Firewalls and Internet Security, 2nd Ed.

Eater writes "Over the last decade, we've seen an explosion in the area of books dealing with the subject of Internet security. Few have defined the genre as well as Firewalls and Internet Security: Repelling the Wily Hacker by Bill Cheswick and Steve Bellovin. Security gurus rejoice... the 2nd edition is finally here!" Eater compares this new version to the original in his review below.

• Title: Firewalls and Internet Security: Repelling the Wily Hacker, 2nd Ed.
• Author: William Cheswick, Steven Bellovin, Aviel Rubin
• Pages: 455
• Publisher: Addison-Wesley
• Rating: 9
• Reviewer: Eater
• ISBN: 020163466X
• Summary: Long-awaited second edition of the security administrator's favorite classic.

Those familiar with this classic have undoubtedly recommended it to other hackers seeking a definitive text. Firewalls and Internet Security has provided a roadmap for security conscious sysadmins since its publication in 1994. It mixed sound policy recommendations with examples of UNIX-based implementations, all rooted in experience from working in AT&T corporate security.

Although many of the ideas laid out in the original edition are just as relevant in today's Internet, much has changed technically since 1994. Alas, this month Addison-Wesley has released a new second edition ... nearly complete rewrite (and 135 page expansion) of the original classic.

A glance at the new edition indeed reveals significant changes. Avi Rubin has been added as an author. The preface details some of the predictions made in the first edition... some of which came true, and others that didn't. Most sections have been vastly expanded, if not completely restructured.

Denial-of-service (DoS) attacks, infamous in the previous decade, are explored in greater depth. Replacements of deprecated tools have been given new sections (ssh is detailed following the chapter on the "r" commands, for example). The myriad of enumeration tools available today are discussed (e.g., Nessus, hping, nmap).

Intrusion-detection tools, almost completely absent from the first edition, are given space in the new book, although not nearly as much as I would have liked. Much has been added on the subject of cryptography and authentication. Forthcoming standards like IPv6 and DNSsec are discussed.

Those who've read the original will recall the "Evening with Berferd," the chapter detailing a break-in the authors were able to watch and analyze in real time. This inspired more than a few honeypot-oriented projects. The second edition introduces a second real-world scenario, the "Taking of Clark," which illustrates forensic measures to be taken after a host is compromised. Fans of Foundstone's Hacker's Challenge will find it familiar.

The defining thread across all of these topics is what makes this book a classic: the emphasis on the "why," not just the "how." Although the examples are mostly geared towards UNIX users, the guidance and policy suggestions are directly applicable to any platform where the reader is responsible for making security decisions.

Perhaps the greatest aspect of this book is its availability: it's on the web here. Those who are working in the security field, or those interested in it, will benefit from owning the hard-copy available from Addison-Wesley.

You can also purchase Firewalls and Internet Security, 2nd Edition from bn.com.

15 of 84 comments

  1. How does it stack up against... by ratbag · Score: 4, Interesting

    O'Reilly's Building Internet Firewalls (Zwicky, Cooper & Chapman)?

    Rob. (In the spirit of complete disclosure, I used to work with Simon Cooper's mum)

    1. Re:How does it stack up against... by gmuslera · Score: 4, Informative
      Or with Practical Unix and Internet Security, whose 3rd edition was released this month.

      I know, this one could talk less about firewalls and Windows and more about Unix, but anyway, it is good to see in what it is better and in what it is not.

    2. Re:How does it stack up against... by REBloomfield · Score: 5, Informative

      Different league. This is about security from the ground up, such as choosing passwords, where holes lie, even how they traced a real live hacker ("berferd"). How services are installed, AT&T Research's real-life setup etc etc... Read this one first, then get the O'Reilly one.

  2. Correction by arvindn · Score: 4, Interesting

    The first edition is available online. Of the second edition, a couple of chapters are available (in PDF, one in HTML). It does not say if the remaining chapters will become available. Does anyone have information on this?

    1. Re:Correction by ches · Score: 4, Informative

      It took us about 8 years to put the full text of the first edition on line. It's a marketing call, which we mostly leave up to our publishers. I don't think we will be putting the full text of the second edition up for quite some time.

      ches

  3. well.. by REBloomfield · Score: 5, Informative

    This is, without a doubt *the* bible for the subject. Got mine 2nd hand from a car boot years ago, and it lives on my desk permanently. I'd love to see how it's been updated, and whether there are any new additions similar to the Berferd tracing story. The short scripts for scanning subnets etc were great too. Well, well, worth reading.

  4. only 1st Ed available in full by rakerman · Score: 4, Informative

    Only the first edition of the book is available on the web in full at http://www.wilyhacker.com/1e/

    The second edition appears to be only available in hard copy, for the full purchase price, although there are some chapter excerpts available for download.

  5. Intelligent IDS by MarauderJr · Score: 5, Informative

    For anyone looking for more information on IDS's or Intelligent IDS's than is covered in the new book, take a look at the white paper on Intelligent IDS's at SecurityProfiling.

    1. Re:Intelligent IDS by MarauderJr · Score: 4, Interesting
      I have had the chance to play with it some over the past month. I am planning on putting in an Intelligent IDS on a new networking project that I am currently working on. Mainly for these reasons:

      • I will not be onsite. I do not want to drive for a couple of hours every time there is a potential problem such as, "I think someone has hacked our network!"
      • SecurityProfiling's Intelligent IDS and SysUpdate work on most major OS's (Windows, Linux variants, Irix, Apple's OS's).
      • The intelligent IDS solution will be able to watch all incoming traffic on the network for me and e-mail me if it catches any potentially malicious activity.
      • The Intelligent IDS will be able to check all the systems on the network if an attack is occurring against a known security flaw and check to see if all systems have the proper patches in place to make the attack unsuccessful against the known security flaw.
      • If a system is not patched against a known security flaw, the Intelligent IDS will go out and get the security patch and install it on all systems that are not already patched.
      • The Intelligent IDS will report fewer false positives and fewer false negatives than current IDS's.

      Overall, I believe that the Intelligent IDS can be a wonderful solution for almost any type of network. I'm setting up one for my office and my apt.

      Alexander Harrison
      Nocturn Designs

  6. Re:One of the reference books for tcpip today... by REBloomfield · Score: 5, Informative

    Personally, I think it's one of those books that grows with you. I got it when I was just starting network administration, and things like the Berferd story, and what DMZ's were, etc., though just out of my grasp, interested me enough to find out what the terms meant, and it's certainly easy enough to skip sections as you go along. The shell script examples are easy enough to follow, and should be fairly simple to modify for a beginner. Take the plunge, I promise you won't regret it. (It also has one of the clearest explanations of public key cryptography too...)

  7. Re:What about patched for human security holes? by Zathrus · Score: 4, Insightful

    That patch will be issued immediately after the patch that causes asshole sysadmins to stop requiring a new password every 30 days that doesn't match any of the previous 11 passwords, is at least 8 characters long containing mixed case, a number, and a non-alphanumeric character.

    I've had to deal with such systems before and my passwords rapidly degraded from secure, non-dictionary crackable "phrases" to stupid crap like "Abcdef1", "aBcdef1", or "FuckYou2".

    Of course, I've also known people that did just write their passwords down on a piece of paper, even if you didn't have to change them. The best one was a Unix sysadmin at a place I used to work. He was incompetent, so we would just get stuff done ourselves by going over to his cube and reading the appropriate root password off the bottom of his wrist rest.

  8. Alas? by sulli · Score: 4, Funny
    Alas, this month Addison-Wesley has released a new second edition ... nearly complete rewrite (and 135 page expansion) of the original classic.

    Is the author really lamenting the release of the new book? (Perhaps Eater is actually a Wily Hacker?)

    --

    sulli
    RTFJ.
  9. Re:What about patched for human security holes? by Wee · Score: 4, Interesting
    That patch will be issued immediately after the patch that causes asshole sysadmins to stop requiring a new password every 30 days that doesn't match any of the previous 11 passwords, is at least 8 characters long containing mixed case, a number, and a non-alphanumeric character.

    I just did a web-based auth system at work. We have a new web site structure, and we wanted to protect an area for faculty and staff only (I work at a university, in the CS department). I had to come up with a scheme to "force" good passwords for use with the web site (since there will be stuff in that private area that students should never be able to see). It's harder to do than you might think. There's a very fine line between pissing people off with strong passwords and letting them slide by using things like "qwerty".

    In the end, I came up with this:

    • >=6 characters
    • At least one non-alphanumeric character
    • Cannot be based on username (forward or backward)
    That's it. Pretty easy going, right? Not really. I've had a couple people complain already (it's been two days since we went live). I even removed the "Cannot be based on a dictionary word" requirement. We also removed the "Cannot be the same as your Unix system password" requirement (over my loud protestations).

    I actually had a professor (a computer science professor, mind you) ask that I make it more lenient. He lamented to me that because he had to choose a "strange" password (since his "normal" password didn't pass my tests), he had already forgotten what he had chosen. He then asked me to email him and let him know what his password is. After I got done laughing, I prepared a carefully-worded LARTish email explaining to him what a one-way hash is and why I wasn't able to tell him what his word was, even if I wanted to send it to him in email. I also threw in a little bit of "weak passwords are the #1 security hole" boilerplate and explained that I was glad that his normal system password wasn't able to be used on the web site.

    I haven't sent the email yet; I thought it might be too harsh so I decided to sit on it overnight. I think on one hand that anyone clueless enough to use a password that can't pass even my lame scheme deserves to be cut down a notch or two. Then I think that he's a tenured professor, and I should be more respectful. Then I think that he's a tenured professor, and yet is a complete idiot, and I go back to #1. I've always wanted to give a prof what-for.

    -B

    --

    Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
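The three-rule password policy Wee describes above, plus the one-way storage that made the "email me my password" request impossible, as an added example (not code from the thread or from the book under review). The exact "based on username" test is not spelled out in the comment; here it is assumed to mean the username, or its reverse, appearing anywhere in the password, case-insensitively. The storage uses PBKDF2 with a random salt, a choice of this example rather than anything the poster mentions.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Policy from the comment: >= 6 characters, at least one non-alphanumeric
# character, and not based on the username forward or backward.
MIN_LENGTH = 6
PBKDF2_ROUNDS = 200_000  # constructed value for this example


def password_violations(password: str, username: str) -> List[str]:
    """Return the policy rules the candidate breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[^0-9A-Za-z]", password):
        problems.append("no non-alphanumeric character")
    user = username.lower()
    pw = password.lower()
    # Assumption: "based on username" == username (or its reverse) occurs
    # anywhere inside the password, ignoring case.
    if user and (user in pw or user[::-1] in pw):
        problems.append("based on username (forward or backward)")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store only a salted one-way hash; the plaintext cannot be recovered from it."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed sample inputs: a weak password and a compliant one.
    for pw in ("qwerty", "eodj!1", "correct-horse"):
        print(pw, "->", password_violations(pw, "jdoe") or "OK")
    salt, digest = hash_password("correct-horse")
    print("verify:", verify_password("correct-horse", salt, digest))
```

Because only the salt and digest are stored, a forgotten password can be reset but never looked up, which is the point the LARTish email was making.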

  10. A Zen story (Re:Security Gurus?) by slouie · Score: 4, Funny

    After ten years of apprenticeship, Tenno achieved the rank of Zen teacher. One rainy day, he went to visit the famous master Nan-in. When he walked in, the master greeted him with a question, "Did you leave your wooden clogs and umbrella on the porch?"

    "Yes," Tenno replied.

    "Tell me," the master continued, "did you place your umbrella to the left of your shoes, or to the right?"

    Tenno did not know the answer, and realized that he had not yet attained full awareness. So he became Nan-in's apprentice and studied under him for ten more years.

    That is why gurus rejoice a good security book.

    --

    "I may be Love's bitch, but at least I'm man enough to admit it."
  11. Cheswick's latest talk by XenoBOFH · Score: 4, Informative

    I had the pleasure of attending LinuxForum 2003 (in Danish) this weekend, where Cheswick talked about Internet security. His slides can be found here and his entire talk is here. I must say that he is a very funny and interesting person.