Date: 03 May 1994 00:00:18 -0700 (MST)
From: RayK
Subject: Debate interruption - New firewalls book
Sender: bugtraq-owner@crimelab.COM
To: bugtraq@crimelab.COM
Cc: KAPLAN@bpa.arizona.EDU
Content-transfer-encoding: 7BIT
Precedence: bulk

Cross post to RISKS (via mail submission), comp.security.announce and comp.protocols.tcp-ip news groups, and a few other various places. Sorry if you see this more than once.

Re: Firewalls and Internet Security - Repelling the Wily Hacker.

Ray Kaplan - May 2, 1994

Buy this book

Gentle folk,

Here is a risk reducer. With the wholesale rush to Internet connectivity, it's about time someone sat down and wrote a good book about how to do this exercise safely! And, sure enough, Cheswick and Bellovin have done just that. Heaping superlatives on something of which you are enamored is always problematic - the possibility of overstatement looms large. Accordingly I'll cut to the chase.

Buy this book! I do not get any money for saying this - I just believe you are well justified in getting it on your reading list - today.

In May of this year, Addison Wesley is releasing an excellent new book by Bill Cheswick and Steve Bellovin: Firewalls and Internet Security - Repelling the Wily Hacker. ISBN 0-201-63357-4. It will retail for $26.95. Bulk purchases: 800-238-9682, individual orders: 800-824-7799 (FAX 617-944-7273). Email orders over the Internet from bexpress@aw.com (no they don't take plastic via Email). For those that are net-challenged, U.S. snailmail orders from Addison-Wesley, c/o Arlene Morgan, 1 Jacob Way, Reading, MA 01867 USA.

Rumors loom large that at least one of the authors (Ches?) will be at Interop with copious quantities of this work of art. As dues of superlative authorship that is destined to be popular, I hope they both get writer's cramp autographing!

Details

While worthwhile, well written, pace-setting, technically astute works of art are rare - this is certainly one of them. I am always hard pressed to identify any one thing as unique in its decade (especially when the decade is still in progress). Suffice it to say that this work is the most complete treatment of firewall technology and experience that is available. The availability of this work is exciting news for security firewall builders - including Internet security firewall builders - and, for the great number of people that seem to be befuddled by the complexity and the general issues of interconnecting networks.

The book

While my review copy (well dog-eared, now) is a bit dated (March 7, 1994), I think you can expect that it is close to the book's final form: a standard (w=7.5in, h=9in) Addison-Wesley Professional Computing Series book like the ones that should already dot your shelves. (I don't get any money for my obvious favorable bias toward this series. My bias is born out of the fact that the series (Brian Kernighan is the consulting editor for it) contains great authors and titles like Radia Perlman's Interconnections - Bridges and Routers and Richard Stevens' TCP/IP Illustrated, Volume I - The Protocols.) 305 pages in 14 chapters, appendices, a bibliography, a list of "bombs" (security holes) and an index.

Out of the box, the authors set the tone for their work by quoting F.T. Gramp and R.H. Morris: "It is easy to run a secure computer system. You merely have to disconnect all dial-up connections and permit only direct-wired terminals, put the machine and the terminals in a shielded room, and post a guard at the door." This is followed by a detailed discussion of the art and science of building a firewall.

There is so much good stuff here, that all I can do is list the book's contents - lest I write a tome which distracts you from picking up a copy of it ASAP.

Chapters and content - from the table of contents.

Getting started

  Introduction
    - Why security?
    - Picking a security policy
    - Strategies for a secure network
    - The ethics of computer security
    - Warning

  Overview of TCP/IP
    - The different layers
    - Routers and routing protocols
    - The Domain name service
    - Standard services
    - RPC-based protocols
    - The "r" commands
    - Information services
    - The X-11 service
    - Patterns of trust

Building your own firewall

  Firewalls and gateways
    - Firewall philosophy
    - Situating firewalls
    - Packet-filtering gateways
    - Application-level gateways
    - Circuit-level gateways
    - Supporting inbound services
    - Tunnels - good and bad
    - Joint Ventures
    - What firewalls can't do

  How to build an application-level gateway
    - Policy
    - Hardware configuration options
    - Initial installation
    - Gateway tools
    - Installing services
    - Protecting the protectors
    - Gateway administration
    - Safety analysis - why our setup is secure and fail-safe
    - Performance
    - The TIS firewall toolkit
    - Evaluating firewalls
    - Living without a firewall

  Authentication
    - User authentication
    - Host-to-host authentication

  Gateway tools
    - Proxylib
    - Syslog
    - Watching the network: Tcpdump and friends
    - Adding logging to standard demons

  Traps, lures and honey pots
    - What to log
    - Dummy accounts
    - Tracing the connection

  The hacker's workbench
    - Introduction
    - Discovery
    - Probing hosts
    - Connection tools
    - Routing games
    - network monitors
    - Metastasis
    - Tiger teams
    - Further reading

A look back

  Classes of attacks
    - Stealing passwords
    - Social engineering
    - Bugs and backdoors
    - Authorization failures
    - Protocol failures
    - Information leakage
    - Denial-of-service

  An evening with Berferd
    - Introduction
    - Unfriendly acts
    - An evening with Berferd
    - The day after
    - The jail
    - Tracing Berferd
    - Berferd comes home

  Where the wild things are: a look at the logs
    - A year of hacking
    - Proxy use
    - Attack sources
    - Noise on the line

Odds and ends

  Legal considerations
    - Computer crime statutes
    - Log files as evidence
    - Is monitoring legal?
    - Tort liability considerations

  Secure communications over insecure networks
    - An introduction to cryptography
    - The Kerberos authentication system
    - Link-level encryption
    - Network- and transport-level encryption
    - Application-level encryption

  Where do we go from here?

Appendices

  Useful free stuff
    - Building firewalls
    - Network management and monitoring tools
    - Auditing packages
    - Cryptographic software
    - Information sources

  TCP and UDP ports
    - Fixed ports
    - MBone usage

  Recommendations to vendors
    - Everyone
    - Hosts
    - Routers
    - Protocols
    - Firewalls

Bibliography - List of bombs - Index

I have criticisms, complaints and suggestions. However, considering that this is such a darn fine piece of work - I hasten to get my recommendation that you buy this book out ASAP. Meantime, to whet your appetite:

- Index - (a well done, 26 pages worth - you can actually find pointers to what you want to know! What a concept.)
- TCP ports discussion - a comprehensive list and reasonable advice on what to do with them.
- Bombs - a summarized list of the 43 major security holes that they identify.
- Bibliography - Ahhhh. 19 pages of the best firewalls-related bibliography that I've seen.
- Where to from here - excellent advice for techies and managers who don't want to keep working at the job of firewalling or who simply want to spend a bit of resources on it only once.

Kudos to the authors - buy this book.

Of course - these are my own views, and they don't necessarily reflect those of anyone - including my employer. However, in this case, they probably do.

----------
Ray Kaplan
CyberSAFE, Corporation
rayk@ocsg.com
Formerly Open Computing Security Group (OCSG)
(206) 883-8721 FAX at (206) 883-6951
2443 152nd Ave NE
Redmond, WA 98052

Better living through authentication
---------