Copyright © 2004 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.
Network Security: The Complete Reference
By Roberta Bragg, CISSP, Mark Rhodes-Oulsey, CISSP, and Keith Strassberg, CISSP, CPA
Reviewed by Kamal Parmar, CISA, ACCA, CCNA, MCP
I
nformation security was regarded as something of a black
art until about a decade ago. There had been a dearth of
information on security issues for specific technological
environments, and one would have been hard pressed to
find a single source of information on security for multiple
system platforms.
This general gap has been gradually filled, due to the advent
of knowledge sharing on the Internet and books like Network
Security: The Complete Reference.
This book covers a broad spectrum of security topics, to the
extent that one would want to classify it as a complete
reference guide on security, rather than just network security.
The major topics addressed include: return on security, security
strategy and risk analysis; security policy development and
security organisation; access control and physical security;
biometrics; e-mail; network architecture; firewalls and IDSs;
VPNs; wireless security; disaster recovery; Windows, Linux,
UNIX and Novell; application and database security; and
incident response.
This book will appeal roundly to security professionals and
IT administrators (e.g., for networks, applications, databases).
It will also attract software developers who seek to write
secure code, particularly if they are using the J2EE and .NET
platforms.
The book may be classified as intermediate to advanced; in
other words, it is appropriate for anyone who has been exposed
to any of the technologies listed above.
More importantly, the book is an excellent how-to on
securing corporate information assets. Unlike the genre of
Hacking Exposed and the like, this book stresses the how-to-
protect element more than the how-to-hack element.
While the book might be considered equally suitable for all
countries around the world, there may be regional biases in the
area of wireless networking, particularly with regard to
different standards adopted by the United States, Europe and
the rest of the world. Having said that, such differences are
minimal from the overall perspective of information security.
The book is well structured, organised into six principal
domains: network security foundations, access control,
network architecture, operating system security, application
security and response. It is written in a business-like language
and uses practical, real-life examples extensively where
appropriate. Bullet points and diagrams are used judiciously at
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 3, 2004
various points to break the monotony of
prose and to aid comprehension.
As evidence of the growing recognition
of COBIT as a best practice standard for
information technology governance, the
book briefly describes COBIT as a
standard for IT governance and is a
tribute to the global presence of ISACA as an influence on
governance issues with respect to technology.
Overall, the book is rich in detail; it is difficult to imagine
how the authors were able to squeeze so much content into
a book less than 1,000 pages in length. Contemporary
legal and regulatory issues, e.g., Sarbanes-Oxley, HIPAA,
are suitably covered.
An excellent 25-page security dictionary has also been
included, expounding definitions of contemporary technology
used in the security space today.
This is the first book the reviewer has seen using more than 20
coauthors. In light of this fact, the text is incredibly well-
organised, and a common theme and style underlies the entire
text. Roberta Bragg is a leading authority in the arena of Windows
security, having previously written in
this area and facilitated training on Windows security. Mark
Rhodes-Oulsey is a security professional with more than
10 years standing. He has advised, designed and installed security
infrastructures and policies for dozens of large and small
companies. Keith Strassberg is a security consultant with more
than seven years’ experience in various security technologies, such
as firewalls, IDSs, forensics, policy formulation and vulnerability
testing. While it is impossible to describe all contributors here, the
community of authors that contributed includes engineers,
accountants, lawyers and software developers, and this is a
testimony to the all-encompassing nature of the information
security field today.
This book is arguably the ultimate book on information
security. The sheer scope of the book represents an ambitious
undertaking.
Unlike other books on security, which tend to concentrate
largely on the technical aspects, the authors in this case have
struck a balance between the technical and nontechnical
aspects of security. For instance, part one of the text is
dedicated to the “soft” issues surrounding security, e.g., risk
analysis, security policy and security organisation.
 The text also has a sizeable section on wireless network Editor’s Note:
security, which is a timely inclusion, given the recent clamour Network Security: The Complete Reference is now
regarding wireless networks. available from the ISACA Bookstore. For information,
This is a valuable text for today’s information security see the ISACA Bookstore Supplement in this Journal, visit
professional, with logical and concise information, and a very www.isaca.org/bookstore, e-mail bookstore@isaca.org or
representative and deserving title. telephone +1.847.253.1545, ext. 401.

Kamal Parmar, CISA, ACCA, CCNA, MCP

is a senior consultant in Ernst & Young’s risk and technology
services practice in Melbourne, Australia. Over a six-year
period, he has performed IS audit, penetration testing, forensic
investigation and due diligence projects for multiple clients in
the financial services, aviation, telecommunications,
manufacturing and hospitality industries. He is a member of
ISACA’s Publications Committee and has previously written for
the Information Systems Control Journal.

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc.. Membership in the association, a voluntary
organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.

Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit
and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal
does not attest to the originality of authors' content.

© Copyright 2004 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCATM Information Systems Control AssociationTM

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the
association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles
owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume,
and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the
association or the copyright owner is expressly prohibited.

www.isaca.org

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 3, 2004