Issue No.10 - October (2007 vol.8)
Published by the IEEE Computer Society
Antonio Izquierdo Manzanares, Carlos III University of Madrid
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MDSO.2007.59
A review of "Hardening Network Infrastructure" by Wesley Noonan
Hardening Network Infrastructure
McGraw-Hill/Osborne Media, 2004
The recent technological developments of computer networks, as well as the increase in attacks on network devices, have resulted in today's typical network environment: many devices to manage and many security issues to worry about. Because most security measures in today's literature are based on absolute assertions (such as "Do not ever allow Windows shares in your network"), implementing those measures is rarely feasible. In Hardening Network Infrastructure, Wesley Noonan intends to provide a realistic approach to hardening networks, taking into account the most common limitations we might encounter in real life.
With this idea in mind, Noonan aims to give readers a guide to securing firewalls, switches, and so on. Although much of the book is dedicated to explaining security techniques such as IPSec (IP security), you shouldn't use it as a textbook for these topics. Everything is oriented toward the configuration of network devices, so it's not an in-depth review of these techniques. In fact, Noonan doesn't provide a complete guide for securely configuring devices: he spends much time explaining technologies and reviewing other important security issues (such as security policies and recovery plans) that aren't in the scope of device configuration.
This book might be interesting for managers of employees in charge of deploying and configuring a network in their company. It provides an extensive list of all the issues we should take into account when configuring network devices, from avoiding default configurations and passwords to restricting wireless modes, using MAC (media access control) filters, or isolating network segments. It also covers the most important practices in today's network management: security policy integration, change management, security reviews, and user and staff training.
Although the book covers many subjects and devices, it's structured logically, so you don't ever feel like asking, "What does this have to do with the previous chapters?" Noonan explains all the subjects in an interesting way while keeping straight to the point, so the book never becomes boring.
However, the book's main drawback is precisely what differentiates it from other available books on security: the guides for securing devices are intended to be commands you could just run to quickly and efficiently secure your network infrastructure. But this solution is useful only if you own a device like the ones Noonan uses in the examples. For example, if your switch isn't a Cisco, the chapter about securing switches will be mostly disappointing because you won't be able to use any of the commands. On the same tack, eventually you'll run into capabilities that are proprietary to the example device, so you won't be able to use them in your network.
Furthermore, Noonan presents these ready-to-run commands as magic boxes that achieve the desired results, but you don't get any idea of the syntax being used or what each parameter refers to. So, readers without access to those devices' user guides could find the commands confusing and even annoying. On the other hand, readers who have access to the guides will have to look at them to change anything from the proposed configurations, and helping readers avoid this step was supposed to be one of the book's main purposes. Actually, many of those guides already provide a security checklist (something this book leaves out, although the table of contents could serve as one) with references to detailed information on applying each entry in the list.
In the end, you can view the book as another explanation of different security technologies or as a security configuration guide for network devices. If you don't own one of the devices the book covers (mostly Cisco hardware and other software vendors), it will fail you. My recommendation in this case is to look for other books that provide in-depth analysis and information about each technology. If you have one of the devices Noonan discusses, you might want to supplement this book with a guide for performing fast security configurations while you become proficient with advanced configuration issues.
Antonio Izquierdo Manzanares is an assistant professor at Carlos III University of Madrid. Contact him at firstname.lastname@example.org.