Slashdot Mirror
Firewalls and Internet Security, Second Edition
The authors start with hacking and security needs analysis, progress thru strategies and techniques, and end with useful security formulas, hypotheses and real life examples. They draw upon their own experiences and observations about network security and host protection to give the reader a well-rounded view of the concepts of security as they apply today. The book is well written with simple examples and antecedents. They have taken great care to explain how hackers work and their methodology. The best thing about the book is that it does not go into great detail about unnecessary finite security specifics and shows what works best while adding value by allowing the reader the opportunity to think for themselves and address their own needs. They maintain the premise that: " Simple security is better than complex security: it is easier to understand, verify, and maintain."(Page 81) while covering the types of attacks not only by method, but also by class, ranging from the kiddie script up to the sophisticated tunneling and VPN methods.
FWAIS 2.0 is a comprehensive guide to the most common security problems while not wasting time on the insignificant. It includes a good set of general rules and the tool sets necessary to secure a network at any level. FAWAIS 2.0 covers current protocols and allows simple guidelines for flexibility in determining your own network needs. It describes the weaknesses in both hardware and software while addressing their relational aspects in easy to understand terms. Written with Freebsd in mind many of the techniques in this edition adapt well to other sources such as Linux, Os/X, Unix, NetBsd, and Solaris.
The entire premise of the book revolves around the concept that old style layered security is not as good as it may appear. And that internet security and firewalls are a holistic endeavor of system integration and design. The authors have taken care to show just how difficult it can be to keep up with large network topology and lend truth to the fact that there is no such thing as absolute security.
The concepts found in this book cover subjects such as :
- What firewalls can and cannot do, capabilities and weaknesses.
- What filtering services work best.
- What services and practices are overkill.
- Why firewalls are necessary, the risks to servers and the servers relationship to proper firewall installation.
- What the steps to hacking are and the methodology used to break into a host.
- The why, what and where of limiting services and the tools to secure the appropriate functions.
- Types of firewalls and best practices for implementing security while building and designing firewalls.
- Why building your own firewalls may be your best solution.
- Applying past experiences to your firewall design.
- Intrusion detection systems and their role as a network tool in firewall construction.
- Honey pot examples showing how the techniques have been used to thwart and frustrate potential adversaries.
The second edition is well documented and includes plenty of good link references, appendices and bibliography resources to help any professional keep current with the ever-changing environment of network defense.
Any organization evaluating current security needs should find the second edition helpful for determining their security goals and a comprehensive guide to help design, implement and deploy firewalls. The second edition is a definite must for any security library, certification-training program or public/private classroom situation.
I recommend Firewalls and Internet Security as the best starting point for anyone who might be considering any changes in company security structure or earning their security certifications.
You can purchase the Firewalls and Internet Security, Second Edition from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
For those who want a more thorough background in the crypto-related topics found in Fwais2 (VPNs, tunneling, TLS, etc.), check out: http://www.youdzone.com/cryptobooks.html
There are now 147 cryptography and cryptography-related books (90 reviewed). 29 of the books have on-line errata links, and 7 of the books are free to download in their entirety.
I put the 'fun' in fundamentalism
At last a review that does not give you the classic "here is the index", and "the book has 3 parts, the 1st...".
Sounds like a really fun and informative read (i.e. not "secure your enterprise in 21 days"), will probably be on my reading list soon.
Thank!
I get the joke finally! Internet Security
That's rich! : p
I assert that my comment is only my opinion, not that of any employer, past, present or future.
amazon has it with free shipping or cheaper via the marketplace sellers
The book's strengths include sharing certain keen insights and summarizing key technical data. They repeat the conclusion that frequent password changes tend to decrease security, rather than improve it. They succinctly describe BGP and IPv6. They accurately explain that TCP sequence numbers count bytes of data, not packets -- unlike many other authors. Their case studies, while dating from the early 1990s, are the most enjoyable parts of FAWAIS 2.0. Like Avi Rubin's "White Hat Security Arsenal" (a better book), they cite scholarly work. Attention is paid to the firewall software of my favorite OS, FreeBSD, in ch 11.
On the negative side, the book is a mix of simplistic and advanced material. In some areas the authors start with basics, while in others they use terms like "black-hole" (p. 249) with little regard for newbies. The book seems disorganized; readers will find it hard to separate key points from normal text. The "forensics" advice, admittedly labeled as "crude" in ch 17, gives incomplete recommendations which do not reflect best forensic live response practices. (The "best thing to do" is "run ps and netstat" and then "turn the computer off"?) The authors are also very negative about the Windows OS, saying on p. 255 "We do not know how to secure them, or even if it is possible." While Windows is admittedly difficult to configure and operate securely, this statement is a cop-out. Better to direct readers to "Securing Windows NT/2000 Servers for the Internet" by Stefan Norberg. Examples with IPChains in ch 11 should have been updated with IPTables, or at least IPTables should not have been dismissed as being the same except for syntax.
