Customer Reviews

Firewalls and Internet Security: Repelling The Wily Hacker (Addison-Wesley Professional Computing)

5 star:		(13)
4 star:		(6)
3 star:		(2)
2 star:		(0)
1 star:		(1)

 

 

My hope was that reading Firewalls and Internet Security - Second Edition would be a chance to sit at the feet of the masters, but I was disappointed. Part of the problem is the title, this is not a firewall book; this is an internet oriented security overview. The writing style is professional, but terse, you will learn the names of many important things, but you will not learn how to DO anything and you will not even learn ABOUT very much. However the book gives you the NAMES of many important topics that you can go research on your own and is valuable for that. It is well edited and has a flawless layout making it a fast easy read because the technical level is low and the book is short.

The book opens with a few pages on security truisms, my favorite part of the book and a dazzling display of intellect! All the material after the truisms and up to chapter 9 is a quick tour of topics like Security Policy, Host-Based Security and Perimeter Security, Authentication, and all the Protocols in a couple paragraphs each.

Chapters 9 - 12 are where the book covers perimeters. Chapter 9 is dated material, Static Packet Filters, Network Topology, Application Gateways, and SOCKS. The book begins to improve in Chapter 10, remember, these authors really know their stuff and if you read closely there is wisdom here. The "Use the phone?" comment in the H.323 and SIP example firewall rule was a classic. Sadly, this whole critically important section got one thin paragraph.

In Chapter 13, there is a fascinating discussion about using routing tricks to protect a host, but it isn't clear to me you can implement this with the four sentences of information the authors provide. As you march on to Chapter 16, they have a few paragraphs on host security, name some types of IDSes and so forth.

Chapter 16 is from the original edition, An Evening with Berferd is a lovely read especially if you have a Unix background. Chapter 17, The Taking of Clark, another war story, was also fun.

The ending of the book is sad, the technical material concludes with three and a half pages titled: Where do we go from here? They briefly mention IPv6, but come to no conclusion as to its future. DNSsec gets two paragraphs, we do not even learn what it is, (a new resource record where the information that is stored can be signed).

In the final paragraph the authors conclude we are going backward not forward, that we cannot achieve the security level Multics had in the 1970s with modern operating systems. I sincerely hope that is not true; take a look at OpenBSD, one exploitable remote vulnerability in seven years. Think about the progress RedHat and Microsoft are making. Take a look at the work The Center for Internet Security is doing, take the Unix or Windows tracks at SANS, but never, ever give up.

Addison-Wesley in cooperation with William Cheskwick, Steven Bellovin and Aviel Rubin have produced yet another well-researched publication.

This book is all about Internet security, firewalls, VPNs and much more, all of which are hot topics and renowned buzzwords within today's IT industry.

In the first chapter, the authors express their view on network security and demonstrate the different methods an Administrator can use in order to secure their network(s). This is carried out by categorizing security into Host-Based and Perimeter security.

The second and third chapters are approximately 50 pages covering basic protocols, including IPv6, DNS, FTP, SNMP, NTP, RPC-based protocols and a several more like the famous NAT. The chapters are concluded with a summary on wireless security.

The next five chapters (chapter 4 to 8 inclusive), analyze various attacks used against networks and server operating systems in an attempt to exploit them. There is a wealth of information concerning hacking, allowing the reader to enter the mind of a hacker in terms of what they think and how they proceed to meet their goal.

One complete chapter is dedicated to various password tactics in which one can ensure that a hacker's life is made more difficult should they attempt to break into a few accounts using well-known methods related to password guessing. CHAP, PAP, Radius and PKI are also analyzed.

Chapter 9 to 12 are dedicated to Firewalls and VPNs which, in passing, happen to be my favourite chapters. They offer an in-depth analysis of the Firewall concept, packet filtering, application-level filtering and circuit level gateways. It proceeds with information about the filtering services, giving detailed examples on how one could use IPChains to create a simple or complex set of rules to efficiently block/permit packets entering in and out the network. This is perhaps the only downside to this informative book, where IPTables would have been beneficial to include, since people rarely use IPchains these days.

