[unisog] Network security textbooks (fwd)

Crispin Cowan crispin at immunix.com
Fri Nov 7 23:58:02 GMT 2003


A friend forwarded this to me and I thought I could help, so please 
pardon my intrusion onto your list. cc: to me if you want me to see your 
reply.

>I am a Security Analyst, probably like many people on this email list.
>I have an opportunity to teach a Computer Science course in Network
>Security, and I'm looking for advice on a good textbook (along with
>good homework problems).  This class could be either for new graduate
>students, or upper level undergrads.
>
This is indeed a hard problem. I taught graduate computer security 
<http://www.cse.ogi.edu/%7Ecrispin/527/> for 4 years, and went through 
several texts, none completely satisfying.

>  I have an idea of what I would
>cover in this class, starting with the theory of stuff like crypto
>(symmetric encryption, asymmetric encryption, hashes, PKI,
>authentication techniques) and security protocols (SSL, IPsec, SSH,
>Kerberos).  These are the pieces you can use when designing a secure
>network.
>
>Then I would like to go into practical things - stuff that we all deal
>with on a daily basis, like buffer overflows, port scanning,
>vulnerability scanning, DOS attacks, how to use network firewalls and
>personal firewalls, auditing, intrusion detection, PGP, locking down a
>host (Windows or Linux), router security, honeypots, patching, and
>maybe even traffic shaping.
>
As you've just discovered, security is a surprisingly large field of 
knowledge. This is a problem when you try to cram it into a single 
course: you are forced to decide how to subset the space.

    * Breadth: try to cover everything at a shallow level. This begs for
      a follow-on course or two in depth.
    * Depth: attack only some aspects of security. This begs for
      multiple courses covering other aspects.

I have tried both of these approaches. I most prefer the breadth 
approach (have an intro and advanced course) because it allows you to 
relate one issue to another, but your mileage may vary.

>I can find lots of book on the theory.  I can also find lots of books
>on practical security or on hacking.  But I haven't yet found one good
>textbook that covers both.
>
Yep, that's a problem.

Where to begin: *all* intro to security courses should start with the 
class covering " The Protection of Information in Computer Systems 
<http://web.mit.edu/Saltzer/www/publications/protection/index.html> ", 
Saltzer <http://web.mit.edu/Saltzer/> & Schroeder, Proceedings of the 
IEEE, V.63, N.9, November 1975. This paper is nearly 30 years old, but 
remains stunningly relevant to nearly all aspects of computer security. 
The only major issues not addressed in this paper are DRM and public key 
crypto, both because they had not been invented yet, and Saltzer & 
Schroeder were prescient enough to wish for both.

The book I used to use is "Fundamentals of Computer Security Technology 
<http://www.amazon.com/exec/obidos/ASIN/0131089293/qid%3D915000715/002-4939836-9768223>" 
by Edward Amoroso. This book is nicely comprehensive, but badly dated.

Then I attempted to use "White-hat Security Arsenal 
<http://white-hat.org/> " by Aviel Rubin, but it was too anecdotal, and 
far from comprehensive. With my co-instructor Elisabeth Sullivan, we 
supplemented with chapters from "Computer Security Art and Science", an 
in-progress draft of a book by Matt Bishop which was still in 
preparation at the time.

We added an advanced topics course, with advanced topics in both theory 
and practice. I taught the advanced practice section, where I was very 
happy with "Building Secure Software" by Viega & McGraw. This is a 
*superb* book on the topic of software security (vulnerabilities due to 
defective software) but not nearly comprehensive enough for a course 
unless the course topic is software security.

I subsequently stopped teaching, and Sullivan carried on using the now 
available "Computer Security Art and Science" from Matt Bishop. This 
huge book is a landmark in computer security texts, very comprehensive, 
and very challenging to cover all of it. But even so, it is stronger on 
theory than practice, and practitioners would still benefit from 
practical books such as Viega&McGraw, Cheswick Bellovin & Rubin 
<http://www.wilyhacker.com/>, or Zwicky Cooper & Chapman 
<http://www.oreilly.com/catalog/fire2/>.

>Does anyone have any suggestions for a good network security textbook?
>How about one of the books by William Stallings?
>
I really don't like Stallings for a general security text; it is 7/8 
crypto. Similarly, Pfleeger is a widely used text, but it is 1/2 crypto, 
which I still view as unbalanced for a general security course.

>Also, I'd like to hear if anyone has good ideas for practical,
>real-world, hands-on lab assignments or homework assignments.
>
Bishop includes extensive homework assignments. None of the other books 
I used include homework, and many didn't even consider themselves text 
books.

>  This is
>a bit tricky, since I don't want anyone to "accidentally" hack into
>something real, or mistakenly send out a virus email.
>
I recommend that the first lecture include a stern talk on hacking 
ethics: it is ok to experiment with whatever software you want, but do 
not do experiment on computers you do not have legitimate administrative 
control over. Even so, every year of teaching brought some kind of 
incident from the class, e.g. 10 minutes after a student does a SAINT 
scan of the school's main server, I get a call from the sys admin 
wanting to know WtF this student is doing. There's really nothing you 
can do about this beyond giving sound advice, because the hacker 
how-to's are out there in public, and you cannot effectively prevent 
evil or careless people from accessing it.

Good luck,
    Crispin

-- 
Crispin Cowan, Ph.D.           http://immunix.com/~crispin/
Chief Scientist, Immunix       http://immunix.com
            http://www.immunix.com/shop/




More information about the unisog mailing list