FAWAIS 2.0 does contain useful information. I just think books like O'Reilly's "Building Internet Firewalls, 2nd Edition" and New Riders' "Linux Firewalls, 2nd Edition" are more helpful. Addison-Wesley's "White Hat Security Arsenal" is more enlightening, as well. Review FAWAIS 2.0 in a store before you commit to buying it -- you might find it helpful.
I've bought a few other similar books before, but this is the only one that I've continued reading. The authors have balanced opinions, and don't feel the need to proselyte.
;-)
Actually, I gave away the book to a relative of my wife when in Romania, so I've got to buy a new one
that timothy writes worse "reviews", than a high schooler writes a book report?
This is the high quality slashdot content worth paying for?
Actually, they don't even generate content. They let their readers do that and supposedly proof-read them and decide when / what to post. Whether it would be worse if they wrote them or simply performed editor functions, with all the mistakes, dupes, etc, is left as an exercise ot the reader.
You ass clown, Timothy didn't write the review. He simply posted it. The review was written by D Bruce Curtis, Ceo, American Interconnect. Whoever the hell that is.
I loved the review and agree that it wasn't the normal run of the mill "here's the TOC and index" deal that we see far to often on Slashdot.
The real question is whether is goes into enough technical depth, I would say. I know reading overviews and general ideas is usually very useful and helpful in the short term (perhaps to sound knowledgable in a meeting?) but would this book really give you enough "technical prowess" to write your own firewall?
That's my only real concern, but a great review nonetheless.
Damn, I was thinking about buying this book, but it only got a AA++ rating.
I don't buy any books that don't get at least a AAAAAAAAAAAAAAA+++++++++++++ rating.
Use Python
This one is a great addition to the book shelf, I know how to do certain things with firewalls by using the ipchains docs etc., but this book clarifies nicely why you are actually doing it and provides better ways of doing things that might not occur to you. Also, it introduces nice security concepts in a clear and easy way which even IT professionals might not have come across before.
It's hard not to be skeptical when you see a rating like that. I would think that a rating so high would be reserved for classics like "Applied Cryptography" and "The Art of Computer Programming". Is this book really of that caliber?
Maybe I'm just a little more stingy with my praise.
--
the strongest word is still the word "free"
Fact of the matter is (and I manage firewalls for a living) is that you can read all the books and white papers that you can find, but in the real world, nothing works like they say in books. Every firewall installation is different because every customer has different requirements. The book only serve as a general overview and in some cases, a how-to. But as I said, every VPN implementation and every rulebase is different. Until you get the trial by fire by working with firewalls yourself, no book can begin to tell you the absolute truth about how to implement anything. Firewalls, unfortunately are a very dynamic piece of the network puzzle and they require changes almost all of the time. Open up a port here, new VPN tunnel there, blcok this and allow that. Not to emtion that they have to play well with myriad other network devices like routers (ARP cache hell) and concentrators.
The books about this are all good and very well meaning, but to actually DO this stuff requires being there and being able to see exactly how things work. I've yet to pick up a book on firewalls that has really assisted me with anything beyond understanding the theory behind the digital curtain. Security is an ever changing business and it changes EVERY SINGLE DAY. By the time some of these books are publsihed, what held true with VPNs of one kind no longer holds true.
Read with an open mind, but unless the book is published by the firewall company itself, there is not alot there that will truly prepare you for the real world of firewall management.
(not often do we see dupe book reviews .. then again, I suppose it's fine to have multiple opinions on the subject.)
Also, note that this is identical to a review (third one down, by the same guy it seems) on amazon. So it's a double-dupe!
sulli
RTFJ.
Did Timothy even check if he is, in fact, a CEO of this alleged company? Doing a quick google, I find a D Bruce Curtis that goes to high school in Florida (complete with lame-ass wannabe hacker website on geocities), but no CEOs.
What about a point-by-point, layer-on-layer, inch-by-inch, over-the-meadow-and-through-the woods, up-the-flagpole-and-see-if-anyone-salutes, nose-to-the-grindstone, pedal-to-the-metal, gun-crazed-kill-spree sort of a guideline? Would that apply?
There are another couple of fairly decent reviews for this book here:
Security Forums Review
All in all not a bad book, perhaps a little disorganised, trying to fit too much in at once.
Obligatory amazon.com plagiarism link
Fast Wide Area Internet Search?
