Home > Store

Firewalls and Internet Security: Repelling the Wily Hacker, 2nd Edition

Register your product to gain access to bonus material or receive a coupon.

Firewalls and Internet Security: Repelling the Wily Hacker, 2nd Edition

Book

  • Sorry, this book is no longer in print.
Not for Sale

About

Features

The classic, single best resource for understanding Internet security is back.

° This book is the bible of Internet security. Whatever else is in the market, this one is at the very top of the list. Notable for its engaging style, technical depth, and the clear real-world experiences of the authors.

° Nearly a complete rewrite of the first edition; reviewers say it's even better.

° First edition has sold more than 68,000 copies! (1/e was Y; 2/e is X.

Audio & Video

Video

Untitled Document

Author Bill Cheswick, security guru and best-selling security book author recently appeared on TechTV's "The Screen Savers". A paper and video highlights of his segment can be found at TechTV.

 

Description

  • Copyright 2003
  • Dimensions: 7-3/8" x 9-1/4"
  • Pages: 464
  • Edition: 2nd
  • Book
  • ISBN-10: 0-201-63466-X
  • ISBN-13: 978-0-201-63466-2

The best-selling first edition of Firewalls and Internet Security became the bible of Internet security by showing a generation of Internet security experts how to think about threats and solutions. This completely updated and expanded second edition defines the security problems companies face in today's Internet, identifies the weaknesses in the most popular security technologies, and illustrates the ins and outs of deploying an effective firewall. Readers will learn how to plan and execute a security strategy that allows easy access to Internet services while defeating even the wiliest of hackers.

Firewalls and Internet Security, Second Edition, draws upon the authors' experiences as researchers in the forefront of their field since the beginning of the Internet explosion.

The book begins with an introduction to their philosophy of Internet security. It progresses quickly to a dissection of possible attacks on hosts and networks and describes the tools and techniques used to perpetrate--and prevent--such attacks. The focus then shifts to firewalls and virtual private networks (VPNs), providing a step-by-step guide to firewall deployment. Readers are immersed in the real-world practices of Internet security through a critical examination of problems and practices on today's intranets, as well as discussions of the deployment of a hacking-resistant host and of intrusion detection systems (IDS). The authors scrutinize secure communications over insecure networks and conclude with their predictions about the future of firewalls and Internet security.

The book's appendixes provide an introduction to cryptography and a list of resources (also posted to the book's Web site) that readers can rely on for tracking further security developments.

Armed with the authors' hard-won knowledge of how to fight off hackers, readers of Firewalls and Internet Security, Second Edition, can make security decisions that will make the Internet--and their computers--safer.



020163466XB01302003

Extras

Related Articles

Marcus Ranum's Computer Security Book List

Mitigating the Security Risks of SSH

Author's Site

Click below for Web Resources related to this title:
Author's Web Site

Sample Content

Online Sample Chapters

A Security Review of Protocols: Lower Layers

Security Review of Protocols: The Upper Layers

Downloadable Sample Chapter

Click below for Sample Chapter(s) related to this title:
Sample Chapter 2
Sample Chapter 3

Table of Contents



Preface to the Second Edition.


Preface to the First Edition.

I. GETTING STARTED.

1. Introduction.

Security Truisms.

Picking a Security Policy.

Host-Based Security.

Perimeter Security.

Strategies for a Secure Network.

The Ethics of Computer Security.

WARNING.

2. A Security Review of Protocols: Lower Layers.

Basic Protocols.

Managing Addresses and Names.

IP Version 6.

Network Address Translators.

Wireless Security.

3. Security Review: The Upper Layers.

Messaging.

Internet Telephony.

RPC-Based Protocols.

File Transfer Protocols.

Remote Login.

Simple Network Management Protocol-SNMP.

The Network Time Protocol.

Information Services.

Proprietary protocols.

Peer-to-Peer Networking.

The X11 Window System.

The Small Services.

4. The Web: Threat or Menace?

The Web Protocols.

Risks to the Clients.

Risks to the Server.

Web Servers vs. Firewalls.

The Web and Databases.

Parting Thoughts.

II. THE THREATS.

5. Classes of Attacks.

Stealing Passwords.

Social Engineering.

Bugs and Backdoors.

Authentication Failures.

Protocol Failures.

Information Leakage.

Exponential Attacks-Viruses and Worms.

Denial-of-Service Attacks.

Botnets.

Active Attacks.

6. The Hacker's Workbench, and Other Munitions.

Introduction.

Hacking Goals.

Scanning a Network.

Breaking into the Host.

The Battle for the Host.

Covering Tracks.

Metastasis.

Hacking Tools.

Tiger Teams.

III. SAFER TOOLS AND SERVICES.

7. Authentication.

Remembering Passwords.

Time-Based One-Time Passwords.

Challenge/Response One-Time Passwords.

