
Firewalls and Internet Security, Second Edition

dbc15 writes "A timely and much needed update to the first edition, FWAIS 2.0 is an excellent overview of the current landscape and psychology involving intranet, VPN and Internet host security while correctly addressing the positives and negatives of firewall / internet security and the techniques used by hackers."
Firewalls and Internet Security, Second Edition
author: Cheswick-Bellovin-Rubin, 2003
pages: 433
publisher: Addison-Wesley
rating: AA++
reviewer: D Bruce Curtis, CEO, American Interconnect
ISBN: 020163466X
summary: Incorporating an Internet firewall from start to finish.

The authors start with hacking and security needs analysis, progress through strategies and techniques, and end with useful security formulas, hypotheses and real-life examples. They draw upon their own experiences and observations about network security and host protection to give the reader a well-rounded view of the concepts of security as they apply today. The book is well written with simple examples and antecedents. They have taken great care to explain how hackers work and their methodology. The best thing about the book is that it does not go into great detail about unnecessary finite security specifics and shows what works best while adding value by allowing the reader the opportunity to think for themselves and address their own needs. They maintain the premise that "Simple security is better than complex security: it is easier to understand, verify, and maintain." (Page 81) while covering the types of attacks not only by method, but also by class, ranging from the kiddie script up to the sophisticated tunneling and VPN methods.

FWAIS 2.0 is a comprehensive guide to the most common security problems while not wasting time on the insignificant. It includes a good set of general rules and the tool sets necessary to secure a network at any level. FWAIS 2.0 covers current protocols and allows simple guidelines for flexibility in determining your own network needs. It describes the weaknesses in both hardware and software while addressing their relational aspects in easy-to-understand terms. Written with FreeBSD in mind, many of the techniques in this edition adapt well to other sources such as Linux, OS X, Unix, NetBSD, and Solaris.

The entire premise of the book revolves around the concept that old-style layered security is not as good as it may appear, and that Internet security and firewalls are a holistic endeavor of system integration and design. The authors have taken care to show just how difficult it can be to keep up with large network topology and lend truth to the fact that there is no such thing as absolute security.

The concepts found in this book cover subjects such as:

  • What firewalls can and cannot do, capabilities and weaknesses.
  • What filtering services work best.
  • What services and practices are overkill.
  • Why firewalls are necessary, the risks to servers and the server's relationship to proper firewall installation.
  • What the steps to hacking are and the methodology used to break into a host.
  • The why, what and where of limiting services and the tools to secure the appropriate functions.
  • Types of firewalls and best practices for implementing security while building and designing firewalls.
  • Why building your own firewalls may be your best solution.
  • Applying past experiences to your firewall design.
  • Intrusion detection systems and their role as a network tool in firewall construction.
  • Honey pot examples showing how the techniques have been used to thwart and frustrate potential adversaries.

This is not a how-to book written with step-by-step specific fill-in-the-blanks, connect-the-dots, detailed mechanical guidelines; it addresses the real needs of the administrator in relation to actual daily situations. As they state on page 213, "-we don't think the hard part of firewall administration is data entry, it is knowing what the appropriate policies are."

The second edition is well documented and includes plenty of good link references, appendices and bibliography resources to help any professional keep current with the ever-changing environment of network defense.

Any organization evaluating current security needs should find the second edition helpful for determining their security goals and a comprehensive guide to help design, implement and deploy firewalls. The second edition is a definite must for any security library, certification-training program or public/private classroom situation.

I recommend Firewalls and Internet Security as the best starting point for anyone who might be considering any changes in company security structure or earning their security certifications.


  • by Anonymous Coward on Wednesday July 09, 2003 @01:05PM (#6401180)
    that timothy writes worse "reviews", than a high schooler writes a book report?

    This is the high quality slashdot content worth paying for?

    No thanks.

  • AA++ (Score:3, Insightful)

    by SweetAndSourJesus ( 555410 ) <JesusAndTheRobot@yahoo . c om> on Wednesday July 09, 2003 @01:17PM (#6401283)
    It's hard not to be skeptical when you see a rating like that. I would think that a rating so high would be reserved for classics like "Applied Cryptography" and "The Art of Computer Programming". Is this book really of that caliber?

