Firewalls and Internet Security: Repelling the Wily Hacker

Great book. Helped me a lot through my research paper.

This is an introductory text, that is entertainly written. I originally read the first edition of this book. While preparing a recent seminar I found that I wanted to reference it, but then realized that the material was somewhat dated. The second edition is from 2003, which is still 7 years old, but I find that the information is still very useful, the definition of a classic. More than a mere book on firewalls, this is a primer for the entire workings of the Internet Protocols. It has clear explanations of DNS, DHCP, TCP, UDP, ICMP, SSL, FTP and many other protocols without all the nitty gritty details that you'll find in a book like "TCP/IP Illustrated." <http://www.amazon.com/TCP-IP-Illustrated-Vol-Protocols/dp/0201633469>, which I recommend if you need more technical detail. The authors describe the risks associated with the protocols and strategies for protecting your systems. But, they go further, and explain other attacks and how they might circumvent the barriers that a sysadmin might erect. The exposition on Firewalls and VPNs (Virtual Private Networks) begins in Part IV. There are specific strategies given for protecting several protocols. No specifics on CISCO PIX, sorry guys, the examples use software generally available on Unix (FreeBSD). But, that's mainly a syntax issue, the principles are the same for the large comercial firewall systems. But, once again, if you need specifics, you'll need to read the manuals. This book will give you the foundation to understand what you read in the manuals. Firewall manuals are dry in comparison and generally lack strategic recommendations. The first appendix does a decent job of explaining public key cryptography. The second appendix is "dated" though in that it attempts to give "links" to other resources. After 7+ years, you can imagine the problems with that. Likewise the bibliography mainly cites texts from the 1990's; although there is one reference from 1872: "Through the Looking Glass", Lewis Carroll. Typical of the entertaining quotes throughout the book, "When I use a word. . .it means just what I choose it to mean, neither more nor less." And perhaps that's a fitting summary of this book's purpose, to familiarize you with the meanings of the "Carrollesque" words associated with Internet Security.

A timely and much needed update to the first edition, Fwais 2.0 is an excellent overview of the current landscape and psychology involving intranet, VPN and Internet host security while correctly addressing the positives and negatives of firewall / internet security and the techniques used by hackers. The authors start with hacking and security needs analysis, progress thru strategies and techniques, and end with useful security formulas, hypotheses and real life examples. They draw upon their own experiences and observations about network security and host protection to give the reader a well-rounded view of the concepts of security as they apply today. The book is well written with simple examples and antecedents. They have taken great care to explain how hackers work and their methodology. The best thing about the book is that it does not go into great detail about unnecessary finite security specifics and shows what works best while adding value by allowing the reader the opportunity to think for themselves and address their own needs. They maintain the premise that: " Simple security is better than complex security: it is easier to understand, verify, and maintain."(Page 81) while covering the types of attacks not only by method, but also by class, ranging from the kiddie script up to the sophisticated tunneling and VPN methods. FWAIS 2.0 is a comprehensive guide to the most common security problems while not wasting time on the insignificant. It includes a good set of general rules and the tool sets necessary to secure a network at any level. FAWAIS 2.0 covers current protocols and allows simple guidelines for flexibility in determining your own network needs. It describes the weaknesses in both hardware and software while addressing their relational aspects in easy to understand terms. Written with Freebsd in mind many of the techniques in this edition adapt well to other sources such as Linux, Os/X, Unix, NetBsd, and Solaris. The entire premise of the book revolves around the concept that old style layered security is not as good as it may appear. And that internet security and firewalls are a holistic endeavor of system integration and design. The authors have taken care to show just how difficult it can be to keep up with large network topology and lend truth to the fact that; "There is no such thing as absolute security." (Page 3) The concepts found in this book cover subjects such as : What firewalls can and cannot do, capabilities and weaknesses. What filtering services work best. What services and practices are overkill. Why firewalls are necessary, the risks to servers and the servers relationship to proper firewall installation. What the steps to hacking are and the methodology used to break into a host. The why, what and where of limiting services and the tools to secure the appropriate functions. Types of firewalls and best practices for implementing security while building and designing firewalls. Why building your own firewalls may be your best solution. Applying past experiences to your firewall design. Intrusion detection systems and their role as a network tool in firewall construction. Honey pot examples showing how the techniques have been used to thwart and frustrate potential adversaries. This is not a how to book written with step-by-step specific fill in the blanks, connect the dots, detailed mechanical guidelines, it addresses the real needs of the administrator in relation to actual daily situations. As they state on page 213 "-we don't think the hard part of firewall administration is data entry, it is knowing what the appropriate policies are." The second edition is well documented and includes plenty of good link references, appendices and bibliography resources to help any professional keep current with the ever-changing environment of network defense. Any organization evaluating current security needs should find the second edition helpful for determining their security goals and a comprehensive guide to help design, implement and deploy firewalls. The second edition is a definite must for any security library, certification-training program or public/private classroom situation. I recommend Firewalls and Internet Security as the best starting point for anyone who might be considering any changes in company security structure or earning their security certifications.

Addison-Wesley in cooperation with William Cheskwick, Steven Bellovin and Aviel Rubin have produced yet another well-researched publication. This book is all about Internet security, firewalls, VPNs and much more, all of which are hot topics and renowned buzzwords within today's IT industry. In the first chapter, the authors express their view on network security and demonstrate the different methods an Administrator can use in order to secure their network(s). This is carried out by categorizing security into Host-Based and Perimeter security. The second and third chapters are approximately 50 pages covering basic protocols, including IPv6, DNS, FTP, SNMP, NTP, RPC-based protocols and a several more like the famous NAT. The chapters are concluded with a summary on wireless security. The next five chapters (chapter 4 to 8 inclusive), analyze various attacks used against networks and server operating systems in an attempt to exploit them. There is a wealth of information concerning hacking, allowing the reader to enter the mind of a hacker in terms of what they think and how they proceed to meet their goal. One complete chapter is dedicated to various password tactics in which one can ensure that a hacker's life is made more difficult should they attempt to break into a few accounts using well-known methods related to password guessing. CHAP, PAP, Radius and PKI are also analyzed. Chapter 9 to 12 are dedicated to Firewalls and VPNs which, in passing, happen to be my favourite chapters. They offer an in-depth analysis of the Firewall concept, packet filtering, application-level filtering and circuit level gateways. It proceeds with information about the filtering services, giving detailed examples on how one could use IPChains to create a simple or complex set of rules to efficiently block/permit packets entering in and out the network. This is perhaps the only downside to this informative book, where IPTables would have been beneficial to include, since people rarely use IPchains these days. Lastly, chapter 12 talks about VPNs, their encryption methods, and considers both their weaknesses and advantages. In addition to this, the book continues with several more chapters covering general questions that may arise for the reader, such as intranet routing, administration security and intrusion detection systems. Towards the end, the authors talk about their personal experiences with people trying to hack into their companies and, as a result, explain the step- by- step process of how they managed to fight them and secure their networks. These pages are simply a goldmine for anyone interested in this area. In summary, I'd say that the book is well worth its money and would suggest it to anyone interested in network security and firewalls. I am certain they won't be disappointed simply because the book has a lot to offer...

No problems, good experience.

First let me start by saying I'm new to firewalls, but have been a computer systems builder for years and configuring Windows operating systems for the past 5 years. I was looking for a primer book.. The book covers fundamentals and the authors give in-depth examples for UNIX systems. About a third of the way through the book it remarked about the Windows 95 and their new NT technology (which has been around since about 2000). i finished reading the book, allot about UNIX and non existent on Microsoft products. Not a total waste of money but I finished the book feeling like i sat down for a dinner and was only served a side salad. Back to Amazon book list for me!

This book is not just about firewalls, although that is its primary focus. Nor does it try to cover the entire field of Internet security, although it does provide a fairly good survey of that field along the way. A fair description would be that it is about building a security strategy around a firewall, which is the practical outcome with which most potential readers should be concerned. The first edition of this book was, for nearly a decade, pretty much the only work on building firewalls. This edition is a nearly complete rewrite, not so much because of the new functionality needed of firewalls, but because system administrators no longer write their own firewall software. In some ways, this has given more attention to the services being protected, reducing the emphasis on firewalls per se. Some readers will undoubtedly consider parts of this book to engage in Microsoft-bashing. I don't see it that way, for reasons that the authors sum up in the introduction, in one of their "security truisms": "Security is a tradeoff with convenience." They do consider Windows hosts on their networks to be insecure (and possibly unsecurable), but that has as much to do with letting users install software on their own machines as it does with the OS itself. Not only do the authors fully intend the implication that there will be different tradeoffs to be made for different situations, but they illustrate this in a number of situations, where they describe implications of tradeoffs that are driven by different end-user needs. The book is quite complete, although the technology changes quickly enough that this will be quite a bit less true by the time a third edition might be written. The only issue that I think deserved more attention was that of multi-homing. Protecting a multihomed network is particularly difficult because extra configuration is needed to identify packet spoofing, and any filtering done by the upstream providers will make life even more difficult. This problem deserves at least more recognition, if not a full treatment of its own. This book is not the ultimate reference on the topic that the first edition was in its time. But it is not possible for any one book to fill that role any more, and if it's no longer the only book, it's still the most important. If you are after that "ultimate reference," your best bet is probably the combination of this book and Zwicky (et. al.), "Building Internet Firewalls".

(I reviewed the manuscript before publication for the publisher, but here I'm speaking for myself.) The first edition of this book became known as the must-have boook about firewalls, and rightly so. It defined how to build a firewall for a couple of generations of Internet security managers. Since that time, firewalls have become ubiquitous for corporate networks, and they're even common in some form for many home networks. In a world where firewalls are conveniently built into network appliances, do we need a book about how to build them? In this case, the answer is clearly "yes," but perhaps not for the obvious reasons. What Cheswick, Bellovin, and Rubin have done is given us a guide to thinking about securing networks, not just building firewalls. In a sense, the importance of the second edition of "Firewalls and Internet Security" has shifted to "Internet Security". The authors provide a way of thinking about the problems of Internet security, not a basic guide to operating firewall products on the market today. It is this way of thinking about Internet security that provides lasting value for the reader as well. The book explains critical features (and problems) of the Internet architecture and its protocols, giving the reader the context to understand how various attacks work and how they can be prevented. By emphasizing fundamentals, the authors provide valuable insight for the future as well as for today. Yet the book is relentlessly pragmatic--it is focused on securing real systems on real networks. It's also fun to read. The writing is both witty and wise, and it doesn't take an expert to understand it. However, the experienced reader will still find much insight and will undoubtedly learn a few things along the way.