- Hardcover: 526 pages
- Publisher: John Wiley & Sons (1 Jan. 1972)
- Language: English
- ISBN-10: 3805512848
- ISBN-13: 978-3805512848
- Amazon Bestsellers Rank: 9,213,834 in Books (See Top 100 in Books)
Frontiers of Radiation Therapy and Oncology: Radiation Effects and Tolerance, Normal Tissue: 6th Annual San Francisco Cancer Symposium, San Francisco, ... Effects and Tolerance, Normal Tissue v. 6
Enter your mobile number or email address below and we'll send you a link to download the free Kindle App. Then you can start reading Kindle books on your smartphone, tablet, or computer - no Kindle device required.
To get the free app, enter your mobile phone number.
About the Author
Yanek Korff graduated with a Bachelor's degree in Computer Science from the College of William and Mary and is currently a Certified Information Systems Security Professional (CISSP). Mr. Korff joined Bell Atlantic as a Systems Engineer where he played a major role in the strategy, design, and deployment of a key Northern Virginia test facility. He later joined Cigital, Inc., a software quality management company, where he played a central role in the design of their systems infrastructure. He is now an essential member of the Information Security division at America Online. During his career, Mr. Korff has been able to identify and mitigate information security risks particularly relating to host-based BSD security. By leveraging his experience, he has been able to apply security fundamentals to influence business and industry practices.
Paco Hope is a Technical Manager with Cigital. His areas of expertise software security, security testing, and casino gaming. He specializes in analyzing the security of software, software systems, and software development processes. Paco frequently speaks at conferences such as the Better Software Conference, STAR East, and STAR West. He conducts training on risk-based security testing, writing security requirements, and software security fundamentals. He can be reached at email@example.com.
Bruce Potter is a Senior Associate at Booz Allen Hamilton. Prior to working at Booz Allen Hamilton, Bruce served as a software security consultant for Cigital in Dulles, VA. Bruce is the founder of the Shmoo Group of security professionals. His areas of expertise include wireless security, large-scale network architectures, smartcards, and promotion of secure software engineering practices. Bruce coauthored the books 802.11 Security and Mac OS X Security. He was trained in computer science at the University of Alaska, Fairbanks.
Excerpt. © Reprinted by permission. All rights reserved.
CHAPTER 1 The Big Picture
First we crack the shell, then we crack the nuts inside.
The Transformers: The Movie
Security is hard. We have all heard this phrase as a rationale for insecure systems and poor administrative practices. Whats worse, administrators seem to have different ideas about what "security" entails. There are two common approaches to securing systems: some view security as a destination while others see it as a journey.
Those who see security as a destination tend to characterize system security in terms of black and white; either a system is secure or it is not. This implies that you can attain security. You can arrive at the end of a journey and youll somehow be secure; you win. One problem with this viewpoint is determining where "there" is. How do you know when youve arrived? Furthermore, how do you stay there? As your system changes, are you still at your secure goal? Did you move away from it, or were you not there to begin with? As you can probably tell, this is not our philosophy.
Instead of being a destination, we think security is best described as a journeya product of ongoing risk management. Rather than trying to make your system impregnable, you continually evaluate your exposure to risks and keep the system as secure as you need it to be. An appropriate level of security is achieved when the risks facing a system balance against the level of effort spent mitigating those risks. No one buys a $5,000 vault to safeguard a pair of fuzzy slippers. You judge the value of what youre protecting against the kinds of threats it faces and the likelihood those threats will succeed, and then you apply appropriate safeguards. This is a much more practical way to view modern day information security.
When following a risk mitigation process, you will periodically pass up the opportunity to enable certain security mechanisms, even though youre capable of doing so. The additional effort may not be warranted given the level of risk your organization faces. You will eventually reach a point of diminishing returns where you simply accept some risks because they are too costly to mitigate relative to the likelihood of the threat or the actual damage that would occur. Sure, it may be fun to use encrypted filesystems, store all OS data on a CD-ROM, and deploy every other countermeasure you can think of, but do you really need to?
We define security in the context of risk. Risk is present as long as the system exists, and risks are constantly changing, so security cannot be a destination; it must be an ongoing process. "Doing security," then, is an iterative process of identifying and responding to risks. This is the philosophy that we encourage you to take in securing your infrastructure.
As youll see in the rest of this book, FreeBSD and OpenBSD are robust operating systems that offer myriad ways to maintain secure systems. Throughout the book we provide security-minded walkthroughs of software installation, configuration, and maintenance. Along the way youll notice that we seem to point out more security-related configuration options than you care to implement. Just because we explore options doesnt mean that you should implement them. Come at it from the perspective of managing risk and youll maximize the cost-benefit of "doing security."
Before we get ahead of ourselves, however, we need to cover a few concepts and principles. In this chapter, we define system security, specifically for OpenBSD and FreeBSD systems, but also more generally. We look at a variety of attacks so that you, as an administrator, will have some perspective on what youre trying to defend against. Well look at risk response and describe how exactly you can go about securing your FreeBSD and OpenBSD systems.
What Is System Security?
