The Internet Protocol Journal - Volume 1, No. 3

Book Reviews

Internet Messaging
Internet Messaging: From the Desktop to the Enterprise, by Marshall T. Rose and David Strom ISBN 0-13-978610-4, Prentice-Hall PTR, 1998, http://www.prenhall.com

Very few Internet voices hold a status equivalent to E.F. Hutton's advertising campaign: "When they speak, we should listen." Marshall Rose and David Strom are two such voices, making any product of their combined efforts a serious matter, indeed. Rose has typically writ-ten about basic technology, Strom about the pragmatics of use, especially trials and tribulations of fitting networked pieces together. Internet Messaging is in the latter category, with a strong added intro-duction of e-mail and security technology. Anyone who has professional contact with e-mail should get a copy of this book. If com-mercial use of Internet mail were more advanced and stable, we probably would not need an effort like this. However, e-mail profes-sionals must constantly deal with problems in using interesting functions and in troubleshooting interoperability. Internet Messaging helps with the planning, use and debugging of complex, or otherwise "interesting," e-mail services.

Updated Information
The book provides a superb survey of the relevant technology, the pop-ular user mail software, and the rather interesting range of mail and messaging operations issues, including styles of use by organizations. The comparisons of different mail systems leave the reader with a solid understanding of functional and usage requirements for modern sys-tems, as well as the choices available at the time of publication. Mary Houten-Kemp's Web site at http://www.everythingemail.net is being used to provide updated information.

E-mail includes a wide range of technical and operations issues, and Internet Messaging touches all of them. Its introductions cover user environment, mail transfer, mailing list services, unsolicited bulk e-mail ("spam"), encryption-based security, remote user access, virtual private networks, and directory services. Providing a single discussion, which integrates the use of these disparate technologies, is enough to justify the book.

Organization
Internet Messaging attempts very regular organization and states that the goal is to permit use as a problem/solution reference work. It prima-rily distinguishes between sending and receiving functions and between desktop and enterprise requirements. This creates a two-by-two matrix, defining the core four chapters. The other chapters include philosophi-cal opening and closing discussions, a separate, very informative chapter on security, and another on general enterprise operations issues.

Most of the chapters are organized into Introduction, Problems, Stan-dards, and Solutions. Unfortunately that regularization is all that is shown in the Table of Contents, so the reader gets little help finding specifics by reading the Table. Similarly, the organization of the chap-ter contents did not seem compelling for use in problem solving. The additional "How Can I" matrix (on page 10) and its associated discus-sion text is intended as the primary means for locating relevant discussions.

Comparisons
User software comparisons are given throughout the book, for Microsoft Outlook 4.01, Netscape Messenger 4.04, Qualcomm Eudora Pro 4.0, Lotus cc:Mail 8.1, CompuServe WinCIM 3.02, and America Online 3.0. Specific mailing lists, security, remote access, and directory software and services are also reviewed. Oddly, the discussion of remote access mentions only global, single-provider services—and their favorite is currently having financial problems—but did not mention the "association" style of service that integrates many independent pro-viders, notably GRIC and iPass. (Full disclosure: iPass is a client.)

Most products are undergoing aggressive enhancement so that no printed text can be entirely up-to-date. Hence the Web site. For the software and services I know well, the book looked reasonable. Of course it is not entirely error free, but the errors are small and perfect detail is not required. I believe there are two major benefits to these comparisons. One is that the reader is given a very solid sense of the general capabilities and limitations of modern e-mail software. The sec-ond is to make a reasonable, first-pass filtering of candidate packages to be used in an organization. It would not be appropriate to attempt selecting among these packages according to subtle differences reported in the book.

Benefits
As one would expect of these authors, a very large, long-term benefit of their efforts is in their many excellent criticisms and suggestions. Unfor-tunately, many of them are in notes located at the end of each chapter. It's hard to imagine a less-convenient place to put them, since I found myself constantly shifting back and forth between the main text and the notes. It would not have been so irritating if the comments were less interesting; they should have been true footnotes, with easy access on each page. The stellar example of direct utility from these comments is Figure 2.1 on page 38. It shows a systems structure for user software processing of incoming mail. Every vendor should study this discussion carefully and implement it immediately. Please!

