Monday, January 14, 2008

Unposted Review: Network Security Assessment 2nd Ed

I wrote a 4 star review of review of the first edition of Network Security Assessment by Chris McNab in May 2004. I read the second edition and tried to post a three star review at Amazon.com. Unfortunately, Amazon.com would not let me post a new review because I reviewed the first edition. Therefore, here is my review:

In May 2004 I reviewed the first edition of Network Security Assessment (NSA1). Almost four years later, the second edition (NSA2) is basically the same book. This makes sense, given the majority of the action in digital security over the last 5-6 years has occurred at the application layer, not the network layer. (For reference, OWASP -- the Open Web Application Security Project -- was created in 2002.) The end result is the material in NSA2 is a foundation for higher level assessments. While NSA2 contains chapters on Assessing Web Servers and Assessing Web Applications, it doesn't devote enough depth to change the focus of the book.

In some ways NSA2 is a step backward from NSA1. First, I liked the end-to-end case study in NSA1. The case study applied the author's methodology in a simulated customer assessment. I prefer reading that sort of material to a list of tools. Unfortunately, the case study is gone in NSA2. Second, NSA2 wastes too many tables enumerating CVE entries of vulnerabilities in various applications. A directive to the reader to check CVE or a similar Web site directly would have been better. Third, the appendices really add nothing but filler. Similar to the CVE listings, it's not necessary to waste paper printing the vulnerabilities exploited by CANVAS, CORE IMPACT, and Metasploit.

Because NSA2 markets itself as a "network security assessment" book, I think the author should have focused on layers 1-4 and left 5-7 for other books. I accept that the author chose not to discuss wireless issues, since that medium has entire books devoted to it. However, I was disappointed that NSA2 decided to once again start at layer 3. If you're going to write a network book, why not address layer 2 attacks? Are all assessments done remotely, with only layer 3 available?

NSA2 does update material from NSA1, and adds some new items. I think NSA2 would be a good book for a PCI auditor who sticks to his/her script and ensures the basics are covered. Those looking for a thorough assessment are going to spend time in areas (like Web apps) not well-covered in NSA2.

I recommend reading my May 2004 review of the first edition, because most of that review still applies to NSA2. At this point people wanting to read this sort of material should probably turn to the Hacking Exposed series. I like the approach taken in HE, because there is a core book that is augmented by domain-specific books (Windows, Web 2.0, Linux, etc.).

2 comments:

sean_e_connelly said...

Thanks for the review. I've been chugging through NSA2, but never purchased NSA1 to compare.

I'd assume this book would be a full revision, but I noticed a lot of the URLs cited have 2000-2003 dates - thus I don't think everything has been updated. Google Books has some of NSA1 available for free viewing, and from what I can see, there's not much difference.

I agree with your disappointment at nothing on layer 2. If the book is touted as a 'network' book, shouldn't it document the 'network'?

Sean

Jackline said...
This comment has been removed by a blog administrator.