
Review of "Network Security Hacks: 100 Industrial-Strength Tips & Tools" by Andrew Lockhart

Publisher: O'Reilly
Publication Date: April 2004

In this book, Lockhart presents 100 recipes, or "hacks", for making your BSD, Linux or Windows server more secure and for monitoring network activity. Each hack is accompanied by an icon indicating a level of difficulty: beginner, moderate, or expert. The hacks are organized into eight chapters: Unix Host Security, Windows Host Security, Network Security, Logging, Monitoring and Trending, Secure Tunnels, Network Intrusion Detection, and Recovery and Response. Most sysadmins who are responsible for a network or who maintain any sort of server will find some material of interest.

The hacks range from the elementary, many of which should be in the top drawer of every sysadmin's toolbox, to the esoteric, for which few will ever find a use. A good example of the former is hack #8 "Check for Listening Services: Find out whether unneeded services are listening and looking for possible backdoors". This hack illustrates the use of netstat on a Linux or Unix system to list the ports on which processes are listening. This enables you to readily identify unwanted services that are potential security holes and therefore candidates for removal. The hacks dealing with honeypots (numbers 94 and 95) are about as esoteric as could be imagined.
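As an added example (not code from the book or from this review), here is the hack #8 check turned into a small script: it parses `netstat -tulpn` style output and reports every listening socket that is not on an administrator-supplied allowlist. The sample output and the allowlist are constructed for illustration.

```python
# Added example: flag listening services that are not on an allowlist,
# the check that hack #8 performs by hand with netstat.
from typing import List, Tuple

# Constructed sample of `netstat -tulpn` output on a Linux host (not a real capture).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/master
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      455/rpcbind
tcp6       0      0 :::80                   :::*                    LISTEN      1203/apache2
udp        0      0 0.0.0.0:111             0.0.0.0:*                           455/rpcbind
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           604/avahi-daemon
"""

# Services the administrator expects on this host, as (protocol, port) pairs.
# Constructed allowlist: SSH, local SMTP and the web server are intended.
EXPECTED = {("tcp", 22), ("tcp", 25), ("tcp", 80)}


def parse_listeners(output: str) -> List[Tuple[str, str, int, str]]:
    """Return (proto, bind_address, port, program) for each listening socket.

    TCP sockets must be in LISTEN state; UDP lines carry no state column, so
    every UDP line in `-l` output is a listener. tcp6/udp6 are folded into
    tcp/udp so the allowlist does not have to repeat each port per family.
    """
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith(("tcp", "udp")):
            continue  # skip the two header lines
        proto = "tcp" if fields[0].startswith("tcp") else "udp"
        addr, _, port = fields[3].rpartition(":")  # handles ":::80" as well
        program = fields[-1].partition("/")[2] or fields[-1]  # "-" when not root
        if proto == "tcp" and "LISTEN" not in fields:
            continue
        listeners.append((proto, addr, int(port), program))
    return listeners


def unexpected_listeners(output: str, expected=EXPECTED):
    """Listeners whose (proto, port) is not in the allowlist: review or remove."""
    return [l for l in parse_listeners(output) if (l[0], l[2]) not in expected]


if __name__ == "__main__":
    for proto, addr, port, program in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected {proto} listener on {addr}:{port} ({program})")
```

On a live host, feed the function the output of `netstat -tulpn` (or `ss -tulpn`, whose columns differ) and keep the allowlist under version control so drift shows up in review.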

Lockhart is to be commended for his cogent instructions for setting up a Linux firewall using Netfilter (Hack #33). I personally found Chapter 6 "Secure Tunnels" to be the most enlightening. The exposition of forwarding using SSH and other tools is the best I have yet encountered.

Within Chapter 6, hack #77, "Tunnel Connections Inside HTTP: Break through draconian firewalls by using httptunnel", explains how to use httptunnel to access the outside world when you are on a network that only allows email and basic web browsing. I have worked at school district sites where the only outgoing connections allowed were for email and a heavily filtered list of web sites. I didn't know about httptunnel at the time, but if I'd had it set up on my own server, I would have been able to break out of the firewall inspired by the "Lord of Insufficient Light" and finish my work more quickly.

Chapter 7, "Network Intrusion Detection" illustrates how to use snort, ACID and other tools to audit potentially hostile activity on your network. It presents an excellent hands-on introduction to these tools and is highly recommended. The final part of the chapter presents hacks for setting up and monitoring honeypots - apparently vulnerable systems designed to entrap crackers.

There are a few errors: For example, in hack #99 chkrootkit is called chrootkit a couple of times. While this isn't the end of the world, this reviewer expects better from O'Reilly. It's especially disconcerting when this type of error occurs in what is presented as literal output from a terminal. Readers should consult O'Reilly's online errata (see resources, below) where this particular error is posted. I found and reported a few other errors.

A criticism of "Network Security Hacks" is that it is too general to allow for many specific recipes that the sysadmin can follow verbatim. In most cases you are forced to refer to the documentation specific to your distribution or software version. An example of this issue can be found in Hack #93 "Detect and Prevent Web Application Intrusions", where somewhat disjointed instructions are given for both version 1.X and 2 of Apache.

"Network Security Hacks" frequently gives instructions for building programs from source - even though it is usually preferable to use a package management system for installing software. Perhaps the author is trying a little too hard to be OS or distribution neutral. But then he breaks his own precedent with hack #98, "Find Compromised Packages with RPM" which is applicable only to RPM-based Linux distributions such as Fedora. In an ideal world, perhaps we'd have a version of "Network Security Hacks" for each distribution of each operating system.

While this book does give you the tools you need to address numerous security issues, it is not complete. A more comprehensive book would address backup and recovery as well as planning your network with security in mind - activities that perhaps wouldn't correctly be classified as hacks. Furthermore, there was no mention of SELinux or virtual machine technology such as Xen.

A problem with any book that has gone to print is that technology advances while the text in the book is frozen in time at its publication date. For example, hacks 13 and 94 both refer to Linux kernel version 2.4, whereas most of the Linux distributions have moved on to version 2.6. What revisions, if any, are needed for the hacks to work with up-to-date kernels? Of necessity, that is left as an exercise for the reader.

This reviewer is a Linux user and advocate. When I first looked at the book, I was not happy to see the significant amount of material devoted to Windows and BSD Unix. However, as I read the book I found the side-by-side comparison of different methods on the three operating systems entertaining. Not having a BSD system at hand I didn't try out any of the BSD hacks. The Windows hacks worked about as well as I expected, which is to say not very well.

This reviewer's attempts with two of the Windows hacks failed. When I tried to follow hack #36 "Firewall with Windows", I found that the dialogs on my XP Professional system were very different from the illustrations in the book. I'm sure it is possible to make a firewall with Windows using a method like this if you are willing to look for documentation beyond what is provided in the book. I view this situation not so much as a criticism of "Network Security Hacks", but more as a problem with the GUI approach to system administration in general and Windows OS in particular. In the Linux/Unix command line world, the commands and their options change very little over the course of years or even decades. With Windows, or a window manager in Linux, the dialogs and options can change considerably with every release.

The other Windows hack that failed on my machine was hack #21 "Check Servers for Applied Patches". This hack shows how to use the mbsacli command line tool to make sure all of Microsoft's patches are correctly applied. Since the book was printed the mbsacli has been replaced with mbsacli2. On my machine, mbsacli2 refused to function, saying there was an XML parsing error. Lacking access to the source code and short on time, I didn't resolve the problem. I was able to visit microsoft.com and use a web-based interface that performed a similar function. For a sysadmin responsible for a network of Windows machines, the command-line interface would be preferable.

"Network Security Hacks", in spite of the caveats enumerated in this review, is recommended as a useful and enlightening book. The chapter on Secure Tunnels was this reviewer's favorite. The chapters on Network Intrusion Detection and Logging were also very good.

The Reviewer: George Geller is a freelance programmer and sysadmin based in San Diego, California. He is an active member of the Kernel-Panic Linux Users Group (http://www.kernel-panic.org) and an advocate of open-source software. O'Reilly donates numerous titles to the user group for review, but George purchased his own copy of this book.

Resources: http://www.oreilly.com/catalog/netsechacks/errata/netsechacks.confirmed - Confirmed errata

