Content by Amazon Customer
Reviews Written by
Amazon Customer (Acton, MA United States)
3.0 out of 5 stars
Solid Journalism, Mediocre Literature, Nov. 24 2003
According to the flyleaf, David Kahn (who wrote "The
Codebreakers") said of this book that "Steven Levy has written
cryptography's 'The Soul of a New Machine'". There may be some
truth to that, but mostly it implies a level of prose that is not
in evidence in this book. Steven Levy is no Tracy Kidder, aside
from an occasional tendency to let his prose override his
writing. What Levy is, however, is a pretty good technology
journalist, and the book is at its best when it trades on that
background. Indeed, Levy used a great deal of research in this
book which doesn't appear to have been used for his earlier
magazine articles. While the book is not footnoted, there is an
extensive "notes" section at the end. There is also a
bibliography, and an index.
One thing that Levy fails to do is make his "characters" come
across as fascinating individuals. This is not for lack of
trying -- clearly he finds them fascinating himself. However,
his prose fails him, particularly when trying to raise what a
journalist would call "human interest."
The strength of the book is not in its revelations of fact
either. The events described are already well-known to anybody
with an interest in the subject (in a number of cases,
particularly for events over the last decade, this is due to
Levy's own journalism in "Wired" and elsewhere). Aside from
filling in the history for those previously unaware of it, Levy's
interviewing skills turn up new evidence of the answers to one of
the most frequently repeated questions in the history of open
cryptography: "what were they thinking?"
For me, that is both the most important and the most interesting
question that Levy needed to face, and he takes it head-on. In
particular, he adds considerable scope (although little depth) to
describing the history of the Clipper chip. What were the NSA
(and the politicians) thinking? Well, as Levy describes it, the
key was the conflict between the FBI and the NSA, and the
illogical government approach was largely driven by the resulting
schizophrenia. Conspiracy nuts won't like that conclusion, but
it makes more sense than believing that the government really
expected it could put the crypto genie back into its bottle.
For those who don't appreciate the importance of crypto in the
Internet-connected age, this book is the best education in that
area. There is room for a better one to replace it, but it
doesn't exist now, and likely won't be written.
5.0 out of 5 stars
No longer the only, but still the best, book on the topic., Oct. 7 2003
This book is not just about firewalls, although that is its
primary focus. Nor does it try to cover the entire field of
Internet security, although it does provide a fairly good survey
of that field along the way. A fair description would be that it
is about building a security strategy around a firewall, which is
the practical outcome with which most potential readers should be
The first edition of this book was, for nearly a decade, pretty
much the only work on building firewalls. This edition is a
nearly complete rewrite, not so much because of the new
functionality needed of firewalls, but because system
administrators no longer write their own firewall software. In
some ways, this has given more attention to the services being
protected, reducing the emphasis on firewalls per se.
Some readers will undoubtedly consider parts of this book to
engage in Microsoft-bashing. I don't see it that way, for
reasons that the authors sum up in the introduction, in one of
their "security truisms": "Security is a tradeoff with
convenience." They do consider Windows hosts on their networks
to be insecure (and possibly unsecurable), but that has as much
to do with letting users install software on their own machines
as it does with the OS itself. Not only do the authors fully
intend the implication that there will be different tradeoffs to
be made for different situations, but they illustrate this in a
number of situations, where they describe implications of
tradeoffs that are driven by different end-user needs.
The book is quite complete, although the technology changes
quickly enough that this will be quite a bit less true by the
time a third edition might be written. The only issue that I
think deserved more attention was that of multi-homing.
Protecting a multihomed network is particularly difficult because
extra configuration is needed to identify packet spoofing, and
any filtering done by the upstream providers will make life even
more difficult. This problem deserves at least more recognition,
if not a full treatment of its own.
This book is not the ultimate reference on the topic that the
first edition was in its time. But it is not possible for any
one book to fill that role any more, and if it's no longer the
only book, it's still the most important. If you are after that
"ultimate reference," your best bet is probably the combination
of this book and Zwicky (et al.), "Building Internet Firewalls".