"Designing and Building Enterprise DMZs", Ido Dubrawsky et al, 2006,1-59749-100-4, U$59.95/C$77.95 %E Ido Dubrawsky %C 800 Hingham Street, Rockland, MA 02370 %D 2006 %G 1-59749-100-4 %I Syngress Media, Inc. %O U$59.95/C$77.95 781-681-5151 fax: 781-681-3585
Chapter one does outline some basic DMZ (DeMilitarized Zone) concepts and design, but is vague and verbose, with many large (in page size) and simplistic (in terms of information content) illustrations with little detail and minimal differences between them. (Figures 1.5 and1.6 are, in fact, identical, even though they purport to show different topologies.) Windows DMZ design, in chapter two, is both too broad (it discusses very general aspects of planning for a DMZ setup) and too detailed (the text almost immediately jumps into the specifics of particular outside hardware to be purchased for an isolated example) to be of practical use. Much the same is true of chapter three, which is based on Sun's Solaris operating system.
Chapter four lists wireless network attacks and some security technologies, but doesn't really deal with DMZ aspects, and chapter five, purportedly about implementing wireless DMZs, just has lots of screenshots for installing various products.
Chapter six starts a section of the book cataloguing various firewall products. In this case it is Cisco's PIX and ASA systems, and discusses unit specifications, licensing, and some Cisco commands. Chapters seven through ten, respectively about Checkpoint, SecurePlatform and Nokia, NetScreen, and ISA Server 2005, basically contain screenshots for installation and configuration.
Chapter eleven, entitled "DMZ Router and Switch Security," would have been a good place to deliberate on security considerations of the different routing protocols, but only suggests hardening routers and switches. VPN (Virtual Private Network) topologies and products are noted in chapter twelve, with almost no mention of DMZs at all. The standard advice for building MS Windows bastion hosts is in chapter thirteen. We are told to remove unnecessary services (without being told which are necessary), to rename the administrator account (although nobody mentions that the renamed account can still be determined), and the text recommends using Terminal Services (even though this service is widely considered to be a security risk). Most of the material is about how to use the configuration utilities, rather than suggestions on the settings themselves. Much the same type and level of advice is given in chapter fourteen, in regard to Linux.
Ultimately, while there is content in the work that can be helpful in terms of security, there is relatively little that actually relates to DMZ concepts, design, use, or protection.
copyright Robert M. Slade, 2006 BKDBEDMZ.RVW 20061223
====================== (quote inserted randomly by Pegasus Mailer) firstname.lastname@example.org email@example.com firstname.lastname@example.org Be very glad that your PC is insecure--it means that after you buy it, you can break into it and install whatever software you want. What YOU want, not what [content providers] want. - John Gilmore Dictionary of Information Security