Computing Reviews
Extreme exploits : advanced defenses against hardcore hacks
Oppleman V., Friedrichs O., Watson B., McGraw-Hill Osborne Media, Columbus, OH, 2005. 448 pp. Type: Book (9780072259551)
Date Reviewed: Nov 8 2005

Securing a network is a multilayer process. This book addresses network security from an operational viewpoint, providing pragmatic coverage of a comprehensive arsenal for defense against the most common attacks encountered in real-life situations.

The book is structured into three major logical sections. The first section includes background chapters on routing architectures (border gateway protocol (BGP)) and securing the domain name system (DNS) infrastructure, and an amazing discussion on Internet service provider (ISP) security practices. Chapter 2 separates fact from fiction, and highlights the huge gap between the security policies implicitly assumed to be deployed by an ISP and those that are actually deployed.

The core of the book is contained in the second section, which addresses advanced defense techniques for reliable connectivity, secure network architectures, intrusion detection, application-level filtering, and securing wireless networks. Some of the issues discussed in this section make this book unique and very valuable. For instance, chapter 4 covers reliable connectivity, and goes into advanced topics like BGP security, including best practices for its configuration and unicast routing. Another chapter that shines for its clarity and quality of presentation is chapter 6. This chapter addresses the design of demilitarized zones (DMZs). A DMZ can be seen as an intermediary network between the Internet and the internal network, exposing some services to the outside; potential vulnerabilities in its design can compromise the internal network or affect business-critical operations. The authors discuss the core architectural design patterns for DMZs, and operational defensive techniques.

Another chapter that I enjoyed reading was chapter 10, which covers routing-level manipulations to counter distributed denial of service attacks, or to support passive reconnaissance actions. The basic idea here is to route suspicious traffic to “darknets” (nonoperational networks, used only to capture and gather evidence data), or to hinder a denial of service attack by routing the corresponding traffic to a black hole.

Section 3 is mostly about security assessment and digital forensics. Entire books could be written about each of these topics, so high-level overview coverage in a more general network security book is not surprising. Professionals having to perform such operations might need to read additional materials to master these topics, but for readers interested in getting a general grasp of these issues, the book is very informative.

What makes this book a superb and thrilling reading experience is its mix of a highly pedagogical and clear writing style with conceptual, technology-agnostic information. The authors do not go into technology or implementation details, keeping the presentation focused on the concepts and the required essentials. The second section of the book is a true jewel on its own, where highly effective defense techniques based on subtle routing plane manipulation are illustrated in several deployment scenarios. The authors also provide a Web site (http://www.extremeexploits.com), where readers can easily download the tools mentioned in the book. The book covers only open source tools, so readers interested in practicing can do so without additional costs.

I strongly recommend this book to any network administrator, technical manager, or security-minded reader. Written in a very reader-friendly way, it provides an excellent state-of-the-art overview and guide to concepts and defensive solutions for network-level security.

Reviewer:  Radu State Review #: CR132003 (0609-0925)
Unauthorized Access (K.6.5 ... )
Invasive Software (K.6.5 ... )
Security and Protection (C.2.0 ... )
General (C.2.0 )