Lastly, chapter 12 talks about VPNs, their encryption methods, and considers both their weaknesses and advantages.

In addition to this, the book continues with several more chapters covering general questions that may arise for the reader, such as intranet routing, administration security and intrusion detection systems.

Towards the end, the authors talk about their personal experiences with people trying to hack into their companies and, as a result, explain the step- by- step process of how they managed to fight them and secure their networks. These pages are simply a goldmine for anyone interested in this area.

In summary, I'd say that the book is well worth its money and would suggest it to anyone interested in network security and firewalls. I am certain they won't be disappointed simply because the book has a lot to offer...

I wish I could give "Firewalls and Internet Security, 2nd Edition" (FAIS:2E) more stars. I eagerly awaited the next edition of this security classic with the rest of the community. However, like many sequels, it fails to live up to expectations. Nine years ago the first edition was revolutionary. In 2003, despite the addition of skilled practitioner Avi Rubin, the authors make few original contributions to the security scene.

The book's strengths include sharing certain keen insights and summarizing key technical data. They repeat the conclusion that frequent password changes tend to decrease security, rather than improve it. They succinctly describe BGP and IPv6. They accurately explain that TCP sequence numbers count bytes of data, not packets -- unlike many other authors. Their case studies, while dating from the early 1990s, are the most enjoyable parts of FAIS:2E. Like Avi Rubin's "White Hat Security Arsenal" (a better book), they cite scholarly work. Attention is paid to the firewall software of my favorite OS, FreeBSD, in ch 11.

On the negative side, the book is a mix of simplistic and advanced material. In some areas the authors start with basics, while in others they use terms like "black-hole" (p. 249) with little regard for newbies. The book seems disorganized; readers will find it hard to separate key points from normal text. The "forensics" advice, admittedly labeled as "crude" in ch 17, gives incomplete recommendations which do not reflect best forensic live response practices. (The "best thing to do" is "run ps and netstat" and then "turn the computer off"?) The authors are also very negative about the Windows OS, saying on p. 255 "We do not know how to secure them, or even if it is possible." While Windows is admittedly difficult to configure and operate securely, this statement is a cop-out. Better to direct readers to "Securing Windows NT/2000 Servers for the Internet" by Stefan Norberg. Examples with IPChains in ch 11 should have been updated with IPTables, or at least IPTables should not have been dismissed as being the same except for syntax.

FAIS:2E does contain useful information. I just think books like O'Reilly's "Building Internet Firewalls, 2nd Edition" and New Riders' "Linux Firewalls, 2nd Edition" are more helpful. Addison-Wesley's "White Hat Security Arsenal" is more enlightening, as well. Review FAIS:2E in a store before you commit to buying it -- you might find it helpful.

This is a fabulous book for someone that wants to learn the theories of internet security.

It's written by two people that developed the firewall as we know it today.

They share their stories of actual security breaches, and how the tracked and resolved the problem.

To get the most out of this book you should have an understanding of TCP/IP, UDP, and other internet protocols.

The book takes you through why you need security and developing a security policy. It gives you an overview of TCP/IP.

The book does a good job of teaching you about the different types of firewalls available from firewall gateways, to application gateways.

This is a must have book for all system administrators, not just security folks.

This great security book is written by the three famous members of a
security community "old school". These people supposedly lived when
dinosaurs roamed the Earth, when firewalls were a novelty and
intrusion detection unheard of and TCP port 80 was referred to as
"this new web thing. :-)

The book starts with an unusually exciting section on "security
truisms", timeless principles that allowed the first edition (1994)
to survive until the present time as a useful security book. The

principles will come handy for both hardened security pros (as review)
and complete beginners (as a required mindset). "Keep it simple",
"there is no absolute security", "defense in depth", "fix the
weakest link" and many others still form the philosophical skeleton
of modern security. In the same initial section, the ever-present
mystery of a security policy is covered in a clear and comprehensive
fashion.

Many other great ideas (some of which are starting to be forgotten
such as "firewall is a gate, not a wall") are found in a book. For
example, the benefits and pitfalls of crypto are also analyzed.

