Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Security

Getting Started in Network Security? 193

pixelgeek asks: "Security has not only become an important topic but also a critical issue for admins and even the average user in their home. To someone new to the topic the wealth of material can be a bit daunting and, you can imagine, a little confusing. Does anyone have any suggestions on where to start getting a handle on the concept of network/computer security and what are the most important and useful applications (CLI primarily) that a person should examine and learn?" We've touched on these issues before, but it was a while ago. Taking a network security class, could help, but which classes are really worth the money and might there be enough information on the web to make such a choice, unnecessary?
This discussion has been archived. No new comments can be posted.

Getting Started in Network Security?

Comments Filter:
  • Majors? (Score:5, Informative)

    by krisp ( 59093 ) * on Sunday May 25, 2003 @07:01PM (#6037230) Homepage
    Perhaps a BS in Applied Networking and System Administration [rit.edu] could get you some of the answers you are looking for.
    • Re:Majors? (Score:4, Informative)

      by Jonsey ( 593310 ) on Sunday May 25, 2003 @11:42PM (#6038565) Journal

      I'm a student up at RIT, going into 2nd year, and this is my major. While Network Security is not yet a 6 class focus, it should be before long. Sure 4 years is too long to explode into the field, but if you meet pre-reqs, you can take the classes as night classes, or even on-line with no other offiliation to RIT.

      I love the new degree though, it was just presented as a new major last year, technically an off-shoot if IT. It itself is... a bit weak of a major at RIT, trying to cover too many things with too many introductory classes, but cut out some web design and interactive media, and you've got a usable, enjoyable major.


      Just my 0.0169284 Euro (as of 3:41 GMT) (thanks XE.com)

      - Jones

    • Re:Majors? (Score:5, Funny)

      by orcaaa ( 573643 ) on Monday May 26, 2003 @12:02AM (#6038632)
      Steps to foolproof security 1) Get a PhD in Number Theory/Theoretical CS from Harvard/MIT. 2) Write the newest encryption technology which is NP Hard to decrypt, takes O(1) time for encryption. - PROVE it. 3) Make all network applications use this technology (Don't worry, this will be possible once you get the fields medal for proving the Reimann Hypothesis and people know/trust you and your work) 4) Now lay back and enjoy
  • by rxed ( 634882 ) on Sunday May 25, 2003 @07:07PM (#6037257)
    In security you have to have a well rounded education and experience simply because the job demands it. A good start would be probably 5 years in network administration with large user group enviroments, fluent programming skills (java, c, c++, perl), some experience in web server farm administration etc. I don't know any security or computer fornesic who worked for our company who is under 35 yo.
    • by ink_13 ( 675938 )
      A good start would be probably 5 years in network administration with large user group enviroments, fluent programming skills (java, c, c++, perl), some experience in web server farm administration etc. I don't know any security or computer fornesic who worked for our company who is under 35 yo.

      Well, this is lovely, but it's not exactly the way to "get a handle" on things. Seriously, if you expect this from everyone in Network Security, you're going be unable to get anyone new. I'll grant you don't wa

      • by MoreBeer ( 91936 ) on Sunday May 25, 2003 @09:54PM (#6038126)
        Agreed. We try to 'greenhorn' in good network admins/engineers. Start them off in basic fw administration, show them the ropes of the IDS (Snort!), and teach them why it's important to ride their former coworkers like zorro to ensure thier stuff is up to date patchwise.

        The basic fact of the matter is, Network Security _requires_ a seasoned network admin/engineer/programmer who has the potential to analyze systems on all levels of the OSI model (when analyzing a production payroll server - is it plugged into a hub all the way up to transmitting passwords in cleartext or non-aged accounts?). I'd say it's damn near impossible for a hair stylist to come into a company as a Network Security Administrator, but a hungry NT admin or Network Engineer has great potential.
  • by ezs ( 444264 ) on Sunday May 25, 2003 @07:11PM (#6037276) Homepage
    I found Zieglers book 'Linux Firewalls' useful http://www.amazon.com/exec/obidos/ASIN/0735710996/ qid=1053904217/sr=2-2/ref=sr_2_2/002-0456066-36248 65 ; also this is a great site http://www.linux-firewall-tools.com/linux/
    • Link [amazon.com]

      This book covers more than I could have hoped for. Since reading this book and following it's suggestions I've made my systems significantly more secure. You've still got to keep up with your software patches but if you've done a good job hardening your system, you get more time to implement the patches before the shit hits the fan.

      Or at least that's how it's worked for me!
    • Since it's sorta on topic (security, privacy), you should know that only this:

      http://www.amazon.com/exec/obidos/ASIN/0735710996/ [amazon.com]

      is required to get to books on Amazon. The rest of that junk is your Amazon ID, referral information, and so forth.

      (Besides which, it's good practice to use linked text like so [google.com], instead of a long URL. It's just easier for people to use. The status window at the bottom of the browser will tell people where the link goes, if they want to know.)

  • Know the protocols (Score:5, Interesting)

    by AstroJetson ( 21336 ) <gmizell.carpe-noctum@net> on Sunday May 25, 2003 @07:13PM (#6037291) Homepage
    Learn everything you can about IP, TCP and UDP. Read the RFCs. Then learn about application level protocols like ssh, telnet, HTTP, FTP and the various mail protocols. Almost all vulnerabilities are caused by a system mishandling a certain type of message.
  • by viega ( 564643 ) <viega@[ ]t.org ['lis' in gap]> on Sunday May 25, 2003 @07:14PM (#6037294) Homepage
    O'Reilly has a good security bibliography here [oreilly.com]. Be sure to read Practical Unix and Internet Security (which is now in its third edition). Beyond that, pick some books that seem the most interesting to you.
  • by asifyoucare ( 302582 ) on Sunday May 25, 2003 @07:15PM (#6037301)
    You cannot be a security specialist without a good broad computing background and strong networking skills. For this reason, people rarely start out to be security specialists, and it is difficult to imagine anyone tackling a serious security role without that background.
    • by CausticWindow ( 632215 ) on Sunday May 25, 2003 @07:32PM (#6037380)

      Amen brother. If you're starting out in your parents basement, tcpdump is your friend. Rudamentary C skills are also important.

    • "Can you teach me how to hack?"
      "Do you know what IP subnetting is?"
      "Uhh, no. I don't care about that, I just want to break into people's computers!"
      "Go away."

      I hear this all the time, and it probably applies to the other side of the fence as well. Learn how stuff works and the theory behind it. If you don't know the difference between TCP and UDP, don't try to learn how to do system administration and network security - learn how networking works first. Learn the protocols. If you don't know how to check your POP3 e-mail and retrieve a web page with nothing more than a telnet client, learn how to do that and more. Then you can decide whether security is even where you want to go, or if another path presents itself.
      • If you don't know how to check your POP3 e-mail and retrieve a web page with nothing more than a telnet client

        That's nothing! Back in my day we had to use SSH with nothing but a phone line and a toothpick, and we were lucky! Some people didn't get the toothpick.
    • Your best bet is to pick up a few books and then build a cheap test lab where you practice setting up different scenarios as well as trying to run various exploits to break into the machines. I.e set up a windows server, linux web server with apache and sendmail and see if you can break into them. Some books I recommend are TCP/IP illustrated vol 1, hacking exposed (all of them), Building Internet Firewalls (2nd edition) and a great non-technical background book is one by the godfather of crypto, Bruce Shni
  • by HotNeedleOfInquiry ( 598897 ) on Sunday May 25, 2003 @07:16PM (#6037310)
    I just bought Building Secure Servers with Linux and so far I've been very inpressed. It has the first understandable (to a mostly hardware guy like me) explaination of iptable configuration. It also has a good section analyzing different firewall/router configurations, setting up ssl and loads of other good stuff. Very well written and probably an excellent start.

