Firewalls and Internet Security: Repelling The Wily Hacker (Addison-Wesley Professional Computing) [Paperback]

William R. Cheswick (Author), Steven M. Bellovin (Author)
4.4 out of 5 stars (22 customer reviews)


There is a newer edition of this item:
Firewalls and Internet Security: Repelling the Wily Hacker (2nd Edition)

Book Description

ISBN-10: 0201633574 | ISBN-13: 978-0201633573 | April 30, 1994
Written by two AT&T Bell Labs researchers who helped break the infamous "Berferd" hacker case, this book gives you invaluable advice and practical tools for protecting your organization's computers from the very real threat of a hacker attack through the Internet. The authors show you step-by-step how to set up a firewall gateway - a dedicated computer equipped with safeguards that acts as a single, more easily defended, Internet connection.


Editorial Reviews

Amazon.com Review

Essential information for anyone wanting to protect Internet-connected computers from unauthorized access. Includes:
  • thorough discussion of security-related aspects of TCP/IP;
  • step-by-step plans for setting up firewalls;
  • hacking and monitoring tools the authors have built to rigorously test and maintain firewalls;
  • pointers to public domain security tools on the net;
  • first-hand step-by-step accounts of battles with the "Berferd" hackers; and
  • practical discussions of the legal aspects of security.

Review

Firewalls and Internet Security: Repelling the Wily Hacker gives invaluable advice and practical tools for protecting our computers. You will learn how to plan and execute a security strategy that will thwart the most determined and sophisticated of hackers, while still allowing your company easy access to Internet services. In particular, the authors show step-by-step how to set up a "firewall" gateway - a dedicated computer equipped with safeguards that acts as a single, more easily defended, Internet connection. They even include a description of their most recent gateway, the tools they used to build it, and the hacker attacks they devised to test it. In addition, there is vital information on cryptography, a description of the tools used by hackers, and the legal implications of computer security. With Firewalls and Internet Security, anyone will be well equipped to provide their organization with effective protection from the wily Internet hacker. -- Midwest Book Review

Product Details

  • Paperback: 320 pages
  • Publisher: Addison-Wesley Professional (April 30, 1994)
  • Language: English
  • ISBN-10: 0201633574
  • ISBN-13: 978-0201633573
  • Product Dimensions: 9.2 x 7.4 x 0.8 inches
  • Shipping Weight: 1.4 pounds
  • Average Customer Review: 4.4 out of 5 stars (22 customer reviews)
  • Amazon Best Sellers Rank: #593,135 in Books


 

Customer Reviews

22 Reviews
5 star: (13)
4 star: (6)
3 star: (2)
2 star: (0)
1 star: (1)

Average Customer Review: 4.4 out of 5 stars (22 customer reviews)

Most Helpful Customer Reviews

38 of 41 people found the following review helpful:
3.0 out of 5 stars A nice internet security overview, March 22, 2003
My hope was that reading Firewalls and Internet Security - Second Edition would be a chance to sit at the feet of the masters, but I was disappointed. Part of the problem is the title, this is not a firewall book; this is an internet oriented security overview. The writing style is professional, but terse, you will learn the names of many important things, but you will not learn how to DO anything and you will not even learn ABOUT very much. However the book gives you the NAMES of many important topics that you can go research on your own and is valuable for that. It is well edited and has a flawless layout making it a fast easy read because the technical level is low and the book is short.

The book opens with a few pages on security truisms, my favorite part of the book and a dazzling display of intellect! All the material after the truisms and up to chapter 9 is a quick tour of topics like Security Policy, Host-Based Security and Perimeter Security, Authentication, and all the Protocols in a couple paragraphs each.

Chapters 9 - 12 are where the book covers perimeters. Chapter 9 is dated material, Static Packet Filters, Network Topology, Application Gateways, and SOCKS. The book begins to improve in Chapter 10, remember, these authors really know their stuff and if you read closely there is wisdom here. The "Use the phone?" comment in the H.323 and SIP example firewall rule was a classic. Sadly, this whole critically important section got one thin paragraph.

In Chapter 13, there is a fascinating discussion about using routing tricks to protect a host, but it isn't clear to me you can implement this with the four sentences of information the authors provide. As you march on to Chapter 16, they have a few paragraphs on host security, name some types of IDSes and so forth.

Chapter 16 is from the original edition, An Evening with Berferd is a lovely read especially if you have a Unix background. Chapter 17, The Taking of Clark, another war story, was also fun.

The ending of the book is sad, the technical material concludes with three and a half pages titled: Where do we go from here? They briefly mention IPv6, but come to no conclusion as to its future. DNSsec gets two paragraphs, we do not even learn what it is, (a new resource record where the information that is stored can be signed).

In the final paragraph the authors conclude we are going backward not forward, that we cannot achieve the security level Multics had in the 1970s with modern operating systems. I sincerely hope that is not true; take a look at OpenBSD, one exploitable remote vulnerability in seven years. Think about the progress RedHat and Microsoft are making. Take a look at the work The Center for Internet Security is doing, take the Unix or Windows tracks at SANS, but never, ever give up.



11 of 12 people found the following review helpful:
5.0 out of 5 stars Yet another worthwhile book for us all in the IT industry!, October 10, 2003
By Christos Partsenidis (Thessaloniki, Greece - www.Firewall.cx)
Addison-Wesley in cooperation with William Cheswick, Steven Bellovin and Aviel Rubin have produced yet another well-researched publication.