An interesting argument is provided on how graphical interfaces (GUIs)
actually measurably decrease firewall security. While some might think
that "easy to use equals more likely to be used right", authors hold
a different opinion.

While much of the content is timeless, the book is fully up to date
with material on DoS (and DDoS) attacks, VPNs and web security. Even
the debates on hiring hackers and eternal patching cycles find their
place in the book insets.

Firewalls are present in the book title, thus they get all the
deserved coverage with many examples of practical firewall
configuration (Linux, BSD). Linux ipchains coverage is a bit dated,
but can be used for the most part for the modern iptables
configuration as well. IDS are only mentioned, since the authors
apparently don't like them that much.

The book is understandably focused on defense. However, some novel
(are they really - surely authors have a reference somewhere to a 1985
paper where they were first covered? :-) ) attacks on routing are
discussed. Honeypots (in the form of a classic "An Evening with
Berferd" paper updated with more analysis) are also discussed. A
couple more fun incident cases (such as "The Taking of Clark" where
an unknown attacker had a point at getting through to one of the
authors) are also presented.

It does inherit the properties of the first edition (now freely
available) and have everything to look forward to the long and
successful future. The book is strongly recommended for any security
professional.

The book also boasts many amazing references to security
resources. What made some of them surprising is their age. How about a
paper on limitation of password authentication - from 1984?

Anton Chuvakin, Ph.D., GCIA, GCIH is a Senior Security Analyst with a major
information security company. His areas of infosec expertise include
intrusion detection, UNIX security, forensics, honeypots, etc. In his
spare time, he maintains his security portal info-secure.org

The words we wrote some nine years ago have a number of amusing anachronisms. This book is way overdue for an update, though the basic lessons are still valid.

Steve and I have been swamped with work, and the second edition needed nearly a full rewrite, so we brought Avi Rubin in to help us out. The technical reviews are coming in now, and the second edition should hit the streets mid-spring 2003.

That said, there are pieces unique to the first edition---the field is much bigger now---and I wonder if some of the bits in the first edition that didn't make it, like "A Look at the Logs", will remain interesting in the future.

The response to this by you, the reading public, has been more gratifying than a sea of "A"s in English papers! Thank you all!

ches

(I reviewed the manuscript before publication for the publisher, but
here I'm speaking for myself.)

The first edition of this book became known as the must-have boook
about firewalls, and rightly so. It defined how to build a firewall
for a couple of generations of Internet security managers. Since that
time, firewalls have become ubiquitous for corporate networks, and
they're even common in some form for many home networks.

In a world where firewalls are conveniently built into network
appliances, do we need a book about how to build them? In this case,
the answer is clearly "yes," but perhaps not for the obvious reasons.
What Cheswick, Bellovin, and Rubin have done is given us a guide to
thinking about securing networks, not just building firewalls. In a
sense, the importance of the second edition of "Firewalls and Internet
Security" has shifted to "Internet Security". The authors provide a
way of thinking about the problems of Internet security, not a basic
guide to operating firewall products on the market today.

It is this way of thinking about Internet security that provides
lasting value for the reader as well. The book explains critical
features (and problems) of the Internet architecture and its protocols,
giving the reader the context to understand how various attacks work
and how they can be prevented. By emphasizing fundamentals, the
authors provide valuable insight for the future as well as for today.
Yet the book is relentlessly pragmatic--it is focused on securing real
systems on real networks.

It's also fun to read. The writing is both witty and wise, and it
doesn't take an expert to understand it. However, the experienced
reader will still find much insight and will undoubtedly learn a few
things along the way.

A timely and much needed update to the first edition, Fwais 2.0 is an excellent overview of the current landscape and psychology involving intranet, VPN and Internet host security while correctly addressing the positives and negatives of firewall / internet security and the techniques used by hackers.

