Bibliography


General Security

American Bar Association. Digital Signature Guidelines: Legal Infrastructure for Certification Authorities and Electronic Commerce. Chicago, IL: American Bar Association, 1996. This is a wonderful book outlining the legal aspects and pragmatics of using digital signatures in e-commerce. The real beauty of the book is that it isn't technical; it's a legal commentary. You can purchase it from the ABA Web site, or it's available for free at www.abanet.org/scitech/ec/isc/dsgfree.html. Well worth reading.

Biddle, C. Bradford, et al. "Web Security—A Matter of Trust," World Wide Web Journal 2, no. 3 (summer 1997). This journal is a collection of papers covering the Secure Sockets Layer (SSL) protocol, trust management, security in the Domain Name System (DNS) and BIND, and more. It's dry in places, but most of the authors are well known and well respected.

Burstein, Harvey. Security: A Management Perspective. Englewood Cliffs, NJ: Prentice Hall, 1996. Burstein's book covers an oft-overlooked aspect of security: how to budget for and prepare personnel for security. No technologies are covered in this book, but pick it up if you deal with management and need to convince them that money should be spent on securing the company.

Electronic Frontier Foundation. Protecting Yourself Online. New York: HarperCollins, 1998. This small book deals with what happens when you go on line as a user. It covers online hoaxes, privacy issues, free expression, anonymity, and intellectual property. It's a no-nonsense treatise and should be read by anybody going on line.

Garfinkel, Simson, and Gene Spafford. Practical UNIX & Internet Security. 2d ed. Sebastopol, CA: O'Reilly & Associates, 1996. This is a huge book and a classic. Although it focuses almost exclusively on security flaws and administrative issues in UNIX, its concepts can be applied to just about any operating system. It has a huge UNIX security checklist and gives a great rendering of the various Department of Defense security models as defined in the Rainbow Series of books.

———. Web Security & Commerce. Sebastopol, CA: O'Reilly & Associates, 1997. The best part of this book is its explanation of the SSL protocol. It covers certificates in detail, as well as cookie security, downloadable code implications, and common administration mistakes, but its coverage of SSL is superlative.

Kaeo, Merike. Designing Network Security. Indianapolis, IN: Cisco Press, 1999. This book is destined to be a classic. It's not a big book, but it covers virtually every aspect of building secure networks, including identity technologies, router configuration, VPNs, risk management, policy, firewall architectures, and much more. It comes highly recommended.

National Research Council. Trust in Cyberspace. Edited by Fred B. Schneider. Washington, DC: National Academy Press, 1999. This book is the result of a government security think-tank given the task to analyze the U.S. telecommunications and security infrastructure and make recommendations about making it more resilient to attack. It's a hard-to-read book but well worth reading.

Online Law. Edited by Thomas J. Smedinghoff. Reading, MA: Addison-Wesley Developers Press, 1996. This book gives an insightful rundown of the legal aspects of digital certificates, the state of current law relating to their use, privacy, patents, online cash, liability, and more. This is a recommended read for anyone doing business on line or anyone considering using certificates as part of an electronic contract.

Summers, Rita C. Secure Computing: Threats and Safeguards. New York: McGraw-Hill, 1997. A heavy read but very thorough, especially the sections about designing and building secure systems and analyzing security. Other aspects of the book include database security, encryption, and management.

Tung, Brian. Kerberos: A Network Authentication System. Reading, MA: Addison-Wesley, 1999. A small book that covers Kerberos authentication well. It has a UNIX flavor but deals with some tools that are redundant in Microsoft Windows 2000, such as kinit. It covers the MIT APIs in detail and is therefore a good resource for developers.

Wood, Charles Cresson. Information Security Policies Made Easy: Version 5. Sausalito, CA: Baseline Software, 1996. Weighing in at over 500 pages, this is the best treatment of security policies the authors have seen. Every conceivable security policy is discussed in the book, including privacy, physical security, encryption, and personnel issues.

Public Key Infrastructure and Certificates

Adams, Carlisle, and Steve Lloyd. Understanding the Public-Key Infrastructure. Indianapolis, IN: Macmillan Technical Publishing, 1999. A new and complete book on X.509 certificates and the Public Key Infrastructure with X.509 (PKIX) standards. The authors consider this book the "IETF standards written in English." This is much more complete than Jalal Feghhi's book, but it is a more difficult read. That said, if your work with certificates will take you beyond the basics, consider purchasing this book.

Feghhi, Jalal, and Peter Williams. Digital Certificates: Applied Internet Security. Reading, MA: Addison-Wesley, 1999. The concepts behind digital certificates are somewhat shrouded in mystery, and this book does a great job of lifting the veil of secrecy. Quite simply, it's the best book there is on X.509 certificates and public key infrastructure (PKI).

Ford, Warwick, and Michael S. Baum. Secure Electronic Commerce: Building the Infrastructure for Digital Signatures and Encryption. Upper Saddle River, NJ: Prentice Hall PTR, 1997. Like Digital Certificates: Applied Internet Security by Jalal Feghhi and Peter Williams, this book explains X.509 certificates well. However, it goes further by delving into the effects PKI has on electronic commerce by covering some legal aspects also.

Secure Protocols

Ford, Warwick. Computer Communications Security: Principles, Standard Protocols, and Techniques. Englewood Cliffs, NJ: Prentice Hall PTR, 1994. Covers many aspects of communications security, including cryptography, authentication, authorization, integrity, and privacy, and has the best coverage of nonrepudiation outside of academic papers. It also discusses the Open Systems Interconnection (OSI) security architecture in detail.

Security Protocols. Edited by Bruce Christianson, et al. Berlin: Springer, 1998. This is a wonderful set of research papers on many aspects of secure communications. It's not for the weak-hearted—the material is complex and requires a good degree of cryptographic knowledge—but it's well worth reading.

Thomas, Stephen A. SSL and TLS Essentials: Securing the Web. New York: Wiley, 2000. A complete and readable explanation of the SSL and Transport Layer Security (TLS) protocols. Also covers the mysteries of ASN.1 syntax, as well as Microsoft Server Gated Crypto (SGC), the 128-bit exportable version of SSL. If you need to know the innards of SSL/TLS, consider this book. If all you need is a basic understanding of the principles of SSL/TLS, this book is overkill.

Security Theory

Amoroso, Edward G. Fundamentals of Computer Security Technology. Englewood Cliffs, NJ: Prentice Hall PTR, 1994. This is one of our favorite books. Amoroso has a knack for defining complex theory in a form that's useful and easy to understand. His coverage of threat trees is the best there is. He also explains some of the classic security models, such as the Bell-LaPadula disclosure, Biba integrity, and Clark-Wilson integrity models. The only drawback to this book is that it's somewhat dated.

Gollmann, Dieter. Computer Security. New York: Wiley, 1999. We consider this to be a more up-to-date and somewhat more pragmatic version of Amoroso's Fundamentals of Computer Security Technology. Gollmann covers security models left out by Amoroso, as well as Microsoft Windows NT, UNIX, and Web security in some detail.

Firewalls and Proxy Servers

Amoroso, Edward G., and Ronald Sharp. PC Week Intranet and Internet Firewall Strategies. Emeryville, CA: Ziff-Davis Press, 1996. This is a reasonable book if you're new to firewalls. The basics are explained in an easy-to-follow fashion. It also covers some of the commercial firewall offerings.

Chapman, D. Brent, and Elizabeth D. Zwicky. Building Internet Firewalls. Sebastopol, CA: O'Reilly & Associates, 1995. Probably the best and most comprehensive coverage of firewalls, presented in an easy-to-read format. The book also covers what to do in the case of an intrusion.

Cheswick, William R., and Steven M. Bellovin. Firewalls and Internet Security: Repelling the Wily Hacker. Reading, MA: Addison-Wesley, 1994. An old book but one of the best on firewalls.

Luotonen, Ari. Web Proxy Servers. Upper Saddle River, NJ: Prentice Hall PTR, 1998. Easy to read and complete, this is possibly the only book you'll need on proxy servers. Luotonen is a well-known proxy expert, having worked on the CERN and Netscape proxy products.

Hacking and Intrusion Detection

Amoroso, Edward G. Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Traps, Traceback, and Response. Sparta, NJ: Intrusion.Net Books, 1999. This book takes off where Terry Escamilla's Intrusion Detection stops. It's a somewhat more academic book that offers some superb case studies to give a real-life flavor to intrusion detection (ID). Highly recommended.

Escamilla, Terry. Intrusion Detection: Network Security Beyond the Firewall. New York: Wiley, 1998. Wiley has produced some good security books, and this one is reasonable, too. It's an introductory text on the topic; you should read this to get a feel for the ID marketplace and the tools and technologies required. Once you've read this, read Edward Amoroso's Intrusion Detection.

Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network. 2d ed. Indianapolis, IN: Sams, 1998. Similar to Hacking Exposed: Network Security Secrets and Solutions but not quite as polished. However, it does list more tools and more vulnerabilities. You should consider having both books on your bookshelf.

McClure, Stuart, Joel Scambray, and George Kurtz. Hacking Exposed: Network Security Secrets and Solutions. Berkeley, CA: Osborne/McGraw-Hill, 1999. This book will make you realize how vulnerable you are to attack when you go on line, regardless of operating system! It covers security vulnerabilities in NetWare, UNIX, Windows 95, Windows 98, and Windows NT. Each vulnerability covered includes references to the tools used to perform such an attack. The book's clear purpose is to motivate administrators.

Shimomura, Tsutomu, and John Markoff. Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw—By the Man Who Did It. New York: Hyperion, 1996. This is the story of the infamous hacker Kevin Mitnick and his attacks on various computer systems at The Well, Sun Microsystems, and others. It's a much slower read than Stoll's The Cuckoo's Egg but worth reading nonetheless.

Stoll, Clifford. The Cuckoo's Egg. London: Pan Macmillan, 1991. Not a reference or technical book, this book tells the story of how Cliff Stoll became a security expert by default while trying to chase down hackers attacking his systems from across the globe. A hearty recommendation for this easy and exciting read.

Cryptography

Electronic Frontier Foundation. Cracking DES: Secrets of Encryption Research, Wiretap Politics & Chip Design. Sebastopol, CA: O'Reilly & Associates, 1998. This book is presented in two big sections. The first deals with the Electronic Frontier Foundation's DES Cracking project, as well as with some political issues. The rest, indeed the bulk, of the book deals with the hardware and firmware required for a machine to perform as a brute-force DES cracking engine. It's an interesting read, but it's not really applicable to building applications.

Schneier, Bruce. Applied Cryptography: Protocols, Algorithms, and Source Code in C. 2d ed. New York: Wiley, 1996. Probably the best book there is on cryptography outside of academia. Easy to read, complete, and very big, it's the one to buy if you want only one book on cryptography.

Stallings, William. Practical Cryptography for Data Internetworks. Los Alamitos, CA: IEEE Computer Society Press, 1996. This is a gem of a book. If I were stranded on a desert island and had to choose one book on cryptography, this would be it. Comprising a series of easy-to-read papers, some from academia and some from the press, the book covers a myriad of topics, including DES, IDEA, SkipJack, RC5, key management, digital signatures, authentication principles, SNMP, Internet security standards, and much more.

———. Cryptography and Network Security: Principles and Practice. Englewood Cliffs, NJ: Prentice Hall, 1999. Stallings does a good job of covering both the theory and practice of cryptography, but this book's redeeming feature is the inclusion of security protocols such as S/MIME, SET, SSL/TLS, IPSec, PGP, and Kerberos. It might lack the cryptographic completeness of Applied Cryptography: Protocols, Algorithms, and Source Code in C, but because of its excellent protocol coverage, this book is much more pragmatic.

Windows NT and Windows 2000 Security

Blum, Daniel. Understanding Active Directory Services. Redmond, WA: Microsoft Press, 1999. If Active Directory is new to you, turn to this book. Not only is it an easy read, but it's very complete and surprisingly detailed for an "IT Professional" book. Highly recommended.

Edwards, Mark Joseph. Internet Security with Windows NT. Loveland, CO: Duke Press, 1998. The book is outdated now and covers an old version of Microsoft Internet Information Server. The good news: it is available on line at www.ntsecurity.net, and what it lacks in depth it makes up for in breadth.

Jumes, James G., et al. Microsoft Windows NT 4.0 Security, Audit, and Control. Redmond, WA: Microsoft Press, 1999. A reasonable checklist for configuring and administering a Windows NT 4 enterprise. It suffers from being outdated because so much has changed with Windows 2000 in the area of security and administration.

Microsoft Corporation. Microsoft Windows 2000 Server Resource Kit. Redmond, WA: Microsoft Press, 2000. An invaluable resource covering all aspects of Windows 2000, including security, Active Directory, host integration, deployment, TCP/IP networking, clustering, Internet Information Services, Microsoft Internet Explorer, and much more. At over 7000 pages, it's a massive and worthy reference.

Okuntseff, Nik. Windows NT Security: Programming Easy-to-Use Security Options. Gilroy, CA: R&D Books, 1997. This is the best reference available on using the Windows NT security APIs. It's written for Windows NT 4, but much of the information is pertinent to Windows 2000.

Rutstein, Charles B. Windows NT Security: A Practical Guide to Securing Windows NT Servers and Workstations. New York: McGraw-Hill, 1997. This book was cosponsored by the National Computer Security Association and is a reasonably complete look at security in Windows NT. It's somewhat out of date, but its principles are still valid. It's also very well written and easy to understand.

Windows NT Magazine Administrator's Survival Guide: System Management and Security. Edited by John Enck. Loveland, CO: Duke Press, 1998. A unique book made up of a collection of articles from back issues of Windows NT Magazine, all relating to systems management and security. Even if security is not your focus, you should consider purchasing this book because it covers many common administrative pitfalls and explains some of the esoteric aspects of Windows NT authentication.

TCP/IP Networking

Comer, Douglas E., and David L. Stevens. Internetworking with TCP/IP: Vol. I. 2d ed. Englewood Cliffs, NJ: Prentice Hall, 1994.

———. Internetworking with TCP/IP: Vol. II. 2d ed. Upper Saddle River, NJ: Prentice Hall, 1994.

———. Internetworking with TCP/IP: Vol. III. 2d ed. Upper Saddle River, NJ: Prentice Hall, 1994. These three books are all classics and well worth reading: many denial-of-service attacks use handcrafted IP packets, and defending against such attacks requires an understanding of the TCP/IP protocol suite.

———. Internetworking with TCP/IP: Vol. I-Windows Sockets Version. 2d ed. Upper Saddle River, NJ: Prentice Hall, 1997. This is the same book as Internetworking with TCP/IP: Vol. I. 2d ed., but the samples use WinSock rather than Berkeley sockets.



Designing Secure Web-Based Applications for Microsoft Windows 2000 with CDROM
Year: 1999
Pages: 138