This wide-ranging, up-to-date, conversational guide to network security focuses on the most important success factors: process and mindset. Security expert Thomas Wadlow shows exactly what it means to "be" a successful network security manager within a large business organization. Learn how to define what an organization's security goals ought to be -- and how to implement an effective security policy quickly, without endless committee meetings or company politics. Understand who may be attacking you, and how to "think pathologically" about your network, putting yourself in the shoes of your attacker. Evaluate which information resources are most worth protecting; learn how to build an effective security team; and discover how to build security systems that protect the enterprise as a whole, not just individual devices. Learn how to fortify your network components and design; monitor and audit your network; even quantify the value of security. The book also presents five exceptionally detailed chapters on how to respond effectively to an attack -- from forensics and log analysis to damage control. For every manager and executive concerned with network security, including sysadmins, netadmins, security managers, CIOs, CFOs, and CEOs.
1. Understanding Security.
What Are We Protecting?
Thinking Like a Defender.
The Reader of This Book.
The Organization We Are Protecting.
The Process of Security.
How Do You Know That the Process Is Working?
Staging a Coup
Contents of the Policy
The Nature of the Beast.
Security as an Evolutionary Strategy.
Thinking About Security.
Principles of Security.
The Shape of Your Defenses.
The Shape of Your Security Organization.
Job Functions in a Security Team.
Training and Cross-Training.
Interviewing Security Candidates.
What Is a Network Component?
Trouble with Employees.
What Are the Threats?
Physical Security Basics.
Denial of Service.
Access Control Logging and Log Analysis.
The Shape of the Logging System.
What to Log.
Logging System Design.
Why Should You Audit Your Network?
Types of Audit.
What Should the Audit Measure?
Who Should Do the Audit?
Perception of Value.
Process of Explaining Security Issues.
Developing a Response Plan.
Survival Pack Contents.
Choosing Hiding Places.
Set Your Own Ground Rules.
Exciting, but Not Fun.
What You Can Do.
What You Should Not Do.
Priorities During an Attack.
The Art of Investigation.
The Clean Room.
Analyzing the Contaminated File System.
What to Look For.
A friend of mine said to me the other day that he wanted his old Internet back again. Things worked as well as they needed to. Everyone was nice. You could send mail to people you'd never met, and you'd typically get a nice reply. People gained access to different machines all around the world, which was given more or less freely, so you could log into those machines and see what they'd accomplished this month or just chat with friends. If something needed to be done, a bunch of smart people got together and did it, without too much fuss or bother. It was a nice place, for the most part.
He really wasn't serious, this friend of mine. He makes his living using the Internet we have today and by speaking about the Internet we'll have tomorrow. He gets most of his news from CNN's Web site, and the computer industry-specific sites such as Slashdot and Freshmeat. I can't remember the last time he traveled without a laptop; you can send him e-mail anywhere he travels, and (if you get past his filtering software) he'll answer it from Tokyo or Singapore or Paris. The Internet is probably the most complicated thing created by the human race, and yet it is (relatively speaking, of course) easy to use and just about everywhere you'd want it to be.
But I understand his point. The Internet isn't the friendly place it used to be. What was once a small town, where neighbors were friendly and you could leave your door unlocked, is now the largest (virtual) community in the world, and it's growing bigger every day. There are bad parts of town, and there are muggers and thieves and con men, just as in every other city on Earth. You can't get beaten up, but you can be robbed of your time and in some cases of your money.
For all that, the Internet is probably the safest community of its size ever in existence. But that isn't something to take much comfort in. The reason I say this is that I and other members of my profession are called on to look at the security of sites on the Internet from time to time. I know the Internet is mostly safe, because the doors to most places are still unlocked and yet major catastrophes have not happened. Reasoning from that, it appears that most of the people on the Internet are not Bad Guys. Not yet, anyway.
Of course, this can change at any time. And it has begun to. The 1990s saw an ever-growing number of people systematically trolling for computer weaknesses. These people are not trying to attack a specific site; rather, they are just fishing to see what they can catch. The late 1990s saw the beginning of Internet attacks for political reasons. As this book was written, the news media referred to the conflict in Kosovo as the "First Internet War" because of several hostile incidents that occurred and also because much of the unofficial communication between sides was taking place over the Internet.
The Internet is becoming a dangerous place. But it is important to see this in perspective. Any large community has its bad neighborhoods, robberies, muggings and trouble spots, but that doesn't mean it is impossible to live and work there safely. The trick is to keep your eyes open, take reasonable precautions, and not act foolishly. The same rules apply to the Internet.
But computer security means far more these days than the ability of one person to protect himself or herself from the dangers that can arise on the Internet. It's one thing to protect yourself. It's a very different thing indeed to protect a hundred computers, or a thousand, or ten thousand.
This book is intended for the people facing that formidable challenge and the people who will assist in such an endeavour. It is not a tutorial on how to become a hacker. Nor is it a technical manual on how to run a large computer network. Many other sources cover those subjects, for better or worse. My goal here is to give a person charged with the responsibility of running the network security for a large organization a tool for understanding the language and practices of network and computer security, and to provide some hints along the way to save some time and some scraped knuckles. As with any large project, there are many ways to approach these issues. I don't claim that this book is an exhaustive survey of all possible ways. It is, however, a collection of good methodology and tips and tricks, with some warning signs at the rough spots, that have worked for me.
So who am I? Well, I am an electrical engineer by training, but I was swept up into computer science in my high school and college years. My first experience with the Internet was in the late 1970s, when I discovered that I could connect from Carnegie-Mellon University, where I went to school, to a machine in London, England, over something called the ARPANET, which was just appearing on the scene at that time. Like many others at CMU, I worked in the university Computer Center. Unlike many of my colleagues there, I've kept much the same job ever since, running larger and larger collections of computers and their networks at Lawrence Livermore Laboratory, Schlumberger's Palo Alto Research Center, Xerox's Palo Alto Research Center, ParcPlace Systems, and Sun Microsystems Laboratories. Along the way, I've learned a few things about keeping large collections of machines happy and healthy and about keeping the Bad Guys out and the Good Guys working. Now I find myself as the Chief Technology Officer and Vice President of Security for Pilot Network Services, Inc., a company I helped to found and whose function is to handle Internet security for our customers, a diverse collection of some of the most dynamic and interesting (as well as the largest) companies on Earth. The principles we use to run our business safely can be found in this book. That may strike you as odd, creating a book that says how we do our business, because it enables people to compete against us, using our own principles. Well, read on. If you still think it's easy, give it a shot. We welcome the competition.
A great many people helped me with the production of this book, directly or indirectly, but I'd like to thank several specifically:
Dr. Martine Droulers and Dr. Celine Broggio, wonderful friends who fed me delicious food and gave me the use of their French seaside attic to finish the book. Fromage! Eileen Keremitsis, who put up with my grumbling, made sure that I wasn't working too hard, and was ready with an invitation to dinner whenever I needed one. Dennis Allison, who tempted me back into the book-writing business after a long absence, and Karen Gettman and Mary Hart of Addison-Wesley, who made sure that I stayed the course. Steve Riley, Joseph Balsama, Steve Rader, John Stewart, and Clifford Neuman, who read the entire manuscript and whose numerous and insightful comments I found very helpful. And of course, the people at Pilot Network Services, who are the hardest working and nicest bunch of security folks I've ever met.
San Francisco, California, USA
Le Crotoy, Picardie, France, 2000