Open-Node.net - Security Blog

November 22, 2005

A review on Practical UNIX and Internet Security

The book “Practical UNIX and Internet Security” written by Gene Spafford and Simson Garfinkel , is one of the most effective and comprehensive books on information security ever, and maybe one of the most famous too, this review is based on the 2nd edition which was published in 1996 but is nevertheless still valid and impressive, the book is currently in the 3rd edition, but as apparent from the table of contents published at O’reilly’s web site, it’s hasn’t evolved much.

Gene Spafford is one of the most respectable information security authors ever, no one can forget his analysis of the internet worm, or his other books*.

This book takes the responsibility to clarify security concepts and advise best security practices especially related to the UNIX platform and the Internet.

The book is pretty huge, containing exactly 1004 pages split in 7 Parts, the first being an introduction to Computer Security, ,and the last being a collection of nice appendixes.

Part 2 contains some clarifications of widely used concepts like cryptography concepts, filesystem concepts and the concepts of users and groups in the UNIX platforms.

Part II: User Responsibilities

Chapter 3: Users and Passwords
Chapter 4: Users, Groups, and the Superuser
Chapter 5: The UNIX Filesystem
Chapter 6: Cryptography

Part 3, being the definitive system security guide for system administrators, guiding them to managing systems’ security from defining accounts to saving backups, to auditing and logging practices, to managing system integrity, defining various kinds of programmed threats and ways to protect against them, and at last, defining best practices for personal and physical security, the thing that is usually overlooked or forgotten.

Part 4 is the interesting part for most of us, the part about “Network and Internet Security”, here we must say, that this part is somewhat outdated in the second edition, maybe it’s better to get the third edition for that, or to read it carefully and then go read other new stuff elsewhere, it is however very interesting and very well written.

Chapter 14 handles the security of telephone networks. (the third edition contains some wireless stuff it seems)

Chapter 15 talks about UUCP which I think is not useful anymore. (please correct me if I’m wrong)

Chapter 16 is a great overview over TCP/IP networks in general (only IPv4 is covered)

Chapter 17 in a comprehensive discussion about various TCP/IP network services and servers, ranging from mail to news to even the most overlooked services like NEXTSTEP Window server and RIP service security, remember here that we are UNIX oriented, all the services and security implications discussed is UNIX related. The discussion is very comprehensive along with a lot of advices on how to make those services more secure.

Chapter 18 is about WWW security, very outdated, there are a lot of better resources for web security. Hope this was handled in the third edition.

Chapters 19 and 20 are a really great resource about RPC, NIS, ,NFS and Kerberos security, I really loved those chapters, although I didn’t get all the Kerberos stuff, I had to read about Kerberos elsewhere to understand it (but hey, Kerberos is truly sophisticated) both chapers remain my favorite reference for PRC, NIS/NIS+, NFS, and Kerberos security.

Part 5 handles some advanced topics, actually firewalls, wrappers and proxies, and secure programming. Chapter 21 contains a very good overview on firewalls in general and their anatomy. Chapter 22 discusses comprehensively custom wrappers like tcpwrappers and proxy servers like SOCKS.

Chapter 23 is my personal favorite. It discusses in great details the general guidelines and practices for secure programming, building secure network servers, secure SUID/SGID programs etc. , of course further information can be found in more specialized writings like:

Building Secure Software by John Viega and Gary McGraw
Practical UNIX and Internet Security 2nd Ed. from O’Reilly
Writing Solid Code by Steve Maguire
The Practice of Programming by Kernighan and Pike
Programming Windows Security by Keith Brown
Code Complete by Steve McConnel
Writing Secure Code by Howard and LeBlanc

But this chapter remains one of the best fast references for the topic, with a very compact and insightful checklist.

Part 6 is about handling incidents, and guess what, … I didn’t read it ;o) , guess I’ll read it when an incident happens.

That’s it, … my overall rating for the book is GREAT, a must read, very well written and can be used as a definitive guide for a lot of topics.

by Ahmed EL Deeb

November 22nd 2005 Posted to

Just Test

Comments(0)

November 17, 2005

The obligatory MT entry

I’ve been working on Bookslut, redesigning (which is a huge strain on me — I hate everything I do, which I feel is an important part of the process), rearranging, and recoding. Once I’m done, it will have the much-requested author-pages and sortable entry indexes (by date, title, and category) be in mostly valid XHTML (I say mostly because I’m not going back to change every apostrophe from the last two years of articles, and I won’t be held responsible for the ads), and be a nice, text-heavy-but-pleasantly-spaced, multi-column layout of pink, brown, and peach (colors I got from some of my favorite dirty pictures, which is appropos). It will also still use Movable Type for the time being, though I’m checking into alternatives as we speak. The big news, if you haven’t heard, is that MT is now charging money to use their product. You see that spiky circle in the upper left hand corner? That means it’s not free. Really it was never intended to be, as many of us are suddenly learning. (more…)