Firewalls and Internet Security: Repelling the Wily Hacker (2nd Edition) Paperback – Feb 24 2003
Essential information for anyone wanting to protect Internet-connected computers from unauthorised access. Includes:
- thorough discussion of security-related aspects of TCP/IP;
- step-by-step plans for setting up firewalls;
- hacking and monitoring tools the authors have built to rigorously test and maintain firewalls;
- pointers to public domain security tools on the net;
- first-hand step-by-step accounts of battles with the "Berferd" hackers; and
- practical discussions of the legal aspects of security.
--Jake Bond --This text refers to an alternate Paperback edition.
From the Inside Flap
But after a time, as Frodo did not show any sign of writing a book on the spot, the
hobbits returned to their questions about doings in the Shire.
Lord of the Rings
The first printing of the First Edition appeared at the Las Vegas Interop in May, 1994. At that same show appeared the first of many commercial firewall products. In many ways, the field has matured since then: You can buy a decent firewall off the shelf from many vendors.
The problem of deploying that firewall in a secure and useful manner remains. We have studied many Internet access arrangements in which the only secure component was the firewall itself—it was easily bypassed by attackers going after the “protected” inside machines. Before the trivestiture of AT&T/Lucent/NCR, there were over 300,000 hosts behind at least six firewalls, plus special access arrangements with some 200 business partners.
Our first edition did not discuss the massive sniffing attacks discovered in the spring of 1994. Sniffers had been running on important Internet Service Provider (ISP) machines for months—machines that had access to a major percentage of the ISP’s packet flow. By some estimates, these sniffers captured over a million host name/user name/password sets from passing telnet, ftp, and rlogin sessions. There were also reports of increased hacker activity on military sites. It’s obvious what must have happened: If you are a hacker with a million passwords in your pocket, you are going to look for the most interesting targets, and .mil certainly qualifies.
Since the First Edition, we have been slowly losing the Internet arms race. The hackers have developed and deployed tools for attacks we had been anticipating for years. IP spoofing [Shimomura, 1996] and TCP hijacking are now quite common, according to the Computer Emergency Response Team (CERT). ISPs report that attacks on the Internet’s infrastructure are increasing.
There was one attack we chose not to include in the First Edition: the SYN-flooding denial-of-service attack that seemed to be unstoppable. Of course, the Bad Guys learned about the attack anyway, making us regret that we had deleted that paragraph in the first place. We still believe that it is better to disseminate this information, informing saints and sinners at the same time. The saints need all the help they can get, and the sinners have their own channels of communication.
Crystal Ball or Bowling Ball?
The first edition made a number of predictions, explicitly or implicitly. Was our foresight accurate?
Our biggest failure was neglecting to foresee how successful the Internet would become. We barely mentioned the Web and declined a suggestion to use some weird syntax when listing software resources. The syntax, of course, was the URL...
Concomitant with the growth of the Web, the patterns of Internet connectivity vastly increased. We assumed that a company would have only a few external connections—few enough that they’d be easy to keep track of, and to firewall. Today’s spaghetti topology was a surprise.
We didn’t realize that PCs would become Internet clients as soon as they did. We did, however, warn that as personal machines became more capable, they’d become more vulnerable. Experience has proved us very correct on that point.
We did anticipate high-speed home connections, though we spoke of ISDN, rather than cable modems or DSL. (We had high-speed connectivity even then, though it was slow by today’s standards.) We also warned of issues posed by home LANs, and we warned about the problems caused by roaming laptops.
We were overly optimistic about the deployment of IPv6 (which was called IPng back then, as the choice hadn’t been finalized). It still hasn’t been deployed, and its future is still somewhat uncertain.
We were correct, though, about the most fundamental point we made: Buggy host software is a major security issue. In fact, we called it the “fundamental theorem of firewalls”:
Most hosts cannot meet our requirements: they run too many programs that are too large. Therefore, the only solution is to isolate them behind a firewall if you wish to run any programs at all.
If anything, we were too conservative.
Our Approach
This book is nearly a complete rewrite of the first edition. The approach is different, and so are many of the technical details. Most people don’t build their own firewalls anymore. There are far more Internet users, and the economic stakes are higher. The Internet is a factor in warfare.