Lamport's One-Time Password Algorithm.

Smart Cards.

Biometrics.

RADIUS.

SASL: An Authentication Framework.

Host-to-Host Authentication.

PKI.

8. Using Some Tools and Services.

Inetd-Network Services.

Ssh-Terminal and File Access.

Syslog.

Network Administration Tools.

Chroot-Caging Suspect Software.

Jailing the Apache Web Server.

Aftpd-A Simple Anonymous FTP Daemon.

Mail Transfer Agents.

POP3 and IMAP.

Samba: An SMB Implementation.

Taming Named.

Adding SSL Support with sslwrap.

IV. FIREWALLS AND VPNS.

9. Kinds of Firewalls.

Packet Filters.

Application-Level Filtering.

Circuit-Level Gateways.

Dynamic Packet Filters.

Distributed Firewalls.

What Firewalls Cannot Do.

10. Filtering Services.

Reasonable Services to Filter.

Digging for Worms.

Services We Don't Like.

Other Services.

Something New.

11. Firewall Engineering.

Rulesets.

Proxies.

Building a Firewall from Scratch.

Firewall Problems.

Testing Firewalls.

12. Tunneling and VPNs.

Tunnels.

Virtual Private Networks (VPNs).

Software vs. Hardware.

V. PROTECTING AN ORGANIZATION.

13. Network Layout.

Intranet Explorations.

Intranet Routing Tricks.

In Host We Trust.

Belt and Suspenders.

Placement Classes.

14. Safe Hosts in a Hostile Environment.

What Do We Mean by “Secure”?

Properties of Secure Hosts.

Hardware Configuration.

Field Stripping a Host.

Loading New Software.

Administering a Secure Host.

Skinny-Dipping: Life Without a Firewall.

15. Intrusion Detection.

Where to Monitor.

Types of IDS.

Administering an IDS.

IDS Tools.

VI. LESSONS LEARNED.

16. Une Soirie avec Berferd.

Introduction.

Unfriendly Acts.

An Evening with Berferd.

The Day After.

The Jail.

Tracing Berferd.

Berferd Comes Home.

17. The Taking of Clark.

Prelude.

Clark.

Crude Forensics.

Examining Clark.

The Password File.

How Did They Get In?

Better Forensics.

Lessons Learned.

18. Secure Communications over Insecure Networks.

An Introduction to Cryptography.

The Kerberos Authentication System.

Link-Level Encryption.

Network-Level Encryption.

Application-Level Encryption.

19. Where Do We Go from Here?

IPv6.

DNSsec.

Internet Ubiquity.

Internet Security.

Conclusion.

A. An Introduction to Cryptography.

Introduction.

B. Keeping up.
Bibliography.
List of Bombs.
List of Acronyms.
Index. 020163466XT01082003

Preface

But after a time, as Frodo did not show any sign of writing a book on the spot, the hobbits returned to their questions about doings in the Shire.

Lord of the Rings—J.R.R. Tolkien

The first printing of the first edition appeared at the Las Vegas Interop in May, 1994. At that same show appeared the first of many commercial firewall products. In many ways, the field has matured since then: You can buy a decent firewall off the shelf from many vendors.

The problem of deploying that firewall in a secure and useful manner remains. We have studied many Internet access arrangements in which the only secure component was the firewall itself—it was easily bypassed by attackers going after the “protected” inside machines. Before the trivestiture of AT&T/Lucent/NCR, there were over 300,000 hosts behind at least six firewalls, plus special access arrangements with some 200 business partners.

Our first edition did not discuss the massive sniffing attacks discovered in the spring of 1994. Sniffers had been running on important Internet Service Provider (ISP) hosts for months—machines that had access to a major percentage of the ISP’s packet flow. By some estimates, these sniffers captured over a million host name/user name/password sets from passing telnet, ftp, and rlogin sessions. There were also reports of increased hacker activity on military sites. It’s obvious what must have happened: If you are a hacker with a million passwords in your pocket, you are going to look for the most interesting targets, and .mil certainly qualifies.

Since the first edition, we have been slowly losing the Internet arms race. The hackers have developed and deployed tools for attacks we had been anticipating for years. IP spoofing Shimora, 1996 and TCP hijacking are now quite common, according to the Computer Emergency Response Team (CERT). ISPs report that attacks on the Internet’s infrastructure are increasing.

There was one attack we chose not to include in the first edition: the SYN-flooding denial-of-service attack that seemed to be unstoppable. Of course, the Bad Guys learned about the attack anyway, making us regret that we had deleted that paragraph in the first place. We still believe that it is better to disseminate this information, informing saints and sinners at the same time. The saints need all the help they can get, and the sinners have their own channels of communication.

Crystal Ball or Bowling Ball?

The first edition made a number of predictions, explicitly or implicitly. Was our foresight accurate?

