This is an HTML rendering of a working paper draft that led to a publication. The publication should always be cited in preference to this draft using the following reference:


This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted without the explicit permission of the copyright holder.


Copyright © 1998 by the Association for Computing Machinery, Inc. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from Publications Dept, ACM Inc., fax +1 (212) 869-0481, or

Book review: Intranet security

Diomidis Spinellis
University of the Aegean

Intranet security
Vacca, John R.
Charles River Media, Inc. Rockland, MA, 1997,
506 pp., $49.95, ISBN 1-886801-56-8

The title of the book is misleading. The book covers generic system security issues with the word "intranet" liberally sprinkled through the contents in order to justify its title. As a security book it covers a broad area. The book contains chapters ranging from risk analysis and human aspects of security, to polymorphic viruses and relational database security. However, the book's organisation is lacking. Chapter and section headings are often as misleading as the book's title. As an example, the chapter titled "designing and implementing intranet security policies" contains neither an outline nor an example of a security policy document. Even more confusingly, the important subject of the upcoming IP layer security standards (IPSEC) is discussed in a chapter titled "a secure mobile intranet system" full of references to "intranet-layer [sic] security (IPSEC)". The final chapter "future trends in intranet security" contains sections on "intranet security basics", and "intranet security planning".

The book's coverage of security is extremely uneven. There is an index entry for water damage, but no mention of electronic watermarks. Two chapters are devoted to the discussion of viruses, pages are filled with marketing details of home banking and the discussion of float in electronic bill payments, while PGP, certificate authorities, and firewalls are barely covered. Six pages describe the xswatch log monitoring tool, while the ssh, COPS, and tripwire tools are only mentioned in passing. The glossary at the end of the book is similarly unbalanced. It contains entries for "flame", "GUI", "CIA", and "RS-232", but not for "Certificate Authority", "SSL", "SSH", and "LDAP". The book contains numerous interesting anecdotes, facts, and stories. However, the reader would be better served if these were substantiated by appropriate references. The few references that appear are set as footnotes making it difficult to use them as a starting place for further reading.

The technical treatment of important and interesting security issues is sometimes annoyingly shallow or misleading. Although the book contains more than 35 pages on viruses, the 8 pages devoted to NT viruses mostly examine boot sector viruses which are not really NT-specific and are the least likely to spread in an intranet environment. The author refers to Java applets as "Java scripts" potentially confusing them in the mind of the reader with JavaScript - a language not related to Java. For a subject changing as rapidly as the Internet technologies the book appears to be outdated in several places: on p. 468 we learn that "486 machines are cheap now (with prices dropping all the time)", while the examination of browser security problems covers only Netscape Navigator 3 and JDK 1.0. There are references to - the never released - Windows-97 as an existing product, but no mention of ActiveX and the Microsoft Internet Explorer.

The book's graphic design and presentation could also be improved. Most diagrams and figures appear to be rendered or scanned in disturbingly low resolution; a grey line on the page headings crossing out chapter titles and page numbers is more annoying than cute.

I would find it hard to recommend this book - even as a system security book - to its intended audience: IT managers and system administrators. The technical aspects of Internet security are better covered in [1] and [2], while the non-technical aspects of system security are well covered in [3].


  1. Simson Garfinkel and Gene Spafford. Web Security and Commerce. O'Reilly and Associates, Sebastopol, CA, USA, 1997.
  2. Aviel D. Rubin, Daniel Geer, and Marcus J. Ranum. Web Security Sourcebook. John Wiley &amp; Sons, 1997.
  3. David L. Oppenheimer, David A. Wagner, and Michele D. Crabb. System Security: A Management Perspective. USENIX Association, Berkeley, CA, USA, 1997.