Dave Crocker
Brandenburg Consulting
dcrocker@brandenburg.com



Web Security
Web Security: A Step-by-Step Reference Guide, by Lincoln D. Stein, ISBN 0-201-63489-9, Addison-Wesley, December 1997, http://www.awl.com/cseng/titles/0-201-63489-9

Whenever the topic of the World Wide Web comes up, you can be sure that some mention of "security" will soon follow. Web users, Web cre-ators, and even Web technology developers are all keenly aware of the security concerns. But what do we mean by "security?" The safety to use a credit card? Keeping a Web site safe from breakins? Keeping the kids away from online erotica? And whose security are we concerned with, the user's or the Web site operator's?

This book covers most of what we might expect to find under the umbrella of security. In addition to dealing with the broad scope of Web security, the author also tries to cover the topic with sufficient simplicity for the novice and enough detail for the engineer. The good news is that this book succeeds in delivering a single volume that cov-ers all we could possibly expect on the topic, and at levels suited for a broad audience range.

Organization
The author begins by making the distinction between security for the browser, the Web site, and the network between them. This division of the topic forms the basis for the organization of the book. Moving through each of the three parts, the author proceeds from the simple to the complex in a logical, additive order. He discusses topics introduced early in the book from a functional standpoint—how they affect the user. He may cover the same technology in later chapters, but in greater depth, detailing server and network configuration and discussing the underlying technology.

In the first part of the book, the author covers document confidential-ity, including standard "text" documents as well as electronic commerce. A major theme in this section is cryptography. The author presents symmetric and public key encryption technologies from a functional standpoint. He presents various encryption standards, with a discussion of their strengths and weaknesses. In another chapter he pro-vides a good primer on the Secure Electronic Transaction (SET) protocol handling, as well as other options (Common Gateway Inter-face [CGI] scripts and Secure Sockets Layer [SSL]) for credit card order processing.

In Part 2 we are introduced to issues of client-side security. The author devotes a full chapter to an in-depth explanation of SSL services. He also looks at issues associated with active content, and presents technol-ogies such as Java, ActiveX, and other options, along with notes on their respective security implications. Finally, he covers issues of privacy—in this case, the personal privacy of the user. Throughout these chapters, the author emphasizes user-controllable settings such as browser configuration options.

Whereas the author focuses on user involvement in the first two parts, with an appropriate level of technical content, in part 3, targeted to Web masters and system administrators, he introduces the engineering side with an in-depth coverage of server-side security. He covers the two prominent Web-serving operating systems: UNIX and Windows NT, with good attention to various versions of each. Topics include basic system security, access control, and activity monitoring. Other chapters include an excellent discussion of encryption and certificate technology, safe CGI scripting, remote authoring of Web data, and firewalls.

Presentation and Style
The author illustrates his points with good examples. He also presents appropriate sidebar discussions and illustrations, which not only clar-ify the information, but also provide interest and variety in what could be a very dry volume. Each chapter ends with a listing of resources, both print and "online." Where appropriate, the author includes check-lists to help the reader apply the material just covered.

As a result of the practical, well-grounded presentation of material, we are continually able to see practical applicability to our own situation. For example, the author presents us with information about dangers to our privacy, and why that might be important to us. This is immedi-ately followed by clear instruction on changing privacy-affecting settings in various versions of both Netscape and Internet Explorer. The author uses this technique throughout the book, and it is as useful with password management, CGI scripting, or firewall configuration as it is with privacy.

Recommended
Although experts in encryption and other specific security-related tech-nologies will find this book too simple for their personal area of expertise, the strength of the book is not in its coverage of any one area, but in its well-integrated and cohesive coverage of a broad range of interrelated topics. The ability for any reader, first-time surfer or Web guru, to find practical, easily applied information makes this book a required item on any webmaster's bookshelf, and a must-read for anyone who spends any serious time on the Web.

Richard Perlman
Berkeley Internet Group
perl@berkinet.com



Internet Cryptography
Internet Cryptography, by Richard E. Smith, ISBN 0-201-92480-3, Addison-Wesley, 1998, www.awl.com/cseng/titles/0-201-92480-3 The 1990s might easily be known as the decade of the Internet. The Internet came into the mainstream during this decade, a global frontier with frontier problems and rules. Seemingly overnight, everyone from government agencies to Chinese restaurants had a Web presence. Young children exchanged e-mail with their grandparents and friends, a big change from just a few years ago when it was the domain of tech-nologies and a place where everybody knew your name.