Security professionals break the term security into three parts: confidentiality, integrity, and availability. This "CIA Triad" is a set of security requirements; if youre not taking into account all three of these concerns, youre not working towards providing security. We offer a lot of recommendations in this book that should help you work towards building secure systems, but we dont tell you how these recommendations fit in with the CIA Triad. Thats not what this book is about, and it would detract from the real message. Nevertheless, as youre looking at building encrypted tunnels for transferring files, jailing applications, and so on, think about what part of the Triad youre focusing on. Make sure youve addressed all three parts before your project is done.
Whether were talking about physical security, information security, network security, or system security, the CIA Triad applies. The question is, exactly how does it apply to system security?
Confidentiality is all about determining the appropriate level of access to information. Confidentiality is often implemented at the most basic level on FreeBSD and OpenBSD systems by traditional Unix permissions. There are a variety of files scattered across the filesystem that are readable only by the root user. Most notable, perhaps, is /etc/master.passwd, which contains hashes for users passwords. The vast majority of files are readable by everyone, however. Even system configuration files like /etc/resolv.conf, /etc/hosts, and so on are world readable. Is this wrong? Not necessarily. Again, confidentiality isnt about having to protect data from prying eyes; its about classifying data and making sure that information deemed sensitive in some way is protected appropriately. --This text refers to the Paperback edition.
Most Helpful Customer Reviews on Amazon.com (beta)
Mastering FreeBSD and OpenBSD Security
By Yanek Korff, Paco Hope, Bruce Potter
First Edition March 2005
464 pages, $49.95 US
This book has been long awaited as the *BSD community has been lacking the number of security geared books compared to the Linux and Windows communities. I found that this book is almost the equal of "Linux Server Security", but for OpenBSD and FreeBSD. With OpenBSD being said to be one of the most secure operating systems, you would think there would be more books about the security other than the normal online documentation.
I'm glad O'Reilly finally put out this book as it covers a broad area of security within OpenBSD and FreeBSD.
This covers *BSD basics, initial install and hardening of the specific OS, security practices, running secure servers (DNS, Mail, Web), firewall, intrusion detection, system audits, incident response, and forensics. This is a broad coverage of security, but I wish on some of the specifics they would have went into detail discussing.
Some points I wish were added in detail was coverage on OpenNTPD's security and/or atleast mentioning that it is contained within OpenBSD. Another would be more coverage of Qmail on FreeBSD/OpenBSD as there really wasn't much more than a mention of Qmail and basic information. Compared to the details given to Sendmail and Postfix, Qmail info was really slacking. The last point I would like to mention that I found lacking was possibly a more in-depth guide to CARP and what it's capable of doing. The main thing dealing with CARP that I would have liked to see would be about load balancing firewalls using CARP and PFSYNC.
Other than these few minor lacking areas, I found this book to be great addition to other security books based around general Linux and BSD servers. I almost wish this book would have waited a little while longer before releasing or hope they plan an update soon as OpenBSD 3.7 is scheduled for release on May 19th and this book mainly just covers versions 3.5/3.6 for OpenBSD. Along with the new version of OpenBSD releasing, FreeBSD 5.4 was released not long after this book was published.
Even lacking the parts that it does, I enjoyed reading the sections about DJBDNS comparison to BIND with details of the specifics. On top of this, there is enough information to get anyone with general *nix knowledge going with a OpenBSD/FreeBSD firewall or secure server. By no means is this book the answer to first time OpenBSD/FreeBSD system administrators to learn the basics from, but seems to be more geared for those atleast somewhat familiar with the *BSD feel of things and aware of what's going on inside their machine. In the beginning of the book it mentions this book was written "by system administrators for system administrators". For someone just getting started with OpenBSD I'd recommend this book, but also would recommend picking up Absolute OpenBSD ([...]) for more coverage of the basics. Otherwise, it will be difficult picking up on what they are saying in this book. Also, on the FreeBSD side of things I'd recommend Absolute BSD ([...]) or The Complete FreeBSD ([...] If your new to *BSD this book will help but a book to compliment it will help even more. Atleast once you learn the basics, you will get a detailed bit of information on securing your new *BSD box.
I believe the writers met their goal of creating a book to solely cover the security features of OpenBSD and FreeBSD aswell as the types of servers run on those platforms. I'm glad this book arrived and look forward to seeing if they release a 2nd edition that is updated and possibly covers the parts that seem to be missing or lacking in detail. Congrats to O'Reilly and the writers.
Pensacola Linux User's Group
Note: I am in a somewhat awkward position as I write this review, since I know one of the authors as a fellow local security professional. I've spoken at a conference he organizes and I even have all three authors' signatures on my copy of MFAOS! Still, I hope they will consider incorporating my ideas when O'Reilly asks for a second edition.
First, I think MFAOS:2E should address FreeBSD, OpenBSD, and NetBSD. It's appropriate to read a book only about ONE of the BSDs, or all three of the BSDs. It's odd to cover FreeBSD and OpenBSD but not NetBSD. I think DragonFly BSD's miniscule userbase puts it on the fringe, and Mac OS X is not BSD.
Second, the authors should rigorously concentrate on covering BSD-specific administration and security issues. I do not need to read about generic security issues in Ch 1, or standard DNS/Mail/Web attacks in Chs 5/6/7. I definitely did not need YASD (Yet Another Snort Doc) in Ch 9 -- especially when ACID is explained as the console of choice. (BASE replaced ACID in Sep 04). I do not need the advice on incident response and forensics found in Ch 11. MFAOS should be a more of a BSD book and less of a security book.
Removing all of this generic material in a second edition would provide room to focus on BSD-specific material not found elsewhere. For example, Dru Lavigne's briefer, older, all-BSD book BSD Hacks gives more information on FreeBSD's Mandatory Access Controls than MFAOS -- and MFAOS is a BSD security book. I would have liked more details on building FreeBSD jails, especially with respect to creating a local package builder.
While reading MFAOS, I frequently felt the authors did not provide enough details on the subjects I felt were different from multi-platform Unix books. For example, why write five pages on Nagios in Ch 4 if that information really isn't enough to do anything useful?
It seemed the authors assumed many of their brief discussions of useful behavior was sufficient for the reader. In reality, I probably wouldn't be reading the book if I could get by on the information provided; I'd be implementing on my own. For example, the authors devote 3 1/2 pages in Ch 4 to using CVS to track changes to configuration files. While not BSD-specific, this is the sort of good practice not frequently covered elsewhere. Yet, when I hoped for more advanced discussions I see the phrase "beyond the scope of this book" on p 136.
I was disappointed that Qmail was ignored in Ch 6, even though Djbdns was addressed in Ch 5. Furthermore, when the authors repeatedly admit that Dan Berstein's software isn't well documented, they should recognize that as an opportunity! Say less on Apache, BIND, etc., and cover the lesser-known but potentially more secure alternatives.
I rate this book highly (four stars) because it's full of good advice. For example, I liked recommendations on using flags, secure levels, and similar topics in Ch 2. I liked the two-tiered Web server architecture in Ch 7, as well as comparisons of IPFW and Pf in Ch 8. You won't find me disagreeing with the authors of this book -- except when they configure Snort to log directly to a database. (Ouch -- that has been bad advice since Barnyard was released in Dec 02.)
A second edition should also keep in mind the binary upgrade and patching tools available since FreeBSD 5.x -- updating via source isn't necessary for many admins these days. Also, if they insist on demonstrating how to set up well-documented servers (DNS/Web/Mail), try picking one app and one BSD. Then thoroughly document setting up the entire system, from install to deployment. Consider providing templates, especially for automated and repeatable installations. Tie them to standards like CISecurity if possible. That would be exceptional.
I wish the authors had directed their talents toward BSD-specific quirks and less on topics covered elsewhere. This is still a solid BSD book, but I would be very glad to see MFAOS:2E take this advice to heart.
Although both FreeBSD and OpenBSD maintain very good online documentation and manual pages, it's nice to have a book such as "Mastering FreeBSD and OpenBSD Security" as a reference.
The book is broken into three sections. The first section emphasizes the cost of security and how cost should be directly related to the value of the system(s) or data being secured. Spending $60,000 to secure data valued at less than $100 is not a good idea. It's an inefficient use of scarce resources (time and money). The book encourages implementing an appropriate level of security, no more and no less. Secure installation and install tweaks are also covered in this section.
The second section covers implementation of services in detail. DNS, mail, Web, etc. Firewalls are discussed in depth along with the particulars of PF and IPFW. Differences between FreeBSD jails and chrooted environments on OpenBSD systems are clearly explained. Traditional Unix servers such as Sendmail, BIND and Apache are covered in depth, however, alternative (and arguably more secure) servers are covered as well... using software such as djbdns, postfix, qmail and thttpd in place of the more traditional solutions are described.
The third section goes over auditing, logging and incident response. From setting-up a secure log server to responding to break-ins. How to triage and decide how many resources should be spent on responses. Again, the book emphasizes an appropriate, cost-effective response. Resources are limited and both time and money should be used wisely.
In conclusion, Mastering FreeBSD and OpenBSD Security is a worthwhile book. It covers BSD security topics (in detail) that are not often seen in books. It's a good read and a good reference written in a terse manner that gets the points across without being overly verbose... unlike many technical books on the market today.
It's an easy read that will help you far more than the crummy Unix documentation. A good introduction as well as a long term resource.
Look for similar items by category
- Books > Health, Family & Lifestyle > Medical & Healthcare Practitioners > Ancillary Services > Radiography
- Books > Health, Family & Lifestyle > Medical & Healthcare Practitioners > Internal Medicine > Diseases & Disorders > Oncology
- Books > Health, Family & Lifestyle > Medical & Healthcare Practitioners > Other Branches of Medicine > Medical Imaging
- Books > Reference > Almanacs & Yearbooks
- Books > Science & Nature > Medicine > Diseases & Disorders > Radiology
- Books > Science & Nature > Medicine > Medical Sciences A-Z > Radiology & Medical Imaging
- Books > Scientific, Technical & Medical > Medicine & Nursing > Basic Medical Science
- Books > Scientific, Technical & Medical > Medicine & Nursing > Medical Sciences A-Z > Radiology & Medical Imaging