Firewalls and Internet Security, Second Edition 96
| Firewalls and Internet Security, Second Edition. | |
| author | Cheswick-Bellovin-Rubin, 2003 |
| pages | 433 |
| publisher | Addison-Wesley |
| rating | AA++ |
| reviewer | D Bruce Curtis, Ceo, American Interconnect |
| ISBN | 020163466X |
| summary | Incorporating an Internet firewall from start to finish. |
The authors start with hacking and security needs analysis, progress thru strategies and techniques, and end with useful security formulas, hypotheses and real life examples. They draw upon their own experiences and observations about network security and host protection to give the reader a well-rounded view of the concepts of security as they apply today. The book is well written with simple examples and antecedents. They have taken great care to explain how hackers work and their methodology. The best thing about the book is that it does not go into great detail about unnecessary finite security specifics and shows what works best while adding value by allowing the reader the opportunity to think for themselves and address their own needs. They maintain the premise that: " Simple security is better than complex security: it is easier to understand, verify, and maintain."(Page 81) while covering the types of attacks not only by method, but also by class, ranging from the kiddie script up to the sophisticated tunneling and VPN methods.
FWAIS 2.0 is a comprehensive guide to the most common security problems while not wasting time on the insignificant. It includes a good set of general rules and the tool sets necessary to secure a network at any level. FAWAIS 2.0 covers current protocols and allows simple guidelines for flexibility in determining your own network needs. It describes the weaknesses in both hardware and software while addressing their relational aspects in easy to understand terms. Written with Freebsd in mind many of the techniques in this edition adapt well to other sources such as Linux, Os/X, Unix, NetBsd, and Solaris.
The entire premise of the book revolves around the concept that old style layered security is not as good as it may appear. And that internet security and firewalls are a holistic endeavor of system integration and design. The authors have taken care to show just how difficult it can be to keep up with large network topology and lend truth to the fact that there is no such thing as absolute security.
The concepts found in this book cover subjects such as :
- What firewalls can and cannot do, capabilities and weaknesses.
- What filtering services work best.
- What services and practices are overkill.
- Why firewalls are necessary, the risks to servers and the servers relationship to proper firewall installation.
- What the steps to hacking are and the methodology used to break into a host.
- The why, what and where of limiting services and the tools to secure the appropriate functions.
- Types of firewalls and best practices for implementing security while building and designing firewalls.
- Why building your own firewalls may be your best solution.
- Applying past experiences to your firewall design.
- Intrusion detection systems and their role as a network tool in firewall construction.
- Honey pot examples showing how the techniques have been used to thwart and frustrate potential adversaries.
The second edition is well documented and includes plenty of good link references, appendices and bibliography resources to help any professional keep current with the ever-changing environment of network defense.
Any organization evaluating current security needs should find the second edition helpful for determining their security goals and a comprehensive guide to help design, implement and deploy firewalls. The second edition is a definite must for any security library, certification-training program or public/private classroom situation.
I recommend Firewalls and Internet Security as the best starting point for anyone who might be considering any changes in company security structure or earning their security certifications.
You can purchase the Firewalls and Internet Security, Second Edition from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Great review - will be purchasing soon... (Score:2, Interesting)
Sounds like a really fun and informative read (i.e. not "secure your enterprise in 21 days"), will probably be on my reading list soon.
Thank!
Great review (Score:5, Interesting)
The real question is whether is goes into enough technical depth, I would say. I know reading overviews and general ideas is usually very useful and helpful in the short term (perhaps to sound knowledgable in a meeting?) but would this book really give you enough "technical prowess" to write your own firewall?
That's my only real concern, but a great review nonetheless.
Maybe you should actually read the book (Score:5, Interesting)
You should try actually reading the book before you speak in platitudes. I started Exodus's Managed Security Services group, which had thousands of firewalls under management when I left. Despite this book being published in 1994, it remained my #1 recommended reading on the topic of network security, right up until the end my time there in 2001. The principles are timeless, and for the discerning reader, they transcend firewall brands, configuration recommendations, or changes in protocols. It is a book about security principles, how layers of security interoperate, how human error and fallacy can wreck the best-designed security measures, and so on.
You'd be well advised to read it.
Trying to say that this book is not insightful because "security changes every day" is like trying to say that Knuth's Art of Computer Programming is not insightful because programming languages change all the time.
Re:Exceptional authors, but not an exceptional boo (Score:5, Interesting)
One of the commonly repeated security shiboleths is 'end to end' security. This is a good thing in the same way that it is a good idea to have a burglar alarm in your house. The problem is when people start claiming that you should ONLY have a burglar alarm and that locking your front door is a BAD IDEA.
Over ten years ago I was involved in a series of arguments over the need for shadow passwords in UNIX. Not only did most people not get that they were needed there was actual opposition to the idea, people would claim repeatedly that protecting the password file made a system less secure. This despite the fact that crack was already circulating and usually managed to break a sizable proportion of passwords.
I get rather worried by the way some network administrators seem to consider getting a firewall to be the end of their security issues. It is as if they think a firewall is a +5 amulet of invincibility. But I get equally woried when folk make the claim that firewalls are unnecessary, and there are some very expensive consultants who make that claim when their clients are not arround.
OpenBSD? (Score:3, Interesting)
No love for OpenBSD [openbsd.org]? It's arguably the best OS for security and firewalls.