This book is all about Internet security, firewalls, VPNs and much more, all of which are hot topics and renowned buzzwords within today's IT industry.

In the first chapter, the authors express their view on network security and demonstrate the different methods an Administrator can use in order to secure their network(s). This is carried out by categorizing security into Host-Based and Perimeter security.

The second and third chapters are approximately 50 pages covering basic protocols, including IPv6, DNS, FTP, SNMP, NTP, RPC-based protocols and several more like the famous NAT. The chapters are concluded with a summary on wireless security.

The next five chapters (chapter 4 to 8 inclusive), analyze various attacks used against networks and server operating systems in an attempt to exploit them. There is a wealth of information concerning hacking, allowing the reader to enter the mind of a hacker in terms of what they think and how they proceed to meet their goal.

One complete chapter is dedicated to various password tactics in which one can ensure that a hacker's life is made more difficult should they attempt to break into a few accounts using well-known methods related to password guessing. CHAP, PAP, Radius and PKI are also analyzed.

Chapters 9 to 12 are dedicated to Firewalls and VPNs which, in passing, happen to be my favourite chapters. They offer an in-depth analysis of the Firewall concept, packet filtering, application-level filtering and circuit level gateways. It proceeds with information about the filtering services, giving detailed examples on how one could use IPChains to create a simple or complex set of rules to efficiently block/permit packets entering in and out the network. This is perhaps the only downside to this informative book, where IPTables would have been beneficial to include, since people rarely use IPchains these days.

Lastly, chapter 12 talks about VPNs, their encryption methods, and considers both their weaknesses and advantages.

In addition to this, the book continues with several more chapters covering general questions that may arise for the reader, such as intranet routing, administration security and intrusion detection systems.

Towards the end, the authors talk about their personal experiences with people trying to hack into their companies and, as a result, explain the step-by-step process of how they managed to fight them and secure their networks. These pages are simply a goldmine for anyone interested in this area.

In summary, I'd say that the book is well worth its money and would suggest it to anyone interested in network security and firewalls. I am certain they won't be disappointed simply because the book has a lot to offer...



10 of 11 people found the following review helpful:
3.0 out of 5 stars Exceptional authors, but not an exceptional book, March 16, 2003
I wish I could give "Firewalls and Internet Security, 2nd Edition" (FAIS:2E) more stars. I eagerly awaited the next edition of this security classic with the rest of the community. However, like many sequels, it fails to live up to expectations. Nine years ago the first edition was revolutionary. In 2003, despite the addition of skilled practitioner Avi Rubin, the authors make few original contributions to the security scene.

The book's strengths include sharing certain keen insights and summarizing key technical data. They repeat the conclusion that frequent password changes tend to decrease security, rather than improve it. They succinctly describe BGP and IPv6. They accurately explain that TCP sequence numbers count bytes of data, not packets -- unlike many other authors. Their case studies, while dating from the early 1990s, are the most enjoyable parts of FAIS:2E. Like Avi Rubin's "White Hat Security Arsenal" (a better book), they cite scholarly work. Attention is paid to the firewall software of my favorite OS, FreeBSD, in ch 11.

On the negative side, the book is a mix of simplistic and advanced material. In some areas the authors start with basics, while in others they use terms like "black-hole" (p. 249) with little regard for newbies. The book seems disorganized; readers will find it hard to separate key points from normal text. The "forensics" advice, admittedly labeled as "crude" in ch 17, gives incomplete recommendations which do not reflect best forensic live response practices. (The "best thing to do" is "run ps and netstat" and then "turn the computer off"?) The authors are also very negative about the Windows OS, saying on p. 255 "We do not know how to secure them, or even if it is possible." While Windows is admittedly difficult to configure and operate securely, this statement is a cop-out. Better to direct readers to "Securing Windows NT/2000 Servers for the Internet" by Stefan Norberg. Examples with IPChains in ch 11 should have been updated with IPTables, or at least IPTables should not have been dismissed as being the same except for syntax.

FAIS:2E does contain useful information. I just think books like O'Reilly's "Building Internet Firewalls, 2nd Edition" and New Riders' "Linux Firewalls, 2nd Edition" are more helpful. Addison-Wesley's "White Hat Security Arsenal" is more enlightening, as well. Review FAIS:2E in a store before you commit to buying it -- you might find it helpful.




Inside This Book

First Sentence:
Internet security is certainly a hot topic these days.

Key Phrases - Statistically Improbable Phrases (SIPs):
handheld authenticator, keep state pass, exponential key exchange, dynamic packet filters, proto tcp, safe hosts, gateway machine, secure hosts, circuit gateways, firewall problems, wait root, root wheel, secure hash functions, cryptographic authentication, hacking tools, many firewalls, commercial firewalls, password file, firewall policy, tcp service, trusted computing base, outbound packets, host security, firewall rules, root access

Key Phrases - Capitalized Phrases (CAPs):
Bad Guys, New York, Kinds of Firewalls, The Upper Layers, Filtering Services, Orange Book, Red Hat, Secure Communications, Firewall Engineering, Internet Explorer, The Taking of Clark, Vulnerability Note, Destination Unreachable, Sun Microsystems, Sun Solaris, Wietse Venema, Buddy Fred, File Transfer Protocols, Lord of the Rings, Microsoft Windows, Properties of Secure Hosts, Ranum's Law, The Hacker's Workbench