    Written by Micheal D, Bauer, O'Reilly & Associates, ISBN 36920-00217

  • by bizitch ( 546406 ) on Sunday May 25, 2003 @07:18PM (#6037315) Homepage
    Allways remember - (re:CLI)

    A PIX (Firewall) is not a Router and a Router is not a PIX

    This little morsel of knowledge still eludes me continuously in my day to day work in this field.

    • You're a moron to mention that you have trouble with this publically. They are obviously different devices, targeted at different tasks, running completely different OSs, on completely different hardware platforms.
      It's also OT.
      • Allow me to clarify ....

        I was refering to the CLI -

        There is also a tendancy to want to route thru a PIX and to use Routers as firewalls - Neither is a good idea and in the case of the PIX, its impossible to route - even though it seems like it should.

        • There is also a tendancy to want to route thru a PIX and to use Routers as firewalls

          Oh...you're talking about people who have no real business touching edge equipment in the first place. Nevermind...I was confused by thinking you meant actual network engineers who know what they are doing.

          And, FYI, a properly-sized IOS router with an ik9os image makes a damn fine firewall. You just don't have a point and drool interface like a PIX to admin it by (which doesn't realy reflect the actualy config of the
          • And before someone who reads too many magazines and has too little actual experience tryes to reply to this, yes I know IOS as a firewall isn't stateful. A PIX isn't truly stateful either. And very few people actually NEED a stateful firewall (lots want, few need...there's a difference).
            • Okay, you're the only person in the world who is allowed to be interested in or even practice network security.

              Did you see Bruce Almighty yet? You're Bruce. And you've got 3,157,019 user requests in your inbox.
              • Okay, you're the only person in the world who is allowed to be interested in or even practice network security.

                The original post doesn't show interest, it demonstrates ignorance.

                The saddest part is that I'm pointing out very basic and very obvious facts. What I've mentioned so far can't even be considered "expert" level knowledge.
              • Did you see Bruce Almighty yet? You're Bruce. And you've got 3,157,019 user requests in your inbox.

                Ah, big deal - I've got the power, so all I have to do is temper it with intelligence. First thing to do, of course, is automatic filtering: greedheads that want a holy ATM get a the $1 prize and a subscription to Forbes, kids blessing their parents and puppy and so on get a pat on the head, and by the time that's done, I only have 120,000 requests that need tailored attention. That's child's play when you'

    • by GC ( 19160 ) <giles@coochey.net> on Sunday May 25, 2003 @07:25PM (#6037350)
      Denise Richards on the PIX Firewall [routergod.com], she explains why the PIX is not a router.
    • to make this post interesting :

      this page [cisco.com] describes differences and common points between PIX and firewall

      Please moderate this post as karma whoring.
  • OpenBSD (Score:4, Informative)

    by Anonymous Coward on Sunday May 25, 2003 @07:18PM (#6037316)
    I find that while using OpenBSD, you get to learn a lot about security.
    The OpenBSD developers are security experts (and that's an understatement), and thus everything in OpenBSD is done the way it should be done, from a security point-of-view.
    When you install OpenBSD, it's secure out-of-the-box. Of course no services are enabled by default. While you enable the ones you need, take the time to read through the excellent manpages (which are far superior in quality than linux's manpages), faq,... and you'll learn a lot.
    Just don't expect no-brainer pointy-clicky interfaces *shiver* ;)
  • Nasty Catch-22 (Score:5, Insightful)

    by acceleriter ( 231439 ) on Sunday May 25, 2003 @07:19PM (#6037320)
    The corporate/law enforcement security community is fairly tight-knit, and suspicious of newcomers. Attempting to "break in" (no pun intended) to that community will be met with suspicion.

    And, interestingly, getting a job in network security requires a knowledge of network security, but having knowledge of network security without previous employment in the field can make you suspect.

    Worst of all is to admit knowledge of security in a corporate environment by pointing out flaws--then you're an easy mark for those "in charge" of security, whom you've made look bad. Like a bad "in Soviet Russia" joke, security problem report you.

    Fortunately, I haven't learned any of this by experience, only by obeservation.

  • tricky question (Score:5, Interesting)

    by stinky wizzleteats ( 552063 ) on Sunday May 25, 2003 @07:20PM (#6037330) Homepage Journal

    Security is unlike any technical discipline because it is not a technical discipline. When you try to make a web server work, your "enemy" is simply entropy. You learn what you need to know about how the technology works, and you are good to go.

    In security, your enemy is another human being. This changes everything. What do you have to know? More than the best cracker you will go up against. The question is not, therefore, what do you have to know, but what don't you have to know. The only effective teacher of security is experience. If you try to play fresh out of college/certification mercenary in the security game, you will get your ass burned.

    • Re:tricky question (Score:2, Interesting)

      by nalfeshnee ( 263742 )
      A great point, and one also made by Bruce Schneier (author of *Practical Cryptography* of course). His point that 'security isn't a technical problem, it's a people problem' is one to consider before one charges off down the road to becoming a networking god.

      All the networking experience in the world is not going to be of much use if the security *policy* in your company/org. is not well thought-out and implemented, and THAT is another ball game entirely.

      Hence the importance of experience: knowing how peo
  • by GC ( 19160 ) <giles@coochey.net> on Sunday May 25, 2003 @07:22PM (#6037338)
    Try "Network Intrusion Detection: An Analyst's Handbook" [amazon.com] by Stephen Northcutt.
    "Know your Enemy" [amazon.com] from the Honeynet Project

    Experiment with the following programs:
    Snort [snort.org]
    Ethereal [ethereal.com]
    IPTables [netfilter.org]
    TcpDump/LibPcap [tcpdump.org]

    Follow articles/join mailing lists at:

    CERT [cert.org]
    Securityfocus [securityfocus.com]

    Examine analysis of the Scan of the Month Challenge at the Honeynet Project [honeynet.org] website.

    Get yourself CISSP reference texts [cissp.com] and generally increase your knowledge. I believe Cisco now has a few Security based certifications as well YMMV.
    • by Shoten ( 260439 ) on Sunday May 25, 2003 @08:11PM (#6037602)
      I am a CISSP, and have worked with a lot of them also, and I can tell you that it, or its study materials, are not...NOT...the way to go. A CISSP exam only tests knowledge of the underlying concepts of security, at a very high level (and not just related to computers either...you have to learn things like "which of the following camera installation locations also requires installation of an auto-iris?" You can learn a lot, yes, but very little of it will be what you want to know.

      I've seen CISSPs who didn't know the difference between a penetration test, vulnerability assessment, or certification/accreditation. I've seen CISSPs who thought that a firewall was all that was needed to protect against outside attacks, and CISSPs who didn't realize that patching systems constantly isn't quite as simple as it may seem when it comes to a large environment, or one in which unstable third-party appls are hosted.

      Yes, I am a CISSP. And I'm telling you that it's not a fountain from which you should drink if you wish to learn about computer/network security. It's not bad for a better paycheck, though...
      • I'm a CISSP too. The point's well taken about the required knowledge being broader than it is deep.

        I'd argue that's a good thing, though. If you want to improve real security, then you *have* to know physical security. If you want to keep a system running, well, remember that fires and broken pipes and chemical spills are a kind of DoS attack. You *have* to know disaster planning and recovery.

        If you've really learned the security mindset and have a good background, you'll challenge a lot of questions on t
    • All very good for the beginner, for sure.

      Don't forget tripwire [sourceforge.net], nmap [insecure.org] and Nessus [nessus.org]. I find Nessus particularly interesting, especially if you have more than a modicom of network experience under your belt.

      I think security is the one area of the IT industry that's growing. Thanks, Microsoft!

      Soko
  • How I did it. (Score:5, Interesting)

    by rdunnell ( 313839 ) on Sunday May 25, 2003 @07:22PM (#6037340)
    Got a job at a decently large financial firm in their IT shop. Worked my way into supporting the security organization. While I was doing that, I learned as much as I can about good design principles and how to explain them to others. Eventually an opening came about in our network security group and there I am. We're not a Fortune 100 company but that's only because of the way we're structured, that's the size and scope of company I work for.

    One of the most important things to remember is that security isn't all hackers and breakins and tiger teams and forensics. The day to day life of a security analyst (at least at a big firm) is fraught with arguments from operations, from development, from management. A very significant part of your job will be to propose The Right Thing To Do, which will almost always cost more and be more complex than the average Mickey Mouse bandaid solution that people tend to come up with. Security absolutely has to be designed into things from the start, not bolted on at the end. Execs and developers don't like to hear this a lot of the time, because it might cost more. Operations hates to hear it because it means they have another box to administer (a firewall instead of just a router) or some procedudes that require them to have accountability.

    Definitely develop your people skills. You'll spend a LOT of time trying to convince people that you're worthy of what you're saying, but once you do they'll start coming to you before they do stuff and it gets a LOT easier. The important thing is to convince people that you're not just here to be an asshole and cost people money. That's the image the average security organization projects, but it's really not the case.

    Like others have said, learn as much as you can about as many technologies as you can, rely on other experts in the company for depth of knowledge, and you'll be fine. You don't have to be the ultimate CCIE router nerd to perform decent network security. You need to know how and where to research things, how to communicate those results to the people that need to know them, and how to stick to your guns when needed. You won't always win. Management is funny like that. But if you're creative in finding solutions and very firm and confident when you do have to deliver the bad news, you're well on your way to being a decent security analyst.

    • by rdunnell ( 313839 )
      1) Sometimes you can get a job in security operations (log monitoring, user account management, etc). They typically pay about what an IT helpdesk does - read, peanuts with a daily bonus of annoying calls. But you can get your foot in the door that way.

      2) A lot of the security industry is based on trust, even though the people that are in it aren't supposed to say that (it's not PC or something). Getting to know the people in security groups and showing them that you're trustworthy is the best approa

    • The important thing is to convince people that you're not just here to be an asshole and cost people money.

      Gentlemen, your communication lines are vulnerable, your fire exits need to be monitored, your rent-a-cops are a tad undertrained. Outside of that everything seems to be just fine. You'll be getting our full report and analysis in a few days but first, who's got my cheque?
    • Re:How I did it. (Score:4, Insightful)

      by dogfart ( 601976 ) on Monday May 26, 2003 @01:35AM (#6038941) Homepage Journal
      I will second this. What you learn on your own time is very good. What you can learn on-the-job is even better. Corporate folks are very suspicious of individuals claiming to know about network security without the work experience to back it up (are you a hacker? or just another BS artist?)

      No matter where you work in IT, there is a security aspct that needs attention. Coding practices, change management are concerns in programming. System administrators need to harden and continually patch systems. People in training and documentation need to include security rpactices for end users.

      Security is one of those things that gets too little respect, yet is recognized as as a need. Being pro-active in your job, thinking through how security fits in, and trying to help your overworked security admin will give you precious experience, and also give you the reputation as someone to groom for further security work.

      The best security people I know started somewhere else and "volunteered" themselves to be the security point person in their area.

      What you first do might not be all that exciting. You may be resetting user passwords, setting up new accounts, or dealing with trivial "non events" that turn out to have nothing to do with security (surprising how many network configuration mistakes look like hostile port scans). Just keep at it, do a good job, enhance your skills on the side. eventually a good opportunity will open up and you will be the first in line.

      Most important, learn how the business operates, what are its priorities, what MUST work right, and what are the types of arguments that pursuade upper management. Security in commercial businesses is a give-and-take of cost, risk, and exposure. Learn to be flexible and not rigidly dogmatic about security practices. Your role isn't to make your company's security perfect, it is to educate non-technical managers about the real risks they might be taking, and the various options to limit (NOT eliminate) those risks.

  • by dachshund ( 300733 ) on Sunday May 25, 2003 @07:25PM (#6037351)
    Firewalls and Internet Security: Repelling the Wily Hacker by Cheswick, Bellovin and Rubin.

    A great primer on some of the fundamentals of the field, along with a few of the more common attacks (mind you, any technique you find in a printed book is liable to be slightly behind the cutting edge.)

  • by heli0 ( 659560 ) on Sunday May 25, 2003 @07:26PM (#6037357)
    Might want to check it out: MIT Network Security Team [mit.edu]

    "On the following pages you will find information about protecting your computer or network from malicious hackers, dealing with a suspected attack or system compromise, and MIT network security policies"
  • by Anonymous Coward
    at their Networkers conferences in Orlando and L.A., including one entitled 'How to Think Like a Security Administrator When It's Not Your Full-Time Job'.

    More details here [cisco.com].
  • by phaetonic ( 621542 ) on Sunday May 25, 2003 @07:30PM (#6037372)
  • Computer Security (Score:5, Insightful)

    by friscolr ( 124774 ) on Sunday May 25, 2003 @07:30PM (#6037373) Homepage
    Secrets and Lies, by Bruce Schneier, will give you a good overview of computer security (other books exist for this general overview too,but ihappen to have just finished this one). From there you can delve into more in depth overviews or specific topics.

    More in depth overviews:
    any CISSP/GISC/Security+ certification book (plus, after reading it go get certified!).

    Topic Specific:
    Firewalls (contrary to what others may tell you, there is more to security than firewalls). Some good books: the O'Reilly Firewall book, Building Linux and OpenBSD Firewalls (a bit dated but still on topic).
    Do a search for all O'Reilly books with 'security' in the title/description, flip through it, decide if it suits your need (e.g. Web Security, Computer Security Basics, OpenSSL security, etc).

    Learning the topic *really*well* is very important - e.g. really understand TCP/IP (something beyond "i plug in the cable, run dhclient, and i get internet!") andlook at it with an eye for security. Same goes for web server, general sysadmin tasks, programming, etc.

    Remember: security is a process. and a moving target. and impossible to fix %100 but try anyways.

    Experience is essential too. Get yourself an experimental network and try attacks, network sniffing, securing, MiTM'ing, getting around firewalls, DoS'ing, snort'ing, arpspoofing, etc. Once you've run some attacks then you'll have a working idea of what is going on and will hopefully be able to see when a line of thought would lead you in the same direction in setting up your network. Plus it helps to know you could set up a quick demo to show how easy it is to sniff someone's password, even on a switched network.

    Become a keen observer of people. The users are your number one enemy in terms of security. They'll give their password away to anyone, try to thwart your attempts to secure the network, print out and take confidential docs to the cafe, etc. Not on purpose, but b/c their priority is getting work done. Understand them so as to best work with them.

    And there's a whole lot more, but most importantly remember that security requires a very robust approach. Not just a firewall, not just encrypting everything, not just checking all code, but a well thought out approach that is followed, revised, updated, explained to all employees, etc etc

    • The users are your number one enemy in terms of security

      This was worth repeating.

      But you should also know that users have needs and wants - some legitmate, some not so much, but if someone in the organization is not responsive they'll start looking for ways to do it themselves and this is a very good way to get insecure.

      "responsive" (above) does not mean "I'm the sysadmin and you have to do things my way." Making users angry is probably going to make them try to break things even faster. Very very h

  • CISSP book..... (Score:2, Informative)

    by devitto ( 230479 )
    A CISSP book (and maybe a copy of ISO17799) should cover everything you should need to know.

