Rating:  Summary: A nice internet security overview Review: My hope was that reading Firewalls and Internet Security - Second Edition would be a chance to sit at the feet of the masters, but I was disappointed. Part of the problem is the title, this is not a firewall book; this is an internet oriented security overview. The writing style is professional, but terse, you will learn the names of many important things, but you will not learn how to DO anything and you will not even learn ABOUT very much. However the book gives you the NAMES of many important topics that you can go research on your own and is valuable for that. It is well edited and has a flawless layout making it a fast easy read because the technical level is low and the book is short. The book opens with a few pages on security truisms, my favorite part of the book and a dazzling display of intellect! All the material after the truisms and up to chapter 9 is a quick tour of topics like Security Policy, Host-Based Security and Perimeter Security, Authentication, and all the Protocols in a couple paragraphs each. Chapters 9 - 12 are where the book covers perimeters. Chapter 9 is dated material, Static Packet Filters, Network Topology, Application Gateways, and SOCKS. The book begins to improve in Chapter 10, remember, these authors really know their stuff and if you read closely there is wisdom here. The "Use the phone?" comment in the H.323 and SIP example firewall rule was a classic. Sadly, this whole critically important section got one thin paragraph. In Chapter 13, there is a fascinating discussion about using routing tricks to protect a host, but it isn't clear to me you can implement this with the four sentences of information the authors provide. As you march on to Chapter 16, they have a few paragraphs on host security, name some types of IDSes and so forth. Chapter 16 is from the original edition, An Evening with Berferd is a lovely read especially if you have a Unix background. 
Chapter 17, The Taking of Clark, another war story, was also fun. The ending of the book is sad, the technical material concludes with three and a half pages titled: Where do we go from here? They briefly mention IPv6, but come to no conclusion as to its future. DNSsec gets two paragraphs, we do not even learn what it is, (a new resource record where the information that is stored can be signed). In the final paragraph the authors conclude we are going backward not forward, that we cannot achieve the security level Multics had in the 1970s with modern operating systems. I sincerely hope that is not true; take a look at OpenBSD, one exploitable remote vulnerability in seven years. Think about the progress RedHat and Microsoft are making. Take a look at the work The Center for Internet Security is doing, take the Unix or Windows tracks at SANS, but never, ever give up.
Rating:  Summary: Excellent. Has a Unix Bias Review: The book is excellent, detailing obscure aspects of internet hacks. It lacks views of other operating systems, but this work of Bellovin and Cheswick is superb!!
Rating:  Summary: Wow, a great read with actual supporting experience Review: The title of this book doesn't really do it justice. It covers a lot more than just firewalls. The reader is greatly benefited by a quick read that's full of memorable facts. It's well written, talking about topics that can, in isolation, appear as arcane. The arcane is framed nicely by a spy vs. spy story that's fascinating. OK, it's not a Clifford Stoll novel, but it's still great for those of us who want the nitty gritty details. I can't tell you how many copies of this book I've bought.
Rating:  Summary: It's hard to be timeless in this field Review: The words we wrote some nine years ago have a number of amusing anachronisms. This book is way overdue for an update, though the basic lessons are still valid. Steve and I have been swamped with work, and the second edition needed nearly a full rewrite, so we brought Avi Rubin in to help us out. The technical reviews are coming in now, and the second edition should hit the streets mid-spring 2003. That said, there are pieces unique to the first edition---the field is much bigger now---and I wonder if some of the bits in the first edition that didn't make it, like "A Look at the Logs", will remain interesting in the future. The response to this by you, the reading public, has been more gratifying than a sea of "A"s in English papers! Thank you all! ches
Rating:  Summary: We're working on it Review: There's a lot to update, and we are working on it. It was almost easier to write the first edition from scratch. If you have suggested topics we should cover, we are open to suggestions, though we have plenty on our plates right now. ches
Rating:  Summary: No longer the only, but still the best, book on the topic. Review: This book is not just about firewalls, although that is its primary focus. Nor does it try to cover the entire field of Internet security, although it does provide a fairly good survey of that field along the way. A fair description would be that it is about building a security strategy around a firewall, which is the practical outcome with which most potential readers should be concerned. The first edition of this book was, for nearly a decade, pretty much the only work on building firewalls. This edition is a nearly complete rewrite, not so much because of the new functionality needed of firewalls, but because system administrators no longer write their own firewall software. In some ways, this has given more attention to the services being protected, reducing the emphasis on firewalls per se. Some readers will undoubtedly consider parts of this book to engage in Microsoft-bashing. I don't see it that way, for reasons that the authors sum up in the introduction, in one of their "security truisms": "Security is a tradeoff with convenience." They do consider Windows hosts on their networks to be insecure (and possibly unsecurable), but that has as much to do with letting users install software on their own machines as it does with the OS itself. Not only do the authors fully intend the implication that there will be different tradeoffs to be made for different situations, but they illustrate this in a number of situations, where they describe implications of tradeoffs that are driven by different end-user needs. The book is quite complete, although the technology changes quickly enough that this will be quite a bit less true by the time a third edition might be written. The only issue that I think deserved more attention was that of multi-homing. 
