This is an HTML rendering of a working paper draft that led to a publication; the publication should be cited in preference to this draft.
Diomidis Spinellis
University of the Aegean
Vacca, John R. Charles River Media, Inc., Rockland, MA, 1997, 506 pp., $49.95, ISBN 1-886801-56-8
The title of the book is misleading. The book covers generic system security issues with the word "intranet" liberally sprinkled through the contents in order to justify its title. As a security book it covers a broad area. The book contains chapters ranging from risk analysis and human aspects of security, to polymorphic viruses and relational database security. However, the book's organisation is lacking. Chapter and section headings are often as misleading as the book's title. As an example, the chapter titled "designing and implementing intranet security policies" contains neither an outline nor an example of a security policy document. Even more confusingly, the important subject of the upcoming IP layer security standards (IPSEC) is discussed in a chapter titled "a secure mobile intranet system" full of references to "intranet-layer [sic] security (IPSEC)". The final chapter "future trends in intranet security" contains sections on "intranet security basics" and "intranet security planning".
The book's coverage of security is extremely uneven. There is an index entry for water damage, but no mention of electronic watermarks. Two chapters are devoted to the discussion of viruses, and pages are filled with marketing details of home banking and the discussion of float in electronic bill payments, while PGP, certificate authorities, and firewalls are barely covered. Six pages describe the xswatch log monitoring tool, while the ssh, COPS, and tripwire tools are only mentioned in passing. The glossary at the end of the book is similarly unbalanced. It contains entries for "flame", "GUI", "CIA", and "RS-232", but not for "Certificate Authority", "SSL", "SSH", and "LDAP". The book contains numerous interesting anecdotes, facts, and stories. However, the reader would be better served if these were substantiated by appropriate references. The few references that appear are set as footnotes, making it difficult to use them as a starting place for further reading.
The book's graphic design and presentation could also be improved. Most diagrams and figures appear to be rendered or scanned in disturbingly low resolution; a grey line on the page headings crossing out chapter titles and page numbers is more annoying than cute.
I would find it hard to recommend this book - even as a system security book - to its intended audience: IT managers and system administrators. The technical aspects of Internet security are better covered in  and , while the non-technical aspects of system security are well covered in .