    The rest is just details, which you should endevour to become an expert in as/when needed.

    Dom
    (PS. A good CISSP book is >500 pages)
  • by oneiros27 ( 46144 ) on Sunday May 25, 2003 @07:35PM (#6037400) Homepage
    Applications change with time, but the basic concepts stay the same.

    When you're dealing with risk analysis, it doesn't matter what protocol or application you're protecting. You only have to deal with your definition of risk. Typically, something like:
    Risk = ( (Threat x Vulnerability) x Impact ) / Countermeasures
    If you're dealing with human threats, then you might use MOMM (Motive, Opportunity, Means, Method) to break it down.

    You should also learn other ways of breaking down the anslysis, like the McCumber Cube [ibm.com], the laws that you can use to prosecute perpetrators, oand what you need to do so that you're not sued for monitoring your users (which might be a violation of various privacy acts).

    Applications aren't nearly as useful, as well, they might help you on that whole 'detect/protect/correct' front, but they rarely lock down a system completely -- you need multiple layers of protection, from not only technology, but you need the policies so you can actually implement good security practices, and you need to train your employees so they aren't creating security problems. [quite a few books claim that the majority of security incidents come from inside a company, and users will give up authentication information with minimal prompting].

    blah, blah, blah...you get the idea...
    take a general overview, and work from there. .
  • Not just networking (Score:3, Interesting)

    by Gurp ( 7581 ) * <glennp.null@net@nz> on Sunday May 25, 2003 @07:36PM (#6037404)
    I'm seeing a lot of comments here that say "Set up your own firewall" or "Learn TCP".

    Repeat after me:
    Security != firewall
    Security != networking

    I see this misunderstanding all over the place, but you can't secure a system through the network only. And you certainly won't make it in the "security industry" if that's what you think.

    It's a cliche, but security is a process. It starts at the design of <whatever> and never really finishes. A security expert will know enough about each step of the plan that he/she can guide the team to the implementation a secure enough solution to their part of the problem, whether that solution is software or a business process doesn't matter.

    I say secure enough on purpose because a truly secure solution is not possible. And this is really another key part of the security experts arsenal - knowing when the cost of more security outweighs the cost of the risk/exposure you're covering up.
    • by chill ( 34294 )
      The problem with most projects is that they are completed and rolled out before security is addressed. It is not realistic to think security can only happen when "designed in".

      Real world situations include "securing" existing LANs/WANs; Internet e-commerce sites; etc.

      Learning the basics of TCP/IP *IS* a good idea. And *understanding what a firewall is/is not, and what its limitations are* is CRITICAL.

      Two days ago I had the head of a medium-sized financial services firm call me and say "my tech here say
  • i don't get it (Score:3, Insightful)

    by minusthink ( 218231 ) on Sunday May 25, 2003 @07:41PM (#6037441)
    mod me down as a troll, off-topic or whatever, but I don't understand the ask slashdots when people ask 'how do I begin learning [something]?"

    google for the topic, find a book, or a how-to, or whatever and start reading. inevitably you will come across an idea, or jargon, that you don't understand. so google for that. continue until you finish the book.
    then find another book/how-to.

    all you need to know is avoid books like 'advanced topic X'.

    i dunno. maybe i'm just a supergenius. but most likely not.

    learn, baby, learn.

    • I agree that googling has to be the first step, one that some "how do I . . ." posters clearly haven't taken. The answer is always the same as well - you will have to read a lot, start at the beginning, and work hard, that's how it's done. That said, only a person can show you how knowledge is applied, and I appreciate the responses and advice people give. Some of y'all are true badasses in your particular branch of IT and your time is worth serious money, so I'm thankful that you take a minute to give y
  • Everyone says... (Score:3, Informative)

    by xaoslaad ( 590527 ) on Sunday May 25, 2003 @07:52PM (#6037500)
    True firewalling is a good start, but consider knowing good OS practices too, liking patching up and hardening Solaris, using tools like HFNetChk and others to help harden Windows, up2date and hardening RedHat Linux. Sure that's not all operating systems, but it's a good start. Disable services you don't need, secure the ones you do want to run, and so on.

    Understand firewalls, NAT, port forwarding; set up an internal LAN mess with doing scans with nmap, try and do some things with nc...

    set up things like ssh and scp in place of telnet and ftp. Know about the different forms of encryption their strengths and weakness, when one might be appropriate over the other.

    Learn about VirusScan. Maybe McAfee VirusScan and NetShield and centrally administrating it with e-Policy so that you can automatically update all your servers and clients in case of an emergency DAT rollout cause of the latest virus running amok.

    Also mail scanning, spam filtering, maybe things like clearswifts mailsweeper product, content filtering, lexical scanning, and other stuff.

    Learn to set up postfix and sendmail so that they aren't acting as open relays, etc.

    You might also consider something like Websense for URI filtering. Often not only are you trying to keep the bad things from getting in but also your users from getting to harmful material as well; in essence protecting them from themselves.

    And of course you can mess with IDS, like say snort.

    Learn about IPSec VPN's I'm sure there is free stuff to get you started, also learn about the big players in VPN's like say checkpoint, nortel networks with contivity, netscreen and probably lots of others.

    Security only starts with a firewall. It also demands good practices with server updates and patches, mail scanning, web content scanning, virusscan, choosing secure methods over the easy ones....

    Some of these programs are free, some you can download demos of, others you may not be able to get your hands on until your in a position to use them, but at least knowing about the different methods of making a network more secure is at least a start.

  • by Shoten ( 260439 ) on Sunday May 25, 2003 @08:03PM (#6037551)
    First off, computer security is much like many other forms of security, at the concept level. The particulars of implementation are very different, but the underlying motives of the players and the interactions aren't. The infamous 419 scam was originally done in person, then by phone, and then by fax before it was possible to do it via email, for example, and lesser variants of it (the pigeon scam, for example) have existed in the offline world.

    If you're looking to grasp home user or end user security, the first thing I'd do is buy The Gift of Fear [amazon.com] by Gavin de Becker. Right off, that will give you a good understanding of intuitive threat modeling for everyday life. Unfortunately, I can't find a book out there that does home-user security for the average joe, nor can I find a class...but I am writing a book myself.

    If you're interested in security from a more admin-oriented perspective, I would go to SecurityFocus [securityfocus.com] and check out some of their mailing lists. At first, the material may be over your head, but you'll find that that only pulls you up a bit. Also, get yourself a linux box and learn linux (if you don't already know it). Set up a honeynet [honeynet.org] and see what's going to happen to an unpatched, exposed box. Or just set up snort [snort.org] with ACID [cmu.edu] as the front-end console to observe the attacks that are taking place. Once you understand the threat, it becomes a lot easier to decide what to study to defend against it.
  • by mark_space2001 ( 570644 ) on Sunday May 25, 2003 @08:03PM (#6037556)
    I can only add a little to what's already been said here. First, learning everything about security is a big job, plan to take it in steps. If you want a quick start guide, here's my best stab:

    1. Use a dedicated firewall - I don't believe a fire wall on the machine you are trying to protect is sufficient, especially windows. Get either a router [amazon.com] with a built in firewall, or use linux with iptable masquerade [e-infomax.com] firewall. The latter option is more $$ and more trouble than the former, but I think it's untilmately more robust. You should also use a firewall [com.com] on your PC, just in case.

    2. Secure your browser and mail reader - these are the primary "back doors" into your computer. No firewall will protect you if you download and execute a virus attached to an email message. Sorry, no links here, but ask around, and becareful what you download.