The field of study is also much larger—there is too much to cover in a single book. One reviewer suggested that Chapters 2 and 3 could be a six-volume set. (They were originally one mammoth chapter.) Our goal, as always, is to teach an approach to security. We took far too long to write this edition, but one of the reasons why the first edition survived as long as it did was that we concentrated on the concepts, rather than details specific to a particular product at a particular time. The right frame of mind goes a long way toward understanding security issues and making reasonable security decisions. We’ve tried to include anecdotes, stories, and comments to make our points.
Some complain that our approach is too academic, or too UNIX-centric, that we are too idealistic, and don’t describe many of the most common computing tools. We are trying to teach attitudes here more than specific bits and bytes. Most people have hideously poor computing habits and network hygiene. We try to use a safer world ourselves, and are trying to convey how we think it should be.
The chapter outline follows, but we want to emphasize the following:
It is OK to skip the hard parts.
If we dive into detail that is not useful to you, feel free to move on.
The introduction covers the overall philosophy of security, with a variety of time-tested maxims. As in the first edition, Chapter 2 discusses most of the important protocols, from a security point of view. We moved material about higher-layer protocols to Chapter 3. The Web merits a chapter of its own.
The next part discusses the threats we are dealing with: the kinds of attacks in Chapter 5, and some of the tools and techniques used to attack hosts and networks in Chapter 6. Part III covers some of the tools and techniques we can use to make our networking world safer. We cover authentication tools in Chapter 7, and safer network servicing software in Chapter 8.
Part IV covers firewalls and virtual private networks (VPNs). Chapter 9 introduces various types of firewalls and filtering techniques, and Chapter 10 summarizes some reasonable policies for filtering some of the more essential services discussed in Chapter 2. If you don’t find advice about filtering a service you like, we probably think it is too dangerous (refer to Chapter 2).
Chapter 11 covers a lot of the deep details of firewalls, including their configuration, administration, and design. It is certainly not a complete discussion of the subject, but should give readers a good start. VPN tunnels, including holes through firewalls, are covered in some detail in Chapter 12. There is more detail in Chapter 18.
In Part V, we apply these tools and lessons to organizations. Chapter 13 examines the problems and practices on modern intranets. See Chapter 15 for information about deploying a hacking-resistant host, which is useful in any part of an intranet. Though we don’t especially like intrusion detection systems (IDSs) very much, they do play a role in security, and are discussed in Chapter 15.
The last part offers a couple of stories and some further details. The Berferd chapter is largely unchanged, and we have added “The Taking of Clark,” a real-life story about a minor break-in that taught useful lessons.
Chapter 18 discusses secure communications over insecure networks, in quite some detail. For even further detail, Appendix A has a short introduction to cryptography.
The conclusion offers some predictions by the authors, with justifications. If the predictions are wrong, perhaps the justifications will be instructive. (We don’t have a great track record as prophets.) Appendix B provides a number of resources for keeping up in this rapidly changing field.
Errata and Updates
Everyone and every thing seems to have a Web site these days; this book is no exception. We’ll post an errata list there; we’ll also keep an up-to-date list of other useful Web resources. If you find any errors—we hope there aren’t many—please let us know via e-mail at firstname.lastname@example.org.
Acknowledgments
For many kindnesses, we’d like to thank Joe Bigler, Steve “Hollywood” Branigan, Hal Burch, Brian Clapper, David Crocker, Tom Dow, Phil Edwards and the Internet Public Library, Anja Feldmann, Karen Gettman, Brian Kernighan, David Korman, Tom Limoncelli, Norma Loquendi, Cat Okita, Robert Oliver, Vern Paxson, Marcus Ranum, Eric Rescorla, Guido van Rooij, Luann Rouff (a most excellent copy editor), Abba Rubin, Peter Salus, Glenn Sieb, Karl Siil (we’ll always have Boston), Irina Strizhevskaya, Rob Thomas, Win Treese, Dan Wallach, Avishai Wool, Karen Yannetta, and Michal Zalewski, among many others.
Top Customer Reviews
This book is all about Internet security, firewalls, VPNs and much more, all of which are hot topics and renowned buzzwords within today's IT industry.
In the first chapter, the authors express their view on network security and demonstrate the different methods an Administrator can use in order to secure their network(s). This is carried out by categorizing security into Host-Based and Perimeter security.
The second and third chapters are approximately 50 pages covering basic protocols, including IPv6, DNS, FTP, SNMP, NTP, RPC-based protocols and several more like the famous NAT. The chapters are concluded with a summary on wireless security.
The next five chapters (chapters 4 to 8 inclusive) analyze various attacks used against networks and server operating systems in an attempt to exploit them. There is a wealth of information concerning hacking, allowing the reader to enter the mind of a hacker in terms of what they think and how they proceed to meet their goal.