(Okay, so maybe I'm a bit old school.)
You know, I've noticed that as linux grows more popular, the HOWTOs and mini-HOWTOs are in a pitiful state...yet books on Linux and networking are exploding on the market. When I first started with Linux, the HOWTOs were great sources of information- current, relevant...often funny, too.
Nowadays, they're languishing. Outdated to the point of near uselessness. Just today someone asked me if the Software RAID HOWTO was up to date or not- it was dated 5/8/2002 and referred only to kernel 2.2!
The networking howtos are worse- documentation for iptables/ipchains, and especially the QoS stuff, is SEVERELY out of date, incomplete, or just plain wrong. Dozens of kernel options or features have ZERO documentation, not even a help message.
Folks, if you find a howto that's really out of date, try to contact the author. If they're not interested in continuing to develop it, work with the Linux Documentation Project to see if you can take it over or if they have someone that can. At the very least, give the current author some 'patches'(if anything, if they don't make corrections, that's a good argument for finding a new maintainer.)
Please help metamoderate.
Would anyone recommend this as an "I know sweet FA about firewalls" learning/info book. I have some cursory (fundamental) knowledge, bu I would love to get my hands on a good implementation beginners guide. Any other recommendations would be appreciated.
This one is the "Second Edition", with a rating of "AA++", whereas the one you refer to is the "2nd Ed.", with a rating of "9".
"Ask not what your country can do for you." --John F. Kennedy
Please moderate accordingly!
Perhaps because the slashdot review was also copy & pasted from Amazon (compare the /. one to the third review at Amazon)?
zonealarm ?
-1, Clueless.
You should try actually reading the book before you speak in platitudes. I started Exodus's Managed Security Services group, which had thousands of firewalls under management when I left. Despite this book being published in 1994, it remained my #1 recommended reading on the topic of network security, right up until the end my time there in 2001. The principles are timeless, and for the discerning reader, they transcend firewall brands, configuration recommendations, or changes in protocols. It is a book about security principles, how layers of security interoperate, how human error and fallacy can wreck the best-designed security measures, and so on.
You'd be well advised to read it.
Trying to say that this book is not insightful because "security changes every day" is like trying to say that Knuth's Art of Computer Programming is not insightful because programming languages change all the time.
One of the commonly repeated security shiboleths is 'end to end' security. This is a good thing in the same way that it is a good idea to have a burglar alarm in your house. The problem is when people start claiming that you should ONLY have a burglar alarm and that locking your front door is a BAD IDEA.
Over ten years ago I was involved in a series of arguments over the need for shadow passwords in UNIX. Not only did most people not get that they were needed there was actual opposition to the idea, people would claim repeatedly that protecting the password file made a system less secure. This despite the fact that crack was already circulating and usually managed to break a sizable proportion of passwords.
I get rather worried by the way some network administrators seem to consider getting a firewall to be the end of their security issues. It is as if they think a firewall is a +5 amulet of invincibility. But I get equally woried when folk make the claim that firewalls are unnecessary, and there are some very expensive consultants who make that claim when their clients are not arround.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
Maybe this has changed?
I totally agree about the kernel. ESR's project was actually cleaning this mess up. Pity some others can't be bothered with a few words on what their kernel option code actually does. Shame.
...and people who don't build to code are all idiots.
It's interesting, but this really applies to both computers and buildings. Except that building codes are analogous to program specs. And program code is analogous to built structures.
i am the poster on the amazon site, you insensitive clod.
Questioning a superlative, that's a Troll.
All I'm saying is that someone who uses a rating like "AA++" is likely given to exaggeration.
--
the strongest word is still the word "free"
No love for OpenBSD? It's arguably the best OS for security and firewalls.
Actually the Amazon reviewer is also D Bruce Curtis from AICS,Phoenix,Az-USA. So I think the same guy submitted it to both Amazon and slashdot. Not quite the same as a pure troll (if it's a real troll, where's the goatse redirect?).
sulli
RTFJ.
That is so wonderful! We're all proud of you! Keep up the great work. Allah be praised!
Many understood, few found it funny, none laughed.
I think the reviewer is one of the same people that left me some feedback on eBay.
"Great seller, would use again, AAAAAAAAAAAAAAAAAAAAAAAA+++++++++++++++++++++++"
Not that using all the extra A's and plusses cheapens the use of A's and plusses. Just makes the user look like Mr. Dumas.
-- There is no sig line, only Zuul.
Never let an untrained poster go near the submit button. I hope that we've all learned a valuable lesson from this.
Yours humbly,
Ta bù shì dà yú
XML is like violence. If it doesn't solve the problem, use more.