    3. Read up - Building Internet Firewalls [oreillynet.com] is excellent for the novice. I have their simplest system at home - one dual homed PC that acts as NAT, firewall, and router. Not as secure, but good enough for me. Then just start reading more books as you have time. The O'Rilley series on Ethernet and the various TCP/IP protocols is good, and so are the relavent RFCs. But also consider more academic books like Comer. [purdue.edu]

  • by bigberk ( 547360 ) <bigberk@users.pc9.org> on Sunday May 25, 2003 @08:10PM (#6037595)

    When I started playing around with Linux five years ago, I had no understanding of 'real world' network security. Today I consider myself quite knowledgeable on the subject; I oversee network configuration and security for several LANs (including my own business); I've written academic papers on the subject and I am currently involved with university research in networking.

    Learning any complicated system is an iterative process. First get started, then keep the ball rolling. I started by setting up an internet connected linux server in my basement, which immediately got hacked. Then I read up to understand how it happened; I started reading USENET groups like comp.os.linux.security and I rapidly gained a pretty good idea of what was going on.

    The benefit of playing around with linux is that you immediately have access to all the major tools and technologies that power the internet - and can tinker around with them. Get slackware [slackware.com], and play around with iptables (firewall), ssh, apache configuration, mail, and all the other fun stuff like unix permissions!

  • Learn things like C and TCP/IP inside and out. Play with stuff for a long while. After you feel comfortable in your areas of interest, examine the source code of exploits and security tools. Read every quality whitepaper you can find. Keep abreast of the latest security "news", which currently seems to be the now-mediocre SecurityFocus and Bugtraq.

    Until then, you aren't a good security player.
  • Most important.... (Score:3, Interesting)

    by Anonymous Coward on Sunday May 25, 2003 @08:13PM (#6037616)
    The most important thing you can do, IMHO, is to join bugtraq or similar lists so you have a rough idea what is happening.

    Other ideas
    • set up a network of very cheap boxes with old software you know to be vulnerable, and try using exploits against them.
    • Try hardening and patching those boxes so the exploits don't work anymore. (You'll frequently be patching/protecting obsolete boxes in the real world, so this is actually realistic.)
    • Try adding tripwire [llnl.gov] and snort [snort.org] to stop/detect attacks. Configure snort with database logging, with syslog/swatch [insecure.org], etc. Clients will want it done in a variety of ways, so it is good to be able to do it in different ways.
    • Familiarize yourself with as many of the tools in Fyodor's list [insecure.org] as possible. Using them will be the bread an butter of your work. That includes scanners like nessus [nessus.org].
    • Read an ultra paranoid book that will give you an overall view of the field (e.g. John M. Caroll's "Computer Security, Third Edition").
    • Practice security. As you install [purdue.edu] and register [securityfocus.com] software, watch what is happening to the box.
    • Pick an area of security that you want to specialize in...there are too many bugs and holes each week to know all of them...just the PHP code injection stuff will keep you swamped.
    • Don't be afraid to ask more advanced people security questions, but do your homework first, and make sure that they know you have. They will take your more seriously if you say "I've already read the FAQ and the man page, but I'm not clear on...." than if you say, "Dude, how do I do...". This can make your learning experience far less painful [slashdot.org]
  • by jrl ( 4989 )
    The best way I know to measure something is to test it, and the best methodology I know of to test network security is the Open Source Security Testing Methodology Manual (OSSTMM).

    You can download the latest version from http://www.osstmm.org. The latest is 2.0, although the 2.5 version has been slated to come out VERY soon, so check back in the next week or so for the update.

    The OSSTMM is the most widely used peer-reviewed "Open Source" security testing methodology in existance. It is contributed to by
  • Things you should do (Score:5, Informative)

    by evenprime ( 324363 ) on Sunday May 25, 2003 @08:15PM (#6037625) Homepage Journal
    The most important thing you can do, IMHO, is to join bugtraq or similar lists so you have a rough idea what is happening.

    Other ideas
    • set up a network of very cheap boxes with old software you know to be vulnerable, and try using exploits against them.
    • Try hardening and patching those boxes so the exploits don't work anymore. (You'll frequently be patching/protecting obsolete boxes in the real world, so this is actually realistic.)
    • Try adding tripwire [llnl.gov] and snort [snort.org] to stop/detect attacks. Configure snort with database logging, with syslog/swatch [insecure.org], etc. Clients will want it done in a variety of ways, so it is good to be able to do it in different ways.
    • Familiarize yourself with as many of the tools in Fyodor's list [insecure.org] as possible. Using them will be the bread an butter of your work. That includes scanners like nessus [nessus.org].
    • Read an ultra paranoid book that will give you an overall view of the field (e.g. John M. Caroll's "Computer Security, Third Edition").
    • Practice security. As you install [purdue.edu] and register [securityfocus.com] software, watch what is happening to the box.
    • Pick an area of security that you want to specialize in...there are too many bugs and holes each week to know all of them...just the PHP code injection stuff will keep you swamped.
    • Don't be afraid to ask more advanced people security questions, but do your homework first, and make sure that they know you have. They will take your more seriously if you say "I've already read the FAQ and the man page, but I'm not clear on...." than if you say, "Dude, how do I do...". This can make your learning experience far less painful [slashdot.org]
  • by Psarchasm ( 6377 ) on Sunday May 25, 2003 @08:36PM (#6037723) Homepage Journal
    Real world experience is where its at. Know your packets first and your policies second - but keep in mind that both are equally important.

    I've met plenty of tools that have "jumped into security". They try to talk a good game of the which type of firewall is better than what, and why PKI solves or doesn't solve everything. In reality they don't know squat and have even less of a clue on how to apply their solutions to the real world.

    The best general network security people I've met are those who understand the systems they are protecting and have the power to tell management and developers 'no'. But apply it only when they absolutly have to. Business has to get done - but when the cost of doing that business unnecessarily puts your assets at risk, it is imperative to have the power to tell people no.

    Books, classes, certs all have some value - but for me... if I'm not sitting there dealing with it, configuring it, and applying it to a homemade or real world situation... I'll never get as much out of it.
  • Personal thoughts (Score:4, Informative)

    by harikiri ( 211017 ) on Sunday May 25, 2003 @08:42PM (#6037758)
    Fook, don't hit preview then the back button on your browser. :-(

    Ok, time to summarise my longer post.

    Background: I've worked in security professionally since late '99. I started with Unix and *cough* hacking back in '96.

    1. Subscribe to security mailing lists: Best place to start with this is from www.securityfocus.com. These guys have lots of good lists to get onto - including Bugtraq.

    2. Work (at home) with the systems you're likely to work with: This means building a home network, running up some unix servers, windows servers, a managed switch (try to find an old one).

    3. Get some good books: For introduction to firewalls - "Building Internet Firewalls", for security design - "Security Engineering: A Guide to Building Dependable Distributed Systems", for crypto - "Applied Cryptography". There's heaps more, but those are some good starters. A good all-rounder is "Secrets and Lies" from Bruce Schneier.

    4. Learn to hack: My motto for security work is - "You've got to know where the holes are in order to fix them". This means learning what those holes are, and what are common types of security vulnerabilities and threats are out there. The best way to do this (IMHO) is to start hacking your home systems. Grab Nessus (http://www.nessus.org) to begin with, and work from there.

    5. Learn to program: You'll eventually get to a point where you want to develop your own tests, checks and scripts that available programs don't provide. If you are feeling game, try to write your own sniffer with libpcap (http://www.tcpdump.org) or your own scanner with libnet (http://www.packetfactory.net/projects/libnet/)

    6. Teach yourself: I don't have much faith in security courses out there, primarily because I have had to work with people in "security" whose only experience/qualifications are a certain firewall certification (glances sidewards at Checkpoint). But if you need it to break into the market, go for it - just don't rely on it entirely. I don't have any real certifications, but I have practical experience with the top firewalls out there (most common security job is firewall admin), heaps of Unix's (solaris, digital, aix - and the various *BSD's and Linux), and can also do some programming. If you're going to work for a good company, they'll be more impressed with your skills than your certifications - though they help differentiate you.

    Hope this helps.
  • Read Kevin Mitnick's book The Art of Deception. [amazon.com] Kevin points out that the human side of security is often completely overlooked, and can be the source of your most serious security problems.

    His book also gives plenty of realistic examples of how "hackers" of various types exploit the people in an organization, to gain access to priveleged information... and he explains the policies and practices that need to be in place to prevent this from happening.

    You can have every sophisticated packet filtering fire
  • by mrnick ( 108356 ) on Sunday May 25, 2003 @09:08PM (#6037897) Homepage
    The market is flooded with qualified people who can't find a job. Why would someone choose to enter a career that is so dismal?

    Nick Powers
  • I highly reccomend Practical Unix & Internet Security [oreilly.com] by O'Reilly Associates. It a good primmer on the broad concepts that encompass security architecture.
  • by plcurechax ( 247883 ) on Sunday May 25, 2003 @10:02PM (#6038160) Homepage
    IMHO any information security professional needs to develop a professional paranoia, being thoughtful of potential risks and failures, and understand what might go wrong.

    Reading Bruce Schneier's Secrets and Lies [counterpane.com] is a really good start in this area. It is a not very technical book, written at the level suitable for an IT manager. This is also useful to help explains risks, vulnerabilities, and failures to IT Management.

    The ever so ugly covered Hacking Exposed [hackingexposed.com], which explains the basics of what criminals (or attackers) do commonly to gain unauthorized access to (networked) computer systems. This is so you a) know how easy it is, and b) are familiar with an overview of the basic steps and techniques to gain illicit access.

    For online resources, RISKS digest [ncl.ac.uk] (not focused on malicious activities, but how systems fail - very insightful and low volume), and Bugtraq [securityfocus.com] a full disclosure mailing list will show you recent exploits, and vuln notices, but it is fairly lacking in actual educational content, and there are several other mailing lists at SecurityFocus that could also be useful to developing professional paranoia.

    Next you need the language and basics of information/computer security. For this textbooks like Computer Security [wiley.com] by Dieter Gollmann, Information Security Management Handbook by Tipton and Krause, Practical Unix & Internet Security [oreilly.com] by Simson Garfinkel, Gene Spafford, Alan Schwartz, and Security in Computing by Pfleeger and Pfleeger.

    For procedures look at CISSP study material, BS 7799 / ISO 17799, and security auditing and incident handling materials. Some knowledge of risk management can also be useful.

    From these basics, of the right mindset, the common language of infosec, and procedures and policy you can get into the low-level details of firewalls, VPNs, IDS, and network design. For this you should have a good network/internetworking basics, a very detailed understanding of TCP/IP, and understand firewalls, VPNs, and IPsec.

    Firewalls and Internet Security: Repelling the Wily Hacker, 2nd ed. [wilyhacker.com] by William R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin is a great place to start, and Building Internet Firewalls by Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman is a great follow-up. An alternative book on firewalls and VPNs is Inside Network Perimeter Security: The Definitive Guide to Firewalls, VPNs, Routers, and Intrusion Detection Systems by Stephen Northcutt, Karen Frederick, Scott Winters, Lenny Zeltser, Ronald W. Ritchey (crowd from SANS [sans.org]).

    For networking basics, a Cisco certification like CCNA [cisco.com] could useful in providing knowledge about internetworking and Cisco router's IOS. For the gory details of TCP/IP either TCP/IP Illustrated: Volume 1: The Protocols [kohala.com] by Richard Stevens or Internetworking With TCP/IP Volume 1: Principles Protocols, and Architecture, 4th edition [purdue.edu] by Douglas Comer.

    For IDS - Network Intrusion Detection: An Analyst's Handbook by Stephen Northcutt and Intrusion Signatures and Analysis by Matt Fearnow, Stephen Northcutt, Karen Frederick, Mark Cooper are the best IMHO.

    I am not sure what to recommend for VPNs, other than you need to know about IPsec.

  • I found Counter Hack [phptr.com] a good book to read and Tangled Web [gocsi.com]

    Both emphasize that Internal Factors should be given as high (if not higher) priority than just blocking incoming ports (which is all a lot of the /. 'Use iptables dude' guys do...)

    If you want to get serious, you'll have to understand the social, ecenomic and technical factors behind computer security, especially if you want to play with the big guys.

    My $0.02
  • by tz ( 130773 ) on Sunday May 25, 2003 @10:26PM (#6038263)
    Let me start out with some orthodoxy someone else stated:

    Security is a process.

    Not something you can bolt-on, buy, or issue a memo on. Beyond that the learning resources mentioned by other posters are all good if not overkill. http://www.insecure.org/tools.html was covered in another article earlier this month.

    But let me add a bit of heresy:

    You don't have to be an uber-geek to do security, merely figuring out how to be properly secure against skript kiddiez will cover most cases, and the rest are more likely from internal threats - negligence or malice. And there is no anti-social engineering CLI or GUI tool.

    Currently, the most common practice it to fire, buy-off, or otherwise silence the "whistleblowers". This is the police state model. So flaws continue since reporting them gets you in trouble with everyone including your boss. The monoculture "corporate load" takes care of everything. (monoculture in the agricultural sense, and in the most narrow one where every stalk of corn is a clone of all the others so one blight can destroy the whole like happened in Ireland in the late 1840s).

    There are enough tools to detect and contain break-ins and outbreaks, but a CDC epidemiologist is probably a better model than a KGB officer. Use surveillance and containment, but unless someone insists on being "Typhoid Mary", ignore the user's idiosyncrasies and just make sure things get done.

    You don't need to do cryptanalysis for the process to work, buy you need to have some people skills and have a corporation that understands what and how much they are asking for. You also have to take care of details like security patches and deleting old accounts and doing normal auditing.

    The most common problems are that they want to be both secure and transparent. This is a tradeoff. And barring that they want to use Brand X software to "solve all their problems". Brand X may be good or bad, but processes create layers and usually Brand X only handles one layer, or can't handle some cases gracefully (abandon security or transparency in that case).

    One other difficulty is that the average corporation doesn't really know about network security. They assume because there have been no detected attacks or other problems that there is no problem. Or the "process" is split and is part of an ongoing turf war between the guards insuring you have a visitor's badge and the IT department that has to do this as part of the gazillion other things they do. This usually creates policies but not the process.
  • getting started (Score:3, Informative)

    by rakerman ( 409507 ) on Sunday May 25, 2003 @10:33PM (#6038285) Homepage Journal

    If you want to get started, start by securing your home Internet connection. This will benefit you and the Internet community in general. I have a page with some information on home broadband security [chebucto.ns.ca].

    When you move to security in a business environment, in my opinion you need to frame security as a tool for risk management. CERT provides good information on handling security professionally, including their book The CERT Guide to System and Network Security Practices and a large collection of Articles, reports and papers [cert.org].

    Information Security Magazine [infosecuritymag.com] will give you a sense of where the infosec business is going. On the academic side there's the new IEEE Security and Privacy Magazine [computer.org] and the IEEE Computer Society Technical Committee on Security and Privacy [ieee-security.org]. Also on the academic side there are the more established journals from compsec online [compseconline.com].

  • For those who are willing and able to learn about network security, I encourage them to learn as much as possible and talk to as many people as possible about security. Many of your are correct, a firewall alone does not make a secure system.