The 1990s could also be known as the decade when cryptography became mainstream. Perhaps because of the change in the Internet com-munity, people became more aware of the need to protect the privacy of internetwork communications. Certainly, the U.S. government's attempt to push government control of cryptographic keys in the Clipper contro-versy helped to move cryptography and its related issues from science journals to the front pages of our newspapers. Today, while not main-stream, terms such as Virtual Private Networks (VPNs), Secure Sockets Layer (SSL), IP Security (IPSec), Pretty Good Privacy (PGP), Secure Multipurpose Internet Mail Extensions (S/MIME), and related technolo-gies are known among IT professionals, and cryptography is no longer a tool used only by spies and military communication officers.

The Author
Richard E. Smith is well-known to members of various security-related forums on the Internet, as well as to security conference attendees. A security consultant with Secure Computing Corporation, Smith's background is in military-grade security. His experience on the lecture circuit, explaining issues of firewalls, cryptography, and other computer and network security topics, has directly contributed to production of a book on a lofty subject that is reachable by the nonscientist.

Organization
The chapters of this book fall into three groupings: an introduction to the basics of cryptography, its terms, methods, and mechanisms; network encryption and a discussion of VPNs, focusing on IPSec; and finally public key cryptography as it is used with message and file encryption and "Web" transactions.

The discussion in the opening chapter on basics may scare some off; Smith tends to oscillate between various levels of complexity. Consequently, some members of the intended audience of (quoting from the Preface) "people who know very little about cryptography but need to make technical decisions about cryptographic security," may, for example, zone out during the discussion of IP protocols. My suggestion would be to press on, and not worry about the random item that might go over your head. Everything there has a purpose, and the important information will fall into place by the end of each chapter.

If this book ended with Chapter 4, it would still be a useful book. The complex basics of cryptography and the issues that should be of con-cern to an information security officer are clearly presented and explained. The only area that is given less than adequate coverage is that of key recovery. Smith makes no mention of legitimate business reasons for the recovery of encrypted data if the originator is unavailable (the proverbial question, "What if you got hit by a truck?"), nor does he mention any mechanism other than the escrow of secret keys, although there are other, safer, methods. Of particular use are Smith's explanations of the various cryptographic algorithms and his discus-sions of safe key lengths and risks.

In the sections on VPNs and IPSec, Smith covers everything from mobile users and remote access, to point-to-point encryption, and the issues of key distribution, exchange, and the mechanisms used to automate encrypted communication. Everyone seems to know that IPSec will save the world and is the answer to all our security problems (and I have my tongue firmly planted in my cheek), but few know what IPSec really does, from a "features and benefits" point of view. Of particular use and interest are the sections labeled "Deployment Example." These are small case studies that show the technology in action and discuss some of the decisions and processes that came before deployment.

The section covering public key cryptography along with file and message encryption is perhaps shorter than it should be, although much of the groundwork is done earlier in the book. Missing is a "how to" on setting up a public key infrastructure (PKI) for a corporation to use. There are "Product Examples" in this section, but not "Deployment Examples." Perhaps those will have to wait for a second edition, for although this is a lack in the book, there are not many real-life examples from which to choose. Although discussed in theory for years, this is still "leading edge" in the real world. The chapter on Web servers should prove informative and useful to any organization thinking of deploying (or having already deployed) a Web server.

In the chapter entitled "Secure Electronic Mail," the fact that Smith covers Privacy Enhanced Mail (PEM) as a technology more than he covers S/MIME is puzzling, but the basics of PEM are useful for discussion, even if PEM as a technology seems to be dead.

Cryptography Is Necessary
The advertisement on the back of the book (not written by the author, of course) states "Here, in one comprehensive, soup-to-nuts book, is the soution for Internet security: modern-day cryptography." Obviously the claim that cryptography is the solution for Internet security is way overinflated; modern-day cryptography is not the solution, but, cryptography is an important part of a "balanced" security solution. Smith does an admirable job of making this heretofore...well, cryptic... subject, understandable, interesting, and even enjoyable.

Frederick M. Avolio
Avolio Consulting
fred@avolio.com