[unisog] Network security textbooks (fwd)
crispin at immunix.com
Fri Nov 7 23:58:02 GMT 2003
A friend forwarded this to me and I thought I could help, so please
pardon my intrusion onto your list. cc: to me if you want me to see your
>I am a Security Analyst, probably like many people on this email list.
>I have an opportunity to teach a Computer Science course in Network
>Security, and I'm looking for advice on a good textbook (along with
>good homework problems). This class could be either for new graduate
>students, or upper level undergrads.
This is indeed a hard problem. I taught graduate computer security
<http://www.cse.ogi.edu/%7Ecrispin/527/> for 4 years, and went through
several texts, none completely satisfying.
> I have an idea of what I would
>cover in this class, starting with the theory of stuff like crypto
>(symmetric encryption, asymmetric encryption, hashes, PKI,
>authentication techniques) and security protocols (SSL, IPsec, SSH,
>Kerberos). These are the pieces you can use when designing a secure
>Then I would like to go into practical things - stuff that we all deal
>with on a daily basis, like buffer overflows, port scanning,
>vulnerability scanning, DOS attacks, how to use network firewalls and
>personal firewalls, auditing, intrusion detection, PGP, locking down a
>host (Windows or Linux), router security, honeypots, patching, and
>maybe even traffic shaping.
As you've just discovered, security is a surprisingly large field of
knowledge. This is a problem when you try to cram it into a single
course: you are forced to decide how to subset the space.
* Breadth: try to cover everything at a shallow level. This begs for
a follow-on course or two in depth.
* Depth: attack only some aspects of security. This begs for
multiple courses covering other aspects.
I have tried both of these approaches. I most prefer the breadth
approach (have an intro and advanced course) because it allows you to
relate one issue to another, but your mileage may vary.
>I can find lots of books on the theory. I can also find lots of books
>on practical security or on hacking. But I haven't yet found one good
>textbook that covers both.
Yep, that's a problem.
Where to begin: *all* intro to security courses should start with the
class covering "The Protection of Information in Computer Systems",
Saltzer <http://web.mit.edu/Saltzer/> & Schroeder, Proceedings of the
IEEE, V.63, N.9, November 1975. This paper is nearly 30 years old, but
remains stunningly relevant to nearly all aspects of computer security.
The only major issues not addressed in this paper are DRM and public key
crypto, both because they had not been invented yet, and Saltzer &
Schroeder were prescient enough to wish for both.
The book I used to use is "Fundamentals of Computer Security Technology"
by Edward Amoroso. This book is nicely comprehensive, but badly dated.
Then I attempted to use "White-hat Security Arsenal"
<http://white-hat.org/> by Aviel Rubin, but it was too anecdotal, and
far from comprehensive. With my co-instructor Elisabeth Sullivan, we
supplemented with chapters from "Computer Security Art and Science", an
in-progress draft of a book by Matt Bishop which was still in
preparation at the time.
We added an advanced topics course, with advanced topics in both theory
and practice. I taught the advanced practice section, where I was very
happy with "Building Secure Software" by Viega & McGraw. This is a
*superb* book on the topic of software security (vulnerabilities due to
defective software) but not nearly comprehensive enough for a course
unless the course topic is software security.
I subsequently stopped teaching, and Sullivan carried on using the now
available "Computer Security Art and Science" from Matt Bishop. This
huge book is a landmark in computer security texts, very comprehensive,
and very challenging to cover all of it. But even so, it is stronger on
theory than practice, and practitioners would still benefit from
practical books such as Viega & McGraw, Cheswick Bellovin & Rubin
<http://www.wilyhacker.com/>, or Zwicky Cooper & Chapman
>Does anyone have any suggestions for a good network security textbook?
>How about one of the books by William Stallings?
I really don't like Stallings for a general security text; it is 7/8
crypto. Similarly, Pfleeger is a widely used text, but it is 1/2 crypto,
which I still view as unbalanced for a general security course.
>Also, I'd like to hear if anyone has good ideas for practical,
>real-world, hands-on lab assignments or homework assignments.
Bishop includes extensive homework assignments. None of the other books
I used include homework, and many didn't even consider themselves text
> This is
>a bit tricky, since I don't want anyone to "accidentally" hack into
>something real, or mistakenly send out a virus email.
I recommend that the first lecture include a stern talk on hacking
ethics: it is ok to experiment with whatever software you want, but do
not experiment on computers you do not have legitimate administrative
control over. Even so, every year of teaching brought some kind of
incident from the class, e.g. 10 minutes after a student does a SAINT
scan of the school's main server, I get a call from the sys admin
wanting to know WtF this student is doing. There's really nothing you
can do about this beyond giving sound advice, because the hacker
how-to's are out there in public, and you cannot effectively prevent
evil or careless people from accessing it.
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
Chief Scientist, Immunix http://immunix.com