Our biggest failure was neglecting to foresee how successful the Internet would become. We barely mentioned the Web and declined a suggestion to use some weird syntax when listing software resources. The syntax, of course, was the URL...

Concomitant with the growth of the Web, the patterns of Internet connectivity vastly increased. We assumed that a company would have only a few external connections—few enough that they’d be easy to keep track of, and to firewall. Today’s spaghetti topology was a surprise.

We didn’t realize that PCs would become Internet clients as soon as they did. We did, however, warn that as personal machines became more capable, they’d become more vulnerable. Experience has proved us very correct on that point.

We did anticipate high-speed home connections, though we spoke of ISDN, rather than cable modems or DSL. (We had high-speed connectivity even then, though it was slow by today’s standards.) We also warned of issues posed by home LANs, and we warned about the problems caused by roaming laptops.

We were overly optimistic about the deployment of IPv6 (which was called IPng back then, as the name hadn’t been finalized). It still hasn’t been deployed, and its future is still somewhat uncertain.

We were correct, though, about the most fundamental point we made: Buggy host software is a major security issue. In fact, we called it the “fundamental theorem of firewalls”:

Most hosts cannot meet our requirements: they run too many programs that are too large. Therefore, the only solution is to isolate them behind a firewall if you wish to run any programs at all.

If anything, we were too conservative.

Our Approach

This book is nearly a complete rewrite of the first edition. The approach is different, and so are many of the technical details. Most people don’t build their own firewalls anymore. There are far more Internet users, and the economic stakes are higher. The Internet is a factor in warfare.

The field of study is also much larger—there is too much to cover in a single book. One reviewer suggested that Chapters 2 and 3 could be a six-volume set. (They were originally one mammoth chapter.) Our goal, as always, is to teach an approach to security. We took far too long to write this edition, but one of the reasons why the first edition survived as long as it did was that we concentrated on the concepts, rather than details specific to a particular product at a particular time. The right frame of mind goes a long way toward understanding security issues and making reasonable security decisions. We’ve tried to include anecdotes, stories, and comments to make our points.

Some complain that our approach is too academic, or too UNIX-centric, that we are too idealistic, and don’t describe many of the most common computing tools. We are trying to teach attitudes here more than specific bits and bytes. Most people have hideously poor computing habits and network hygiene. We try to use a safer world ourselves, and are trying to convey how we think it should be.

The chapter outline follows, but we want to emphasize the following:

It is OK to skip the hard parts.

If we dive into detail that is not useful to you, feel free to move on.

The introduction covers the overall philosophy of security, with a variety of time-tested maxims. As in the first edition, Chapter 2 discusses most of the important protocols, from a security point of view. We moved material about higher-layer protocols to Chapter 3. The Web merits a chapter of its own.

The next part discusses the threats we are dealing with: the kinds of attacks in Chapter 5, and some of the tools and techniques used to attack hosts and networks in 6.

Part III covers some of the tools and techniques we can use to make our networking world safer. We cover authentication tools in Chapter 7, and safer network servicing software in Chapter 8

Part IV covers firewalls and virtual private networks (VPNs). Chapter 9 introduces various types of firewalls and filtering techniques, and Chapter 10 summarizes some reasonable policies for filtering some of the more essential services discussed in Chapter 2. If you don’t find advice about filtering a service you like, we probably think it is too dangerous (refer to Chapter 2).

Chapter 11 covers a lot of the deep details of firewalls, including their configuration, administration, and design. It is certainly not a complete discussion of the subject, but should give readers a good start. VPN tunnels, including holes through firewalls, are briefly covered in some detail in Chapter 12. There is more detail in Chapter 18.

In Part V, we apply these tools and lessons to organizations. Chapter 13 examines the problems and practices on modern intranets. See Chapter 14 for information about deploying a hacking-resistant host, which is useful in any part of an intranet. Though we don’t especially like intrusion detection systems (IDSs) very much, they do play a role in security, and are discussed in Chapter 15.

The last part offers a couple of stories and some further details. The Berferd chapter is largely unchanged, and we have added “The Taking of Clark,” a real-life story about a minor break-in that taught useful lessons.

Chapter 18 discusses secure communications over insecure networks, in quite some detail. For even further detail, Appendix A has a short introduction to cryptography.

The conclusion offers some predictions by the authors, with justifications. If the predictions are wrong, perhaps the justifications will be instructive. (We don’t have a great track record as prophets.) Appendix B provides a number of resources for keeping up in this rapidly changing field.

Errata and Updates

The “official” Web site for this book is http://www.wilyhacker.com. We’ll post an errata list there; we’ll also keep an up-to-date list of other useful Web resources. If you find any errors—we hope there aren’t many—please let us know via e-mail at firewall-book@wilyhacker.com.



020163466XP01092003

Index

Click below to download the Index file related to this title:
Index

Updates

Submit Errata

More Information

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020