"Designing and Building Enterprise DMZs", Ido Dubrawsky et al, 2006,
%E Ido Dubrawsky
%C 800 Hingham Street, Rockland, MA 02370
%I Syngress Media, Inc.
%O U$59.95/C$77.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 714 p.
%T "Designing and Building Enterprise DMZs"
Chapter one does outline some basic DMZ (DeMilitarized Zone) concepts
and design, but is vague and verbose, with many large (in page size)
and simplistic (in terms of information content) illustrations with
little detail and minimal differences between them. (Figures 1.5 and
1.6 are, in fact, identical, even though they purport to show
different topologies.) Windows DMZ design, in chapter two, is both
too broad (it discusses very general aspects of planning for a DMZ
setup) and too detailed (the text almost immediately jumps into the
specifics of particular outside hardware to be purchased for an
isolated example) to be of practical use. Much the same is true of
chapter three, which is based on Sun's Solaris operating system.
Chapter four lists wireless network attacks and some security
technologies, but doesn't really deal with DMZ aspects, and chapter
five, purportedly about implementing wireless DMZs, just has lots of
screenshots for installing various products.

Chapter six starts a section of the book cataloguing various firewall
products. In this case it is Cisco's PIX and ASA systems, and
discusses unit specifications, licensing, and some Cisco commands.
Chapters seven through ten, respectively about Checkpoint,
SecurePlatform and Nokia, NetScreen, and ISA Server 2005, basically
contain screenshots for installation and configuration.

Chapter eleven, entitled "DMZ Router and Switch Security," would have
been a good place to deliberate on security considerations of the
different routing protocols, but only suggests hardening routers and
switches. VPN (Virtual Private Network) topologies and products are
noted in chapter twelve, with almost no mention of DMZs at all. The
standard advice for building MS Windows bastion hosts is in chapter
thirteen. We are told to remove unnecessary services (without being
told which are necessary), to rename the administrator account
(although nobody mentions that the renamed account can still be
determined), and the text recommends using Terminal Services (even
though this service is widely considered to be a security risk). Most
of the material is about how to use the configuration utilities,
rather than suggestions on the settings themselves. Much the same
type and level of advice is given in chapter fourteen, in regard to

Ultimately, while there is content in the work that can be helpful in
terms of security, there is relatively little that actually relates to
DMZ concepts, design, use, or protection.
copyright Robert M. Slade, 2006 BKDBEDMZ.RVW 20061223