One complete chapter is dedicated to various password tactics in which one can ensure that a hacker's life is made more difficult should they attempt to break into a few accounts using well-known methods related to password guessing. CHAP, PAP, Radius and PKI are also analyzed.
Chapter 9 to 12 are dedicated to Firewalls and VPNs which, in passing, happen to be my favourite chapters. They offer an in-depth analysis of the Firewall concept, packet filtering, application-level filtering and circuit level gateways.
primary focus. Nor does it try to cover the entire field of
Internet security, although it does provide a fairly good survey
of that field along the way. A fair description would be that it
is about building a security strategy around a firewall, which is
the practical outcome with which most potential readers should be
The first edition of this book was, for nearly a decade, pretty
much the only work on building firewalls. This edition is a
nearly complete rewrite, not so much because of the new
functionality needed of firewalls, but because system
administrators no longer write their own firewall software. In
some ways, this has given more attention to the services being
protected, reducing the emphasis on firewalls per se.
Some readers will undoubtedly consider parts of this book to
engage in Microsoft-bashing. I don't see it that way, for
reasons that the authors sum up in the introduction, in one of
their "security truisms": "Security is a tradeoff with
convenience." They do consider Windows hosts on their networks
to be insecure (and possibly unsecurable), but that has as much
to do with letting users install software on their own machines
as it does with the OS itself. Not only do the authors fully
intend the implication that there will be different tradeoffs to
be made for different situations, but they illustrate this in a
number of situations, where they describe implications of
tradeoffs that are driven by different end-user needs.
here I'm speaking for myself.)
The first edition of this book became known as the must-have book
about firewalls, and rightly so. It defined how to build a firewall
for a couple of generations of Internet security managers. Since that
time, firewalls have become ubiquitous for corporate networks, and
they're even common in some form for many home networks.
In a world where firewalls are conveniently built into network
appliances, do we need a book about how to build them? In this case,
the answer is clearly "yes," but perhaps not for the obvious reasons.
What Cheswick, Bellovin, and Rubin have done is given us a guide to
thinking about securing networks, not just building firewalls. In a
sense, the importance of the second edition of "Firewalls and Internet
Security" has shifted to "Internet Security". The authors provide a
way of thinking about the problems of Internet security, not a basic
guide to operating firewall products on the market today.
It is this way of thinking about Internet security that provides
lasting value for the reader as well. The book explains critical
features (and problems) of the Internet architecture and its protocols,
giving the reader the context to understand how various attacks work
and how they can be prevented. By emphasizing fundamentals, the
authors provide valuable insight for the future as well as for today.
Yet the book is relentlessly pragmatic--it is focused on securing real
systems on real networks.
It's also fun to read. The writing is both witty and wise, and it
doesn't take an expert to understand it. However, the experienced
reader will still find much insight and will undoubtedly learn a few
things along the way.
Most recent customer reviews
This second edition has all the qualities the first edition had 10 years ago: Their writing is clear, they provide a sober assessment of the costs & benefits of various...
Published on April 5 2004 by Amazon Customer
This is THE book on firewalls.
If you want information from the authoritative sources, this is the book to get.
If you can tolerate the anti-Microsoft aspect, read on!
A timely and much needed update to the first edition, Fwais 2.0 is an excellent overview of the current landscape and psychology involving intranet, VPN and Internet host security...
Published on July 3 2003 by D Bruce Curtis
This great security book is written by the three famous members of a
security community "old school".
(I had the pleasure of doing a pre-release review for the publisher. My wife and I enjoyed the meal they paid for. However this posting is done on my own.
Published on May 20 2003 by Dave Crocker
My hope was that reading Firewalls and Internet Security - Second Edition would be a chance to sit at the feet of the masters, but I was disappointed.
Published on March 22 2003 by Stephen Northcutt
I wish I could give "Firewalls and Internet Security, 2nd Edition" (FAIS:2E) more stars. I eagerly awaited the next edition of this security classic with the rest of the...
Published on March 16 2003 by Richard Bejtlich
While written in 1994 (with a second edition coming soon), I feel that this book is nevertheless a must read for people who are first getting into Unix network security.
Published on Nov. 19 2002 by Doug M
The words we wrote some nine years ago have a number of amusing anachronisms. This book is way overdue for an update, though the basic lessons are still valid.
Published on Nov. 13 2002 by William R. Cheswick