Bugtraq mailing list archives

Debate interruption - New firewalls book


From: KAPLAN () bpa arizona edu (RayK)
Date: Tue, 3 May 1994 0:00:18 -0700 (MST)


Cross post to RISKS (via mail submission), comp.security.announce and
comp.protocols.tcp-ip news groups, and a few other various places.  Sorry
if you see this more than once.

Re: Firewalls and Internet Security - Repelling the Wily Hacker.
Ray Kaplan - May 2, 1994

Buy this book

Gentle folk,

Here is a risk reducer.  With the wholesale rush to Internet connectivity, it's
about time someone sat down and wrote a good book about how to do this
exercise safely!  And, sure enough, Cheswick and Bellovin have done just that.

Heaping superlatives on something of which you are enamored is always
problematic - the possibility of overstatement looms large.  Accordingly I'll
cut to the chase.  Buy this book!  I do not get any money for saying this - I
just believe you are well justified in getting it on your reading list -
today. In May of this year, Addison Wesley is releasing an excellent new book
by Bill Cheswick and Steve Bellovin: Firewalls and Internet Security -
Repelling the Wily Hacker.  ISBN 0-201-63357-4.  It will retail for $26.95. 
Bulk purchases: 800-238-9682, individual orders: 800-824-7799 (FAX
617-944-7273).  Email orders over the Internet from bexpress () aw com (no they
don't take plastic via Email). For those that are net-challenged, U.S.
snailmail orders from Addison-Wesley, c/o Arlene Morgan, 1 Jacob Way, Reading,
MA  01867 USA. 

Rumors loom large that at least one of the authors (Ches?) will be at Interop
with copious quantities of this work of art.  As dues of superlative
authorship that is destined to be popular, I hope they both get writer's cramp
autographing! 

Details 

While worthwhile, well written, pace-setting, technically astute works of art
are rare - this is certainly one of them.  I am always hard pressed to
identify any one thing as unique in its decade (especially when the decade is
still in progress). Suffice it to say that this work is the most complete
treatment of firewall technology and experience that is available.  The
availability of this work is exciting news for security firewall builders -
including Internet security firewall builders - and, for the great number of
people that seem to be befuddled by the complexity and the general issues of
interconnecting networks. 

The book 

While my review copy (well dog-eared, now) is a bit dated (March 7, 1994), I
think you can expect that it is close to the book's final form: a standard
(w=7.5in, h=9in) Addison-Wesley Professional Computing Series book like the
ones that should already dot your shelves.  (I don't get any money for my
obvious favorable bias toward this series.  My bias is born out of the fact
that the series (Brian Kernighan is the consulting editor for it) contains
great authors and titles like Radia Perlman's Interconnections - Bridges and
Routers and Richard Stevens' TCP/IP Illustrated, Volume I - The Protocols.)

305 pages in 14 chapters, appendices, a bibliography, a list of "bombs"
(security holes) and an index. 

Out of the box, the authors set the tone for their work by quoting F.T. Gramp
and R.H. Morris: "It is easy to run a secure computer system.  You merely
have to disconnect all dial-up connections and permit only direct-wired
terminals, put the machine and the terminals in a shielded room, and post a
guard at the door."  This is followed by a detailed discussion of the art
and science of building a firewall. There is so much good stuff here, that all
I can do is list the book's contents - lest I write a tome which distracts you
from picking up a copy of it ASAP. 

Chapters and content - from the table of contents.

Getting started
Introduction
- Why security?
- Picking a security policy 
- Strategies for a secure network
- The ethics of computer security
- Warning
Overview of TCP/IP
- The different layers
- Routers and routing protocols
- The Domain name service
- Standard services
- RPC-based protocols
- The "r" commands
- Information services
- The X-11 service
- Patterns of trust

Building your own firewall
Firewalls and gateways
- Firewall philosophy
- Situating firewalls
- Packet-filtering gateways
- Application-level gateways
- Circuit-level gateways
- Supporting inbound services
- Tunnels - good and bad
- Joint Ventures
- What firewalls can't do
How to build an application-level gateway
- Policy
- Hardware configuration options
- Initial installation
- Gateway tools
- Installing services
- Protecting the protectors
- Gateway administration
- Safety analysis - why our setup is secure and fail-safe
- Performance
- The TIS firewall toolkit
- Evaluating firewalls
- Living without a firewall
Authentication
- User authentication
- Host-to-host authentication
Gateway tools
- Proxylib
- Syslog
- Watching the network: Tcpdump and friends
- Adding logging to standard demons
Traps, lures and honey pots
- What to log
- Dummy accounts
- Tracing the connection
The hacker's workbench
- Introduction
- Discovery
- Probing hosts
- Connection tools
- Routing games
- Network monitors
- Metastasis
- Tiger teams
- Further reading

A look back
Classes of attacks
- Stealing passwords
- Social engineering
- Bugs and backdoors
- Authorization failures
- Protocol failures
- Information leakage
- Denial-of-service
An evening with Berferd
- Introduction
- Unfriendly acts
- An evening with Berferd
- The day after
- The jail
- Tracing Berferd
- Berferd comes home
Where the wild things are: a look at the logs
- A year of hacking
- Proxy use
- Attack sources
- Noise on the line

Odds and ends
Legal considerations
- Computer crime statutes
- Log files as evidence
- Is monitoring legal?
- Tort liability considerations
Secure communications over insecure networks
- An introduction to cryptography
- The Kerberos authentication system
- Link-level encryption
- Network- and transport-level encryption
- Application-level encryption

Where do we go from here? 
Appendices

Useful free stuff 
- Building firewalls
- Network management and monitoring tools
- Auditing packages
- Cryptographic software
- Information sources

TCP and UDP ports
- Fixed ports
- MBone usage

Recommendations to vendors
- Everyone
- Hosts
- Routers
- Protocols
- Firewalls

Bibliography - List of bombs - Index 

I have criticisms, complaints and suggestions.  However, considering that this
is such a darn fine piece of work - I hasten to get my recommendation that you
buy this book out ASAP. 

Meantime, to whet your appetite:

- Index - (a well done, 26 pages worth - you can actually find pointers to
what you want to know!  What a concept.)

- TCP ports discussion - a comprehensive list and reasonable advice on what to
do with them. 

- Bombs - a summarized list of the 43 major security holes that they identify.

- Bibliography - Ahhhh.  19 pages of the best firewalls-related bibliography
that I've seen.

- Where to from here - excellent advice for techies and managers who don't
want to keep working at the job of firewalling or who simply want to spend a
bit of resources on it only once. 

Kudos to the authors - buy this book. 

Of course - these are my own views, and they don't necessarily reflect those
of anyone - including my employer.  However, in this case, they probably do. 

----------
Ray Kaplan             CyberSAFE, Corporation
rayk () ocsg com          Formerly Open Computing Security Group (OCSG)
                       (206) 883-8721
                       FAX at (206) 883-6951
                       2443 152nd Ave NE
                       Redmond, WA 98052

Better living through authentication
---------


