Joel Pippin
INLS 187-300
10.24.04
Book Review
William Cheswick and Steven Bellovin are back, along with Aviel Rubin, for this second edition of what was considered the book about firewalls and Internet security for many years -- a book that remains a popular title in the field of Information Security. Truly ahead of their time in 1994 when the first edition of this book was published, Cheswick and Bellovin discussed honeypots and biometric access, and showed disdain for "security by obscurity" years before others did. Time will tell if this edition holds the same value as the first. I just recently found out about and purchased this edition, which was released in April of 2003. My copy of the first edition has been skimmed and scanned over the past years and was one of the first books I bought -- at the behest of my former boss and mentor -- as I gained interest in computer networks and their security.
This review does not intend to compare the two editions. It's worth mentioning, however, that the authors include the preface from the first edition following the new preface, and they make note of some of the things they overlooked a decade ago, including the then-recent occurrences of sniffing attacks and their failure to anticipate the rapid growth of clients attached directly to the Internet. They also mention here and later in the book, with some regret, their choice not to publish information about SYN flooding because it appeared so unstoppable at the time and they did not wish to increase the problem by publishing details. The authors state that the latest edition is a complete rewrite and that the approach is different, although their goal remains to "teach an approach to security."
In fact, in the first chapter of the book, the authors provide a list of "security truisms."1
- There is no such thing as absolute security.
- Security is always a question of economics.
- Keep the level of all your defenses about the same height.
- An attacker doesn't go through security, but around it.
- Put your defenses in layers.
- It's a bad idea to rely on "security through obscurity."
- Keep it simple.
- Don't give a person or program any more privileges than those necessary to do the job.
- Programming is hard.
- Security should be an integral part of the design.
- If you do not run a program, it does not matter if it has security holes.
- A program or protocol is insecure until proven secure.
- A chain is only as strong as its weakest link.
- Security is a trade-off with convenience.
- Don't underestimate the value of your assets.
I won't go through them all point by point and regurgitate what the authors say, but I will point out a few things. First, I immediately checked the back of the book and, yes, many works by Bruce Schneier are cited. I first saw "A chain is only as strong as its weakest link," and something similar to "An attacker doesn't go through security, but around it," in Schneier's Secrets and Lies. Then again, these notions have become so commonplace in security that I'm not sure who's the chicken and who's the egg -- perhaps these two points were mentioned in the first edition and I've forgotten. Anyway, almost all of the above points are important and valid. I say almost because I'm not sure that "If you do not run a program, it does not matter if it has security holes" is a truism as much as just a good point. "Programming is hard" should probably be "Secure programming is hard," but the authors mention secure programming in the details, so perhaps I'm too fussy. As someone familiar with and regularly exposed to such truisms, I was happy to see "Keep the level of all your defenses about the same height" on the list. It's a good truism about which I haven't read or seen discussion often enough.
This book is targeted to the network and systems administrator -- perhaps more as a reference than as a full text read -- and to anyone who wants to learn more about network security, including protocol issues, policy stance, best practices including layering and avoidance of homogeneity, various web issues, and risks at the client and server levels, among other concerns. The authors give brief overviews of the lower layer protocols -- IP, ARP, TCP, UDP, ICMP, and SCTP, or Stream Control Transmission Protocol, a promising new transport protocol.2 When they discuss addressing and names, they even mention DNSsec.3 Apparently the authors intend to stay on the bleeding edge with this version as well. Conversely, they may just be scrambling the same way that movie sequels do -- to recapture the success of the first one (and we all know that only one sequel has ever been better than the original -- The Godfather Part II). Regardless, at a mere 10 pages, the scope of coverage of the protocols is not comprehensive by any measure -- it's a quick review and should include more coverage from a security angle. Stevens's TCP/IP Illustrated, Comer's Computer Networks and Intranets, or Kurose and Ross's Computer Networking are much better for insight into and understanding of the security issues surrounding these protocols. But I digress...
I suppose that the scope of this book is not considered "basic," but it is a foundational reference, and although I found it immensely interesting in chunks, it was somewhat repetitive, covering information of which I am either already aware or on which I need more than the bits and pieces provided. That said, I did learn new information. The authors lump spyware and adware together with "foistware," which they do not define but which is self-evident if you know what foist means.4 I learned that SQL*Net, which I've been using recently, uses a secret and proprietary protocol that requests random ports.5 I particularly enjoyed the treatment of Denial-of-Service attacks (of course including DDoS). Section 5.8.4 -- you have to love the geeky logic of hierarchical numbering -- is entitled "What to Do About a Denial-of-Service Attack."6 Online circumlocutory explanations written by victims such as grc.com's Steve Gibson aside, the authors provide a