The authors start with hacking and security needs analysis, progress thru strategies and techniques, and end with useful security formulas, hypotheses and real life examples. They draw upon their own experiences and observations about network security and host protection to give the reader a well-rounded view of the concepts of security as they apply today. The book is well written with simple examples and antecedents. They have taken great care to explain how hackers work and their methodology. The best thing about the book is that it does not go into great detail about unnecessary finite security specifics and shows what works best while adding value by allowing the reader the opportunity to think for themselves and address their own needs. They maintain the premise that: " Simple security is better than complex security: it is easier to understand, verify, and maintain."(Page 81) while covering the types of attacks not only by method, but also by class, ranging from the kiddie script up to the sophisticated tunneling and VPN methods.

FWAIS 2.0 is a comprehensive guide to the most common security problems while not wasting time on the insignificant. It includes a good set of general rules and the tool sets necessary to secure a network at any level. FAWAIS 2.0 covers current protocols and allows simple guidelines for flexibility in determining your own network needs. It describes the weaknesses in both hardware and software while addressing their relational aspects in easy to understand terms. Written with Freebsd in mind many of the techniques in this edition adapt well to other sources such as Linux, Os/X, Unix, NetBsd, and Solaris.

The entire premise of the book revolves around the concept that old style layered security is not as good as it may appear. And that internet security and firewalls are a holistic endeavor of system integration and design. The authors have taken care to show just how difficult it can be to keep up with large network topology and lend truth to the fact that;
"There is no such thing as absolute security." (Page 3)

The concepts found in this book cover subjects such as :

What firewalls can and cannot do, capabilities and weaknesses.
What filtering services work best.
What services and practices are overkill.
Why firewalls are necessary, the risks to servers and the servers relationship to proper firewall installation.
What the steps to hacking are and the methodology used to break into a host.
The why, what and where of limiting services and the tools to secure the appropriate functions.
Types of firewalls and best practices for implementing security while building and designing firewalls.
Why building your own firewalls may be your best solution.
Applying past experiences to your firewall design.
Intrusion detection systems and their role as a network tool in firewall construction.
Honey pot examples showing how the techniques have been used to thwart and frustrate potential adversaries.

This is not a how to book written with step-by-step specific fill in the blanks, connect the dots, detailed mechanical guidelines, it addresses the real needs of the administrator in relation to actual daily situations. As they state on page 213 "-we don't think the hard part of firewall administration is data entry, it is knowing what the appropriate policies are."

The second edition is well documented and includes plenty of good link references, appendices and bibliography resources to help any professional keep current with the ever-changing environment of network defense.

Any organization evaluating current security needs should find the second edition helpful for determining their security goals and a comprehensive guide to help design, implement and deploy firewalls. The second edition is a definite must for any security library, certification-training program or public/private classroom situation.

I recommend Firewalls and Internet Security as the best starting point for anyone who might be considering any changes in company security structure or earning their security certifications.

(I had the pleasure of doing a pre-release review for the publisher. My wife and I enjoyed the meal they paid for. However this posting is done on my own.)

When the book first came out, it defined an Internet specialty. The Internet is now a bigger, and sometimes more dangerous, place. "Firewalls and Internet Security" won't guarantee your network's safety, but failure ignorance of the material in this book will guarantee its compromise.

The book provides an extraordinary combination of theory and practise, framework and procedure, technology and operations. The depth of the authors' knowledge and the pragmatic tone throughout the book make it unrivaled.

The writing is unusually accessible; it neither suffers from excessively obscure technical language nor does it pander to the reader with facile, superficial discussion. The humor is nicely spaced, and martini-dry.

A section on protocols is not simply one-more cursory review of what they do. Instead it provides a unique and thorough analysis of their security considerations, so that designers and network administrators can understand the strengths and weakness of the Internet's core technologies.

If you run a network and care about its safety, you won't be able to do your job well enough without reading this book. If you develop Internet technology, then remember that security is almost always impossible to design-in later. If you haven't read this book, you are not likely to get the design right.

/d

The title of this book doesn't really do it justice. It covers a lot more than just firewalls. The reader is greatly benefited by a quick read that's full of memorable facts.

Its well written, talking about topics that can, in isolation, appear as arcane. The arcane is framed nicely by a spy vs. spy story that's fascinating.

Ok, its not a Clifford Stoll novel, but its still great for those of us who want the nitty gritty details.

I can't tell you how many copies of this book I've bought.