers, and many other publicly known attacks.

The solution Network Perimeter Security proposes to protect our assets focuses on defining and implementing security policy development instead of relying on often-improvised technological patches. So, the book's primary audience is the administrator who must deal with technology, devices, and users on one side and managers, budgets, and network responsibilities on the other. The book doesn't explain the internals of cryptography, firewalls, or virtual private networks in detail; anyone looking for an in-depth analysis of these techniques and mechanisms should head for specialized resources. Given its subject, the book recommends some networking background (mainly TCP/IP), although one chapter reviews network concepts and protocols.

This book addresses a major problem of trying to protect a medium- or large-sized network: how can a computer-literate network administrator talk about security with a business-oriented manager who has minor computer skills? Cliff Riggs provides a basic methodology, with examples and alternatives, to achieve this task.

Riggs' methodology is clear and straightforward. He starts with an approach for translating concerns to the management level (such as, translating "the company depends on information" to "if we don't protect our information, the company will lose money"). Implementation and documentation follow, with good explanations of what to reflect in each document, ending with a revision plan.

Network Perimeter Security talks about technologies (eight of the 16 chapters are about security technology), but it doesn't explain ciphers' mathematical background. Riggs approaches all technologies as disposable tools, so we must answer the questions, "How can I use them?" and "If I have to choose (because of budget or other constraints), which should I choose?" To answer these questions, the book gives generic background information that we might need to support our decision. However, this information is by no means a detailed study of the technology or an implementation guide for any device or software.

The main drawback is the book's organization. Riggs professes to support security policies' schemas by relating technologies that we can use and ending the book with other important aspects of the policies, such as penetration tests, incident response, and continuity plans. However, the technologies account for about two-thirds of the book, so by the final chapters, I had forgotten what Riggs said in the beginning about the policies. Similarly, the chapter about the network stack and its security mixes its discussion about each protocol with security considerations and attacks. This structure creates many references to previous and following subsections, resulting in a confusing read.

Conclusion
The book's interesting approach to designing security from a management viewpoint could help many people, especially network administrators and those looking for a security technologies overview. It could even be adequate for an introductory computer-security course. Its approach isn't well-suited for readers looking for a description of security tools or detailed information about specific technologies. If you decide to read it, my suggestion is to skip the technology-related chapters (three through 11) and read them only after you've reviewed the rest of the book.

Antonio Izquierdo Manzanares is a PhD student and a graduate assistant in the Computer Science Department of the Carlos III University of Madrid. Contact him at antonio.izquierdo@uc3m.es.

Cite this article: Antonio Izquierdo Manzanares, "Sensible Network Protection," IEEE Distributed Systems Online, vol. 6, no. 5, 2005.