    However, for the average person, who thinks of their computer the same as a video recorder or microwave oven (that you shold plug it in and it should just work), these people need a secure home operating system, designed by experts to be as secure as possible without p
  • Security is a myth (Score:3, Insightful)

    by JonathanX ( 469653 ) on Sunday May 25, 2003 @10:46PM (#6038343)
    Does anyone have any suggestions on where to start getting a handle on the concept of network/computer security and what are the most important and useful applications (CLI primarily) that a person should examine and learn?

    First you must understand that security doesn't really exist. It's all about mitigating risks and setting priorities. You just can't close every hole. The basic steps are simple:

    1) Define what needs to be protected
    2) Identify the potential threats
    3) Prioritize (focus on most likely threats)
    4) Put obstacles in place to slow down the attack
    5) Monitor and react
    6) ???
    7) Profit

    If the obstacles you put in place in step 4 slow the attacker down enough for you to react in step 5, step 6 becomes irrelevant. Step 4 and 5 is where the technical part comes into play and you can have all the flashy tools you want...but if you aren't any good at 1 and 2, you will fail. To answer the second part of your question, there are many tools out there. It's a "horses for courses" situation. What works in one situation might not even be considered in another. A good working knowledge of the relevant platform is more important than third party tools. Often, the right tool for the job is already there.
  • Bastille Linux (Score:2, Informative)

    by Kojo ( 1903 )
    I forgot about this; at the "Locking down a Linux Box" level, there's Bastille Linux [bastille-linux.org].

    Not only will it secure your box, one of their major goals is to "teach" you how as it does it. Here's a quote from their site:

    Bastille Linux has been designed to educate the installing administrator about the security issues involved in each of the script's tasks, thereby securing both the box and the administrator. Each step is optional and contains a description of the security issues involved.

    Seems like a good

  • A few resources... (Score:3, Informative)

    by elizalovesmike ( 626844 ) on Monday May 26, 2003 @12:29AM (#6038715)
    There is actually a 3-part Cryptography course (the 1st part of which is merely entitled, "Network Security") that I intend to take the 2nd two parts of pretty soon here.

    Since timing will not allow me to take the entire sequence, I'm covering the material of the first course on my own.

    To that end, a few resources:

    [the following presumes a background in network engineering, the protocols, etc.; it also presumes some number theory but most of that is covered as needed]

    1. For starters: Charles & Shari Pfleeger's Security in Computing, 2nd Edition -- this is a nice, intro text for high level (a) security, (b) encryption, (c) OS security, (d) DB security

    2. Then move onto more specific texts, i.e. Silberschatz's Operating Systems Concepts, 6th Edition -- this provides a much more detailed look into OS security -- mechanisms/policies/implementations etc.

    3. Then there are a couple wortwhile Cryptography only texts: (a) Schneier's Applied Cryptography, (b) Menezes' Handbook of Applied Cryptography

    4. Then there is a good course website for the course I referred to, the 1st in the series of three [stanford.edu] that also has downloadable handouts as well as some coding projects that you could do independently, providing an enviro

    5. Finally, I'd suggest a subscription to the Counterpane Crytpogram newsletter -- found at this link [counterpane.com]. Also, checking out this site [cert.org] periodically or perusing it somewhat in-depth will give you far more visibility into day-to-day threats.
  • For starters... (Score:5, Informative)

    by Znonymous Coward ( 615009 ) on Monday May 26, 2003 @01:09AM (#6038859) Journal
    1. Don't install Telnet, TFTP, RSH, RLOGIN or anyother clear text services.
    2. Disable remote root login.
    3. Use IP Tables and TCP Wrappers.
    4. On "gateways", bind services to local interfaces only.
    5. Use a strong password.
    6. Don't install unused services (Example: Do you really need a BIND or SMTP server on your laptop?).
    7. One word... up2date (www.redhat.com).
    8. One word... www.chkrootkit.org.
    9. Monitor your log files (seriously all of them /var/log).
    10. Anything windows based is a security nightmare (and no that's not a troll).

    And don't forget about all the great _free_ tools out there: nmap, ethereal, tripwire, logwatch.

    Google search for any of the above pointers that are not slef explanitory.

  • General Info (Score:5, Interesting)

    by stikk ( 134509 ) on Monday May 26, 2003 @02:25AM (#6039108) Homepage
    -Start with a good understanding of the technology with sys-admin's experience.
    -Read TCP/IP Illustrated Volume I
    -Read Applied Cryptography
    -Read Hacking Exposed 4 (shameless plug) or other similar books directly related to hacking activities and have a good networking security section
    -Install an old OS version and hack it, understand the flaw and how to fix it.
    -Understand and be comfortable with coding.
    -Understand the purpose and how to use these well know tools http://www.insecure.org/tools.html
    -Pass the CCNP and CISSP tests, I would expect this of any good consultant.
    -Ask questions, but read http://www.linuxsilo.net/docs/smart-questions-en.h tml first.
    -www.cymru.com
    -phenoelit.de
    -qorbit.net

    -Mailinglists
    -bugtraq
    -nanog
    -isp-security
    -checkpoint
    -CERT
    -first.org
    -honeypot

    General Topics to understand first hand, and experience.
    -Firewall
    http://www.qorbit.net/documents/maximizing-firewal l-availability.htm
    -IDS
    -Dynamic Routing
    Internet Routing Architectures - Bassam Halabi
    -IPSEC
    -SSL
    Create your own CA, understand the downfalls of our current system
    -Token based authentication
    RSA and Authenex have free demo packages
    -DNS
    -packetstormsecurity tools
    Try and CONTRIBUTE to non-corporate activities; specifically the opensource community
    -VPN
    -GLB, HIPPA, FIPS security policy
    -Wireless (not just 802.11a/b/g) Security Methodology
    -General Cryptography Overview
    Know the pro's con's of using AES instead of 3DES for exmple.

    Most of all, try and understand things from scratch, read old exploits and advisories and understand the exact source of problems. I've attended and taught several security courses; none of the 7 day security braindumps will make you an expert consultant, you need to think outside the box, and be paranoid on your own. Be one of the few individuals which check the MD5 sums of apps, uses PGP for all sensitive emails, dosen't send enable passwords via AIM or nextel two way, and pushes their snmpv1(v3!) traffic over IPSEC tunnels just because it runs through a piece of fiber in 1 whilsire (shudder!!). An important subject which very few articles cover is your personal habits, be organized, document, and share security responsibility and paranoia with other admins in your organization; this is by far the largest hurdle and largest downfalls of many.

    (please excuse any mispellings, gramar, limited details, and bad formatting)
  • fdfS (Score:3, Informative)

    by B747SP ( 179471 ) <slashdot@selfabusedelephant.com> on Monday May 26, 2003 @04:16AM (#6039383)
    I used to run two and three day 'intro to security' classes for folks who were already competent system admins, but needed a solid grounding in TCP/IP and network security. The classes tended to spend a day or so on TCP theory - network layers, packets, ports, payloads - routing (everyone knew what an IP address and a subnet mask looked like, but they rarely knew what they did) - and then combined those with a bit of basic filtering, and covered proxies and blah-di-blah.

    The object wasn't to turn them into security wizzes in a day, but to give them a grounding in some of the more fundamental bits of the game so that they could go away and do sensible things with their new firewall, etc, etc.

    I gave a suggested reading list for the keen ones. The list was as follows:

    1) Mccarthy, Linda
    "Network Security, Stories from the Trenches"
    ISBN: 0138947597

    For 'fear of god', and a general real-life example of the kind of wierd shit you're dealing with. (Mccarthy is also an excellent book to pass on to your boss when you're done with it. A *Very* usefull tool if you've been having trouble getting security budget - it will scare the bejesus out of him/her. This is not a particularly technical book, but it's very good for laying the groundwork, and getting your head around the security business. Teaches you to think outside the square too.

