REVIEW: "Building Internet Firewalls", Elizabeth D. Zwicky/Simon
- BKBUINFI.RVW 20010105
"Building Internet Firewalls", Elizabeth D. Zwicky/Simon Cooper/D.
Brent Chapman, 2000, 1-56592-871-7, U$44.95/C$65.95
%A Elizabeth Zwicky
%A Simon Cooper
%A D. Brent Chapman
%C 103 Morris Street, Suite A, Sebastopol, CA 95472
%I O'Reilly & Associates, Inc.
%O U$44.95/C$65.95 707-829-0515 fax: 707-829-0104 nuts@...
%P 869 p.
%T "Building Internet Firewalls, Second Edition"

Cheswick and Bellovin's "Firewalls and Internet Security" (cf.
BKFRINSC.RVW) has been, and probably will continue to be, seen as the
classic reference with the seriously technical crowd. Chapman and
Zwicky, however, created the first reference for the more normal run
of system administrators: those whose lives do not revolve around
hacking the UNIX kernel. This expanded edition fulfills the same
task, and maintains the same reasonable stance. It is refreshing, for
example, to find a work that, even if it doesn't know much about
viruses, admits that firewalls can do very little to protect against

There is now a more general and introductory part one, discussing the
basic concepts before getting deeply into technical details. Three
chapters look at a rationale for firewall usage, Internet services and
requirements, and universal security strategies.

Part two (part one in the original edition) is an introduction to
firewall technology and structure. It could easily stand as a
separate book, itself, clearly explaining the operation of, and
reasoning behind, functions that other firewall books merely mention.
More, it is a very down-to-earth and practical guide to evaluating
security needs and planning for security systems and practices. The
writing is completely clear, and the explanations first-rate. Two
chapters look at the packet structures of Internet protocols and basic
firewall technologies. Chapter six, on firewall architectures, is a
perfect introduction for the manager who, while not having a technical
background, must lead or administer a security project, and is
followed by a short but useful outline for a design process. The
detailed chapter on packet filtering is the longest in the book, but
there is also solid coverage of proxy systems and bastion hosts. The
section concludes with valuable particulars of tools for securing UNIX
(and Linux) and Windows (NT and 2000) systems.

Part three reviews various Internet services, the reasons for having
them, risks associated with them, and details that can be used to
secure them. There is an introduction to the subject, and then
coverage of intermediary protocols, the World Wide Web, email and
news, file and print transfer and sharing, remote access, and real
time conferencing systems. Each chapter also deals with related
issues and technologies, such as the various specific mail protocols
and active content for Web pages. As well, the topics of naming and
directory services, authentication, administrative services, and
databases and games are examined. Two sample firewall configurations,
using the previous material, close off the division.

Part four provides quick but decent guidance on general security
issues. There is a look at security policies, firewall maintenance,
and responding to security incidents.

The appendices are useful, outlining resources for further information,
tools, and a brief but reliable explanation of cryptography. The
resource list, unlike the usual table of titles and URLs, contains
quality works, and is annotated.

This was the first book to truly explain, to the non-specialist, the
various factors and functions involved in firewall choice and
construction. I still have not found another of similar quality.
This new edition is not just an update, but a valuable extension and
expansion. For those building their own and for those evaluating
vendor proposals, this book is a must.

copyright Robert M. Slade, 1995, 2001 BKBUINFI.RVW 20010105
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade