Firewalls and Internet Security: Repelling the Wily Hacker [Paperback]

This book is all about Internet security, firewalls, VPNs and much more, all of which are hot topics and renowned buzzwords within today's IT industry.

In the first chapter, the authors express their view on network security and demonstrate the different methods an Administrator can use in order to secure their network(s). This is carried out by categorizing security into Host-Based and Perimeter security.

The second and third chapters are approximately 50 pages covering basic protocols, including IPv6, DNS, FTP, SNMP, NTP, RPC-based protocols and a several more like the famous NAT. The chapters are concluded with a summary on wireless security.

The next five chapters (chapter 4 to 8 inclusive), analyze various attacks used against networks and server operating systems in an attempt to exploit them. There is a wealth of information concerning hacking, allowing the reader to enter the mind of a hacker in terms of what they think and how they proceed to meet their goal.

One complete chapter is dedicated to various password tactics in which one can ensure that a hacker's life is made more difficult should they attempt to break into a few accounts using well-known methods related to password guessing. CHAP, PAP, Radius and PKI are also analyzed.

Chapter 9 to 12 are dedicated to Firewalls and VPNs which, in passing, happen to be my favourite chapters. They offer an in-depth analysis of the Firewall concept, packet filtering, application-level filtering and circuit level gateways. It proceeds with information about the filtering services, giving detailed examples on how one could use IPChains to create a simple or complex set of rules to efficiently block/permit packets entering in and out the network. This is perhaps the only downside to this informative book, where IPTables would have been beneficial to include, since people rarely use IPchains these days.

Lastly, chapter 12 talks about VPNs, their encryption methods, and considers both their weaknesses and advantages.

In addition to this, the book continues with several more chapters covering general questions that may arise for the reader, such as intranet routing, administration security and intrusion detection systems.

Towards the end, the authors talk about their personal experiences with people trying to hack into their companies and, as a result, explain the step- by- step process of how they managed to fight them and secure their networks. These pages are simply a goldmine for anyone interested in this area.

In summary, I'd say that the book is well worth its money and would suggest it to anyone interested in network security and firewalls. I am certain they won't be disappointed simply because the book has a lot to offer...

The first edition of this book was, for nearly a decade, pretty
much the only work on building firewalls. This edition is a
nearly complete rewrite, not so much because of the new
functionality needed of firewalls, but because system
administrators no longer write their own firewall software. In
some ways, this has given more attention to the services being
protected, reducing the emphasis on firewalls per se.

Some readers will undoubtedly consider parts of this book to
engage in Microsoft-bashing. I don't see it that way, for
reasons that the authors sum up in the introduction, in one of
their "security truisms": "Security is a tradeoff with
convenience." They do consider Windows hosts on their networks
to be insecure (and possibly unsecurable), but that has as much
to do with letting users install software on their own machines
as it does with the OS itself. Not only do the authors fully
intend the implication that there will be different tradeoffs to
be made for different situations, but they illustrate this in a
number of situations, where they describe implications of
tradeoffs that are driven by different end-user needs.

The book is quite complete, although the technology changes
quickly enough that this will be quite a bit less true by the
time a third edition might be written. The only issue that I
think deserved more attention was that of multi-homing.
Protecting a multihomed network is particularly difficult because
extra configuration is needed to identify packet spoofing, and
any filtering done by the upstream providers will make life even
more difficult. This problem deserves at least more recognition,
if not a full treatment of its own.

This book is not the ultimate reference on the topic that the
first edition was in its time. But it is not possible for any
one book to fill that role any more, and if it's no longer the
only book, it's still the most important. If you are after that
"ultimate reference," your best bet is probably the combination
of this book and Zwicky (et. al.), "Building Internet Firewalls".