    2) Stoll, Clifford
    "Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage"
    ISBN: 0743411463

    A real world, entertaining, walk-through the process of tracking a bad guy around the world. A nice easy to read book - technologically outdated now, but still interesting from the point of view of forensics and legals. This is not a technical book at all, but your boss still won't understand this one. NOTE: Don't make the mistake of being impressed by this book and running out to buy Cliff's other books. The first is a masterpiece, the rest are the ramblings of a tired and cynical man - not worth, frankly, the paper they're printed on. The Cuckoo's Egg is a nice book - buy it when your brain is just completely full of technical stuff, and you need a nice light (but still on-topic) story to give your brain a break.

    3) Cheswick, William/Bellovin, Steven
    "Firewalls and Internet Security: Repelling the Wily Hacker, Second Edition"
    ISBN: 020163466X

    A bible for network and unix security. A detailed run-down on packets, ports, bells, whistles and how it all works. This book spends a lot of time analising specific network services, and their weaknesses. One chapter on a real-life tracking a bad guy, and some discussion of honeypots and lures. If you only buy one book, buy this one.

    4) Garfinkel, Simson et-al
    "Practical Unix & Internet Security, 3rd Edition"
    (The Safe Book)
    ISBN: 0596003234

    A practical, real-world, HOWTO on implementation of sensible security practices for unix administrators in particular. This is one you keep on your desk at work (well, chained to your desk with all your other O'Rielly books!) for day to day use.

    5) Hunt, Craig
    "TCP/IP Network Administration (3rd Edition)"
    (The Crab Book)
    ISBN: 0596002971

    A definitive bible on TCP/IP and how it works. All the guts from a techo (but not a programmer) point of view. This one doesn't spend much time on security per-se, but it is the book for TCP/IP.

    The Sixth book in the pentology, for extra keen readers is The Cricket Book...

    6) Liu, Cricket/Albitz, Paul
    "DNS and BIND, Fourth Edition"
    ISBN: 0596001584

    Because, if you're working with the Internet, you're gonna be working with DNS, and if your DNS is broken (or you don't have the skills to tell that your DNS is broken) then you're screwed! You haven't arrived until you have a GOOD understanding of DNS, what it is, and how it works. After reading this one, go back and re-read Cheswick & Bellovin's discussion on securing DNS, and giving different answers to different people depending on who they are.

  • I used to run two and three day 'intro to security' classes for folks who were already competent system admins, but needed a solid grounding in TCP/IP and network security. The classes tended to spend a day or so on TCP theory - network layers, packets, ports, payloads - routing (everyone knew what an IP address and a subnet mask looked like, but they rarely knew what they did) - and then combined those with a bit of basic filtering, and covered proxies and blah-di-blah.

    The object wasn't to turn them into security wizzes in a day, but to give them a grounding in some of the more fundamental bits of the game so that they could go away and do sensible things with their new firewall, etc, etc.

    I gave a suggested reading list for the keen ones. The list was as follows:

    1) Mccarthy, Linda
    "Network Security, Stories from the Trenches"
    ISBN: 0138947597

    For 'fear of god', and a general real-life example of the kind of wierd shit you're dealing with. (Mccarthy is also an excellent book to pass on to your boss when you're done with it. A *Very* usefull tool if you've been having trouble getting security budget - it will scare the bejesus out of him/her. This is not a particularly technical book, but it's very good for laying the groundwork, and getting your head around the security business. Teaches you to think outside the square too.

    Perhaps the most important thing about the Mccarthy book is that it almost completely ignores technical subjects, and concentrates on the human and social engineering sides of security. Blocking ports and changing passwords every month is all well and good, but if someone can sweet talk your receptionist into handing over her password, then...

    2) Stoll, Clifford
    "Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage"
    ISBN: 0743411463

    A real world, entertaining, walk-through the process of tracking a bad guy around the world. A nice easy to read book - technologically outdated now, but still interesting from the point of view of forensics and legals. This is not a technical book at all, but your boss still won't understand this one. NOTE: Don't make the mistake of being impressed by this book and running out to buy Cliff's other books. The first is a masterpiece, the rest are the ramblings of a tired and cynical man - not worth, frankly, the paper they're printed on. The Cuckoo's Egg is a nice book - buy it when your brain is just completely full of technical stuff, and you need a nice light (but still on-topic) story to give your brain a break.

    3) Cheswick, William/Bellovin, Steven
    "Firewalls and Internet Security: Repelling the Wily Hacker, Second Edition"
    ISBN: 020163466X

    A bible for network and unix security. A detailed run-down on packets, ports, bells, whistles and how it all works. This book spends a lot of time analising specific network services, and their weaknesses. One chapter on a real-life tracking a bad guy, and some discussion of honeypots and lures. If you only buy one book, buy this one.

    4) Garfinkel, Simson et-al
    "Practical Unix & Internet Security, 3rd Edition"
    (The Safe Book)
    ISBN: 0596003234

    A practical, real-world, HOWTO on implementation of sensible security practices for unix administrators in particular. This is one you keep on your desk at work (well, chained to your desk with all your other O'Rielly books!) for day to day use.

    5) Hunt, Craig
    "TCP/IP Network Administration (3rd Edition)"
    (The Crab Book)
    ISBN: 0596002971

    A definitive bible on TCP/IP and how it works. All the guts from a techo (but not a programmer) point of view. This one doesn't spend much time on security per-se, but it is the book for TCP/IP.

    The Sixth book in the pentology, for extra keen readers is The Cricket Book...

    6) Liu, Cricket/Albitz, Paul
    "DNS and BIND, Fourth Edition"
    ISBN: 0596001584

    Because, if

  • Tell a company you can make their main server totally secure from network attack. Make sure they sign an agreement to pay you. Tell them they can have double their money back if the machine is susceptible to any network attacks afterwards. Get them to sign on the dotted line.

    Walk into server room, remove network plug.
  • experience (Score:3, Insightful)

    by Tom ( 822 ) on Monday May 26, 2003 @07:34AM (#6039753) Homepage Journal
    I am a security officer with an ISP and telecom company, here's how I got there: Real-life work experience.

    Unless you are already a proficient hacker and have published a couple of advisories, don't try to get started in network security. Start as a sysadmin. Get some experience on how the system works.
    When you can run a system (and believe me, if you want to tell admins what to do or not to do, you must be on their level or they'll laugh you out the door), start to concentrate on the security aspects. Dig deeper into the host-based firewall, install an IDS or tripwire, that stuff.

    Move up, step by step. There are already way too many people with a solid half-true partial knowledge of the field in the security business. Lay a solid foundation. If you don't know how to operate a server or a network, you have no business securing it.
  • Taking a network security class, could help, but which classes are really worth the money and might there be enough information on the web to make such a choice, unnecessary?

    I believe there is enough information on the web, that is why I started the project Information Security Bible [ibiblio.org] for beginners coming into the field that want to read the necessary documentation to get the basic grasp on all the wide varitity subjects under information security, and for the pros to keep on the the latest info. All the do

  • by wrax ( 570032 )
    This cannot be overstated.

    If you are new to the company and the field, find someone who has been doing this job for a while and pick their brain whenever you can. Then go out to the net and find what information you can. I have found that a mentor can really give you a step up in the game. Talk to people online who have been hacked, find out what they did wrong, read security vulnerability reports, subscribe to CERT and BugTraq and any other security list you can find, then realize that you still don't
  • I first read Improving the Security of Your Site by Breaking Into it [fish.com] by Dan Farmer (author of Satan). It is an old article, but a classic and got my interest going.

Don't steal; thou'lt never thus compete successfully in business. Cheat. -- Ambrose Bierce

Working...