    Maybe I'm just a little more stingy with my praise.
  • Firewalls (Score:1, Insightful)

    by Anonymous Coward on Wednesday July 09, 2003 @01:17PM (#6401284)
    Fact of the matter (and I manage firewalls for a living) is that you can read all the books and white papers that you can find, but in the real world, nothing works like they say in books. Every firewall installation is different because every customer has different requirements. The books only serve as a general overview and in some cases, a how-to. But as I said, every VPN implementation and every rulebase is different. Until you get the trial by fire by working with firewalls yourself, no book can begin to tell you the absolute truth about how to implement anything. Firewalls, unfortunately, are a very dynamic piece of the network puzzle and they require changes almost all of the time. Open up a port here, new VPN tunnel there, block this and allow that. Not to mention that they have to play well with myriad other network devices like routers (ARP cache hell) and concentrators.
    The books about this are all good and very well meaning, but to actually DO this stuff requires being there and being able to see exactly how things work. I've yet to pick up a book on firewalls that has really assisted me with anything beyond understanding the theory behind the digital curtain. Security is an ever changing business and it changes EVERY SINGLE DAY. By the time some of these books are published, what held true with VPNs of one kind no longer holds true.
    Read with an open mind, but unless the book is published by the firewall company itself, there is not a lot there that will truly prepare you for the real world of firewall management.
  • HOWTOs languishing (Score:5, Insightful)

    by SuperBanana ( 662181 ) on Wednesday July 09, 2003 @01:36PM (#6401397)

    You know, I've noticed that as Linux grows more popular, the HOWTOs and mini-HOWTOs are in a pitiful state...yet books on Linux and networking are exploding on the market. When I first started with Linux, the HOWTOs were great sources of information- current, relevant...often funny, too.

    Nowadays, they're languishing. Outdated to the point of near uselessness. Just today someone asked me if the Software RAID HOWTO was up to date or not- it was dated 5/8/2002 and referred only to kernel 2.2!

    The networking howtos are worse- documentation for iptables/ipchains, and especially the QoS stuff, is SEVERELY out of date, incomplete, or just plain wrong. Dozens of kernel options or features have ZERO documentation, not even a help message.

    Folks, if you find a howto that's really out of date, try to contact the author. If they're not interested in continuing to develop it, work with the Linux Documentation Project to see if you can take it over or if they have someone that can. At the very least, give the current author some 'patches' (if anything, if they don't make corrections, that's a good argument for finding a new maintainer.)

  • Re:Great review (Score:4, Insightful)

    by chef_raekwon ( 411401 ) on Wednesday July 09, 2003 @02:01PM (#6401569) Homepage
    what i've found in the past is very similar to tevenson: technical depth is lacking...all of the "concept" in the world won't help you build your own firewall...however, sample script files usually do...

    if only the books would include samples, if nothing else, of an iptables based firewall, or even ipchains....some go in depth to talk about what the rules mean, but leave the rest for the reader to decipher -- and by this, i mean why the types of rules are being implemented, and why...

    hopefully this rejuvenated title will help in this regard.
  • Re:Firewalls (Score:5, Insightful)

    by swb ( 14022 ) on Wednesday July 09, 2003 @02:31PM (#6401835)
    These books should also come with a political section. At least once a month I get queries (often thinly-veiled demands from more senior executives) to make some network application "work through the firewall", when the applications in question are programs running on desktops or a milieu of non-business related functions (including one guy who wanted to run a game server "only over lunch").

    From a technical perspective it's trivial to deny these requests, but from a political perspective it can get more challenging, particularly when the application has some kind of business application but needs either particular security scrutiny that hinders "ease of use" or is just a plain bad idea (i.e., anonymous writable ftp site inside of a firewall).

    Explaining the security implications in terms that non-technical users can understand is often impossible, particularly when the users are pre-convinced you just want to be a BOFH; they seem to only hear "blahblah you're stupid, blahblah I'm the boss and you can't have it".

    Some, of course, are better than others and we're able to implement what they want to do in a way that satisfies security and functionality, but too often it just turns into political football.
