REVIEW: "Practical Firewalls", Terry William Ogletree
- BKPRCFRW.RVW 20000823
"Practical Firewalls", Terry William Ogletree, 2000, 0-7897-2416-2,
%A Terry William Ogletree ogletree@... two@...
%C 201 W. 103rd Street, Indianapolis, IN 46290
%I Macmillan Computer Publishing (MCP)
%O U$34.99/C$52.95/UK#25.50 800-858-7674 www.mcp.com info@...
%P 491 p.
%T "Practical Firewalls"
Unfortunately, not much of this book is really practical. And a lot
of it is not about firewalls, either.
Part one presents the fundamentals of understanding firewalls and
security. Chapter one looks at firewall basics, mentioning many
topics but doing a poor job of explanation. Since the material is
very generic there is almost no detail. The TCP/IP content, in
chapter two, is also quite vague, with lots of irrelevant details like
DNS (Domain Name Service) record fieldnames, but little related to
security, and that of low quality. Security and the Internet gives a
general listing of threats, most not related to firewalls, in chapter
three. Chapter four has some good discussion of some aspects of
policy and design, but it is limited. There are rough outlines of
firewalls structures, but the material on pros and cons is poor. (As
the book progresses there are increasing amounts of repetitious text,
as this chapter amply demonstrates.) The review of packet filtering,
in chapter five, has some good points, but too much of the text relies
on "one size fits all" pronouncements. Again, there is a lot of
irrelevant detail on TCP/IP headers and not much on, say, filtering
rules. Because a bastion host is very highly secured itself, chapter
six is merely general security material, touching on too many
operating systems for good coverage. Some good points but limited
scope makes the proxy server topic weak in chapter seven. Chapter
eight does slightly better on auditing, by limiting itself to UNIX and
Part two looks at encryption, the relationship of which to firewalls
is problematic. Chapter nine does not really cover encryption
technology, being simply a set of definitions of basic terms. Since a
Virtual Private Network (VPN) is defined, in chapter ten, in terms of
tunneling, the material is necessarily restricted to that subsection
of the field. Chapter eleven does not really tell the reader how to
use PGP (the Pretty Good Privacy encryption program) but only deals
with some aspects of installation.
Part three touches on installation and configuration of a number of
products. Chapter twelve lists a number of firewall related tools,
for UNIX, that are available on the Internet. "Lists" is definitely
the operative word: so little information is given about the programs
that chapters thirteen through sixteen cover basic installation and
components of TCP Wrappers, TIS (Trusted Information Systems) Firewall
Toolkit, SOCKS, and SQUID. ipfwadm and ipchains (for Linux) are
described in chapter seventeen. Turning to Windows NT, chapter
eighteen recounts the installation of Microsoft Proxy Server and
nineteen does the same with the Elron CommandView firewall. Firewall
appliances, or standalone units are promoted in chapter twenty.
Chapter twenty one closes off with the same kind of vague generalities
given in part one.
The most valuable part of this book is part three: even though the
material is very limited, it is, at least, of some practical use.
Most of the other content is of questionable accuracy or completeness,
and therefore restricted in practicality. As noted, large sections of
the text aren't even about firewalls. This book definitely does not
compare with the classics like Cheswick and Bellovin's "Firewalls and
Internet Security" (cf. BKFRINSC.RVW) or Chapman and Zwicky's
"Building Internet Firewalls" (cf. BKBUINFI.RVW): a few suggestions
about installation of specific programs does not make up for a lack of
explanation of fundamental concepts, attacks, and defensive
copyright Robert M. Slade, 2000 BKPRCFRW.RVW 20000823
====================== (quote inserted randomly by Pegasus Mailer)
rslade@... rslade@... slade@... p1@...
Belief is no substitute for arithmetic. - Henry Spencer.
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade