Slashdot Mirror


Firewalls and Internet Security, 2nd Ed.

Eater writes "Over the last decade, we've seen an explosion in the area of books dealing with the subject of Internet security. Few have defined the genre as well as Firewalls and Internet Security: Repelling the Wily Hacker by Bill Cheswick and Steve Bellovin. Security gurus rejoice... the 2nd edition is finally here!" Eater compares this new version to the original in his review below.

Firewalls and Internet Security: Repelling the Wily Hacker, 2nd Ed.
  author: William Cheswick, Steven Bellovin, Aviel Rubin
  pages: 455
  publisher: Addison-Wesley
  rating: 9
  reviewer: Eater
  ISBN: 020163466X
  summary: Long-awaited second edition of the security administrator's favorite classic.

Those familiar with this classic have undoubtedly recommended it to other hackers seeking a definitive text. Firewalls and Internet Security has provided a roadmap for security-conscious sysadmins since its publication in 1994. It mixed sound policy recommendations with examples of UNIX-based implementations, all rooted in experience from working in AT&T corporate security.

Although many of the ideas laid out in the original edition are just as relevant in today's Internet, much has changed technically since 1994. At last, this month Addison-Wesley has released a new second edition: a nearly complete rewrite (and 135-page expansion) of the original classic.

A glance at the new edition indeed reveals significant changes. Avi Rubin has been added as an author. The preface details some of the predictions made from the first edition... some of which came true, and others that didn't. Most sections have been vastly expanded, if not completely restructured.

Denial-of-service (DoS) attacks, infamous in the previous decade, are explored in greater depth. Replacements for deprecated tools have been given new sections (ssh is detailed following the chapter on the "r" commands, for example). The myriad enumeration tools available today are discussed (e.g., Nessus, hping, nmap).

Intrusion-detection tools, almost completely absent from the first edition, are given space in the new book, although not nearly as much as I would have liked. Much has been added on the subject of cryptography and authentication. Forthcoming standards like IPv6 and DNSSEC are discussed.

Those who've read the original will recall the "Evening with Berferd," the chapter detailing a break-in the authors were able to watch and analyze in real time. This inspired more than a few honeypot-oriented projects. The second edition introduces a second real-world scenario, the "Taking of Clark," which illustrates the forensic measures to be taken after a host is compromised. Fans of Foundstone's Hacker's Challenge will find it familiar.

The defining thread across all of these topics is what makes this book a classic: the emphasis on the "why," not just the "how." Although the examples are mostly geared towards UNIX users, the guidance and policy suggestions are directly applicable to any platform where the reader is responsible for making security decisions.

Perhaps the greatest aspect of this book is its availability: it's on the web here. Those who are working in the security field, or those interested in it, will benefit from owning the hard-copy available from Addison-Wesley.

You can also purchase Firewalls and Internet Security, 2nd Edition from bn.com.

7 of 84 comments

  1. What about patched for human security holes? by Limburgher · Score: 2, Insightful

    Specifically, the one which makes lusers write their UserIDs and passwords on Post-It(c) notes on their monitors? You'd be amazed how many times I had to send people emails from themselves before they got the message. . .

    --

    You are not the customer.

    1. Re:What about patched for human security holes? by Zathrus · Score: 4, Insightful

      That patch will be issued immediately after the patch that causes asshole sysadmins to stop requiring a new password every 30 days that doesn't match any of the previous 11 passwords, is at least 8 characters long, and contains mixed case, a number, and a non-alphanumeric character.

      I've had to deal with such systems before and my passwords rapidly degraded from secure, non-dictionary crackable "phrases" to stupid crap like "Abcdef1", "aBcdef1", or "FuckYou2".

      Of course, I've also known people that did just write their passwords down on a piece of paper, even if you didn't have to change them. The best one was a Unix sysadmin at a place I used to work. He was incompetent, so we would just get stuff done ourselves by going over to his cube and reading the appropriate root password off the bottom of his wrist rest.

  2. Social eng beats firewall, you need log analysis by GringoGoiano · Score: 3, Insightful

    Firewalls are great when you can trust all your insiders. That's rarely the case. Real-time intrusion detection systems also help out, but fail when:

    • attacks are diffuse, slow and patient, and seemingly random -- there's no way a real-time detection system will connect the activity
    • insiders do the job -- they're not "intruding"

    To really address security of corporate data you need to:

    • log all activity on all servers and hardware surrounding your vital data
    • store that log data in a centralized location
    • periodically analyze that data for abnormal patterns of activity within or across logged systems
    • some analysis will be boilerplate, other analysis will be highly customized to a specific site's data architecture

    This log analysis approach complements the others, and will catch more insidious, long-term, and more damaging violations of critical data. Most corporations have the firewall angle covered well, but can't address social engineering or misbehaving insiders.

    Of course, the big problem here is storing all that log data. Security analysis companies have been around but either can't perform analysis at the detail required, or charge too much (that log data is huge and Oracle isn't cheap).

    Addamark Technologies has a security event logging and analysis tool that seems to address this problem though. They sell a product that uses a cluster of cheap Linux PCs to store all that data, a SQL/Perl query interface (for those that want to query data directly without web-UI tools), and some good web-UI tools. Data loading performance and query performance is out of this world. They've got a great customer list, too.
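The approach the comment above lays out (collect logs from every host centrally, then analyse them periodically across hosts instead of only in real time on each one) is illustrated by the following added example. It is not code from the post, from the book under review, or from any product mentioned; the log format, host names, addresses, users and thresholds are all constructed or assumed for the demonstration. It contrasts a per-host real-time rule, which misses a patient scanner that fails one login per host per day, with a cross-host window that catches it, and adds a per-user baseline check for an insider whose reads of a sensitive directory jump far above their own median.

```python
"""Centralized log analysis: low-and-slow cross-host activity and insider spikes.

Added example. All log lines are constructed; format, thresholds and
names are assumptions, not taken from any real product or site.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

BASE = datetime(2003, 3, 1, 9, 0, 0)  # constructed start of the sample period


def _line(host, ts, user, src, event, target):
    # Assumed collector format: space-separated key=value pairs.
    return (f"host={host} ts={ts.isoformat()} user={user} src={src} "
            f"event={event} target={target}")


def build_sample_lines():
    """Construct about two weeks of logs from six hosts (sample data, not real)."""
    lines = []
    hosts = [f"srv{i:02d}" for i in range(1, 7)]
    # alice: an ordinary burst of two failed logins on one host, then success.
    lines.append(_line("srv01", BASE, "alice", "10.0.0.5", "auth_fail", "-"))
    lines.append(_line("srv01", BASE + timedelta(minutes=1), "alice", "10.0.0.5", "auth_fail", "-"))
    lines.append(_line("srv01", BASE + timedelta(minutes=2), "alice", "10.0.0.5", "auth_ok", "-"))
    # Patient source (documentation address 203.0.113.7): one failed root login
    # every third day, each time against a different host.
    for day in range(6):
        ts = BASE + timedelta(days=day * 3, hours=day)
        lines.append(_line(hosts[day], ts, "root", "203.0.113.7", "auth_fail", "-"))
    # bob: two or three customer-file reads a day for six days, then forty in one day.
    for day in range(7):
        n = 40 if day == 6 else 2 + day % 2
        for k in range(n):
            ts = BASE + timedelta(days=day, minutes=k)
            lines.append(_line("srv03", ts, "bob", "10.0.0.9", "file_read",
                               f"/data/customers/{day}_{k}.csv"))
    return lines


def parse(line):
    """Turn one collector line into a dict with a datetime under 'ts'."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def per_host_bruteforce(records, threshold=5, window=timedelta(minutes=10)):
    """A host-local real-time rule: N failures from one source on one host within a window."""
    by_key = defaultdict(list)
    for r in records:
        if r["event"] == "auth_fail":
            by_key[(r["host"], r["src"])].append(r["ts"])
    hits = set()
    for key, times in by_key.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                hits.add(key)
                break
    return hits


def low_and_slow_sources(records, min_hosts=4, window=timedelta(days=30)):
    """Cross-host rule: sources whose failures touch >= min_hosts distinct hosts within the window."""
    by_src = defaultdict(list)
    for r in records:
        if r["event"] == "auth_fail":
            by_src[r["src"]].append((r["ts"], r["host"]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[src] = sorted(hosts)
                break
    return flagged


def insider_volume_spikes(records, prefix="/data/customers/", factor=5):
    """Per-user days whose reads under prefix exceed factor x that user's own median daily count."""
    daily = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["event"] == "file_read" and r["target"].startswith(prefix):
            daily[r["user"]][r["ts"].date()] += 1
    spikes = []
    for user, days in daily.items():
        counts = list(days.values())
        if len(counts) < 3:  # too little history to call anything a baseline
            continue
        base = median(counts)
        for day, n in sorted(days.items()):
            if n > factor * base:
                spikes.append((user, day.isoformat(), n, base))
    return spikes


if __name__ == "__main__":
    recs = [parse(l) for l in build_sample_lines()]
    print("per-host real-time hits:", per_host_bruteforce(recs))
    print("cross-host low-and-slow:", low_and_slow_sources(recs))
    print("insider volume spikes:", insider_volume_spikes(recs))
```

Run as a script, the per-host rule reports nothing, the cross-host window flags the patient source with all six hosts, and the baseline check reports bob's one anomalous day. The cross-host check is deliberately windowed so a source that touches many hosts over years is not lumped together with one that does so in a month; the baseline check uses the user's own median rather than a site-wide threshold, which is the "customized to a specific site's data architecture" part of the comment.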

  3. Re:Intelligent IDS by gid-goo · Score: 2, Insightful

    It seems like an interesting product. Doesn't seem overly useful for environments where folks are installing lots of new stuff. But for a production server environment where stuff doesn't change without multiple levels of approval it seems like a cool product. I don't believe the "virtually eliminates false positives" stuff, but I haven't used the product. Just a lot of other IDS' and they all claim to reduce false positives.

    It appears to still have the fundamental problem with all IDS' (see this). In summary, without the IDS being aware of the minutiae of the protocol stack of the target machine, it can't actually detect intrusions, not to mention IDS' can easily be overwhelmed. IMHO IDS' are dangerous; IT folks develop a sense of invulnerability. While they're useful for the run-of-the-mill crap that most kids spew, someone who's committed can open a can and the IDS will just stand around and look dumb. If you're the IT guy who told everyone that they could sleep at night because the IDS was taking care of business, then you look dumb.

  4. Re:What my parents thought by alienmole · Score: 2, Insightful

        If my mother thought I was studying it so I could become 31337, imagine what John Ashcroft might think.

    You have a good point. I'd like to add to that, that you're doing 2600 a bit of a disservice by characterizing it or its contributors so glibly as "bad guys". There's plenty of questionable stuff in 2600, but the point of it all is to encourage curiosity about, and understanding of, actual systems in the world - things you won't necessarily ever learn about in school etc. Since it's targeted mainly towards a young audience (afaict), this naturally gets bound up in a certain amount of rebelliousness and so on. But a thinking adult can see past this.

    There's a really fundamental point here, which is that if you're surrounded by black boxes that you don't understand, you become a helpless consumer, unable to understand or effectively deal with the world around you except in a second-class citizen sort of way. That's what many corporations would like to be the case, of course, and it's the direction that consumer culture naturally gravitates towards - but not everybody buys into that, and wanting to find out more about the world around you, and the technology on which so much depends, is not a crime.

  5. Silly by grub · Score: 0, Insightful

        Security gurus rejoice... the 2nd edition is finally here!

    If the readers were "security gurus" they'd already know this stuff, silly!

    --
    Trolling is a art,

  6. Re:How does it stack up against... by ThirdEdition · Score: 2, Insightful

    I don't think any one book is a good way to have an overall picture of security. Just like you need defense in depth, you need investigation/learning in depth.

    This second edition does a super job of updating the original, and it's about time. For unix security people I'd suggest you also read Hacking Linux Exposed because it has very in-depth coverage of everything from a Linux standpoint. (Unix really, but they focus on Linux for their answers about how you fix things. Pathnames may differ for other Unix systems, like BSD.)

    O'Reilly's BIF is good, but I'd suggest a Linux-specific firewall book too, like Linux Firewalls, Second Edition.

    For those people not familiar with Hacker's Challenge (1st and 2nd editions), it's a book chock full of real-world (presumably sanitized) cracking examples where they tell you what happened, copies of log data, and you try to figure out what happened. Very good book.

    I'd also like to note that Hacker's Challenge (and Hacking Linux Exposed, for that matter) are not Foundstone books. Hacker's Challenge's lead author is Mike Schiffman, director of security at @stake, which is definitely not Foundstone. Foundstone is doing poorly, going so far as to patent port scanning.