Protecting a multihomed network is particularly difficult because extra configuration is needed to identify packet spoofing, and any filtering done by the upstream providers will make life even more difficult. This problem deserves at least more recognition, if not a full treatment of its own. This book is not the ultimate reference on the topic that the first edition was in its time. But it is not possible for any one book to fill that role any more, and if it's no longer the only book, it's still the most important. If you are after that "ultimate reference," your best bet is probably the combination of this book and Zwicky (et al.), "Building Internet Firewalls".
Rating:  Summary: Clearly the single best resource for understanding Firewalls Review: This book is standard for understanding firewall theory, written by the men who created some of the first firewalls as we know them. It serves as the basis for making sound decisions about when and how to use firewalls. Written in clear language, this is a technical book. If you don't know what TCP, UDP, and "application protocol" mean, learn them, and then read this book. The better you understand basic networking and security the more useful this book is. However don't let me lead you to believe it's not useful if you don't understand these terms. Read the book, read other books like "Internetworking with TCP/IP Vol. I: Principles, Protocols, and Architecture" by Douglas Comer. This book happens to be the first information security book I've read, although I've read dozens in the 6 years or so, since I first read this book. If you consider yourself knowledgeable about information security this is a classic that you need to read. If you're in need of network security knowledge this is a great place to start, and it contains great references.
Rating:  Summary: An outstanding, well reading guide to understanding security Review: This book reads like a good novel. It's informative, and easy to read. It gives a good feel about the "true system administrator" and the issues and goals he/she faces. Even though the book needs a newer edition, I'd quickly recommend it to anyone who needs a good book on internet security.
Rating:  Summary: Fun and useful read Review: This great security book is written by the three famous members of a security community "old school". These people supposedly lived when dinosaurs roamed the Earth, when firewalls were a novelty and intrusion detection unheard of and TCP port 80 was referred to as "this new web thing". :-) The book starts with an unusually exciting section on "security truisms", timeless principles that allowed the first edition (1994) to survive until the present time as a useful security book. The principles will come in handy for both hardened security pros (as review) and complete beginners (as a required mindset). "Keep it simple", "there is no absolute security", "defense in depth", "fix the weakest link" and many others still form the philosophical skeleton of modern security. In the same initial section, the ever-present mystery of a security policy is covered in a clear and comprehensive fashion. Many other great ideas (some of which are starting to be forgotten such as "firewall is a gate, not a wall") are found in the book. For example, the benefits and pitfalls of crypto are also analyzed. An interesting argument is provided on how graphical interfaces (GUIs) actually measurably decrease firewall security. While some might think that "easy to use equals more likely to be used right", the authors hold a different opinion. While much of the content is timeless, the book is fully up to date with material on DoS (and DDoS) attacks, VPNs and web security. Even the debates on hiring hackers and eternal patching cycles find their place in the book insets. Firewalls are present in the book title, thus they get all the deserved coverage with many examples of practical firewall configuration (Linux, BSD). Linux ipchains coverage is a bit dated, but can be used for the most part for the modern iptables configuration as well. IDS are only mentioned, since the authors apparently don't like them that much. 
The book is understandably focused on defense. However, some novel (are they really - surely authors have a reference somewhere to a 1985 paper where they were first covered? :-) ) attacks on routing are discussed. Honeypots (in the form of a classic "An Evening with Berferd" paper updated with more analysis) are also discussed. A couple more fun incident cases (such as "The Taking of Clark" where an unknown attacker had a point at getting through to one of the authors) are also presented. It does inherit the properties of the first edition (now freely available) and have everything to look forward to the long and successful future. The book is strongly recommended for any security professional. The book also boasts many amazing references to security resources. What made some of them surprising is their age. How about a paper on limitation of password authentication - from 1984? Anton Chuvakin, Ph.D., GCIA, GCIH is a Senior Security Analyst with a major information security company. His areas of infosec expertise include intrusion detection, UNIX security, forensics, honeypots, etc. In his spare time, he maintains his security portal info-secure.org