Firewalls and Internet Security:
Repelling the Wily Hacker

William R. Cheswick, Steven M. Bellovin + Aviel D. Rubin

Addison-Wesley 2003
A book review by Danny Yee © 2003
The first edition of Firewalls and Internet Security (1994) was one of the very first books on firewalls to appear and became a classic, remaining in print for nearly a decade. Though rewritten almost completely, this second edition retains much of the flavour and focus of the first, which is both a strength and a weakness. It is idiosyncratic and somewhat scattered, trying to cover everything while still providing unique material. But where it is good it is very good, with the authors' wealth of experience showing in the "broad picture" integration of security into the real world. And it is just plain fun to read! There are now many other books on firewalls to compete with, but Firewalls and Internet Security still stands out from the crowd.

An introductory chapter offers some security truisms, hints on choosing a security policy, broad strategies for securing networks, and a note on ethics. This is followed by a security review of Internet protocols, from IP and routing and addressing, through FTP, the network time protocol, and others to the web. (A basic familiarity with these protocols is assumed, along with some Unix experience and a little cryptography, though an appendix offers a basic introduction to the last.)

Next comes a survey of the different classes of attacks — social engineering, bugs and back-doors, denial of service attacks, viruses and worms, protocol failures, etc. — and a look at some of the tools and techniques of the hacker.

There's a survey of authentication systems: one-time passwords, challenge-response passwords, smart cards, biometrics, RADIUS, SASL and PKI. And there are hints on how to secure particular Unix services — inetd, apache, POP, named, samba, and so forth — in which chroot jails feature prominently.

An overview of the different kinds of firewalls and filtering services is followed by some detailed tips on writing firewall rulesets, with an example using ipchains under Linux. And there's a chapter on VPNs, with a focus on minimising the security risks with employees working from home.

Of course many organisations are so big that perimeter defence is less effective. So there's also an overview of network layout issues, host security, and intrusion detection.

The first edition's case study "An Evening with Berferd", an example of keeping an intruder in a controlled "jail", is still there. And there's a new case study "The Taking of Clark", illustrating forensic analysis after a break-in.

Rather than trying to be systematic, Firewalls and Internet Security is more of a personal account, describing some of the things the authors have done and some of the things they've found useful. A page on securing Samba, for example, describes a limited — no printer support! — experimental system for Windows users on a home network: each user is directed to a different TCP port, on which runs a jailed smbd process specific to that user. The approach also reflects the authors' backgrounds — as they mention themselves in their introduction, they have an academic computer science perspective and are heavily Unix-oriented.

It's not a reference, and it may not be one of the first books an Internet security professional would put on their shelves, but the experts may find some new ideas or approaches in Firewalls and Internet Security. And it's not an introductory book either, but for those of us on the edge of the field — computer science students and Unix system administrators in particular — it's an entertaining, chatty, and informative read.

August 2003

%T Firewalls and Internet Security
%S Repelling the Wily Hacker
%A Cheswick, William R.
%A Bellovin, Steven M.
%A Rubin, Aviel D.
%I Addison-Wesley
%D 2003
%O paperback, 2nd edition, bibliography, index
%G ISBN 020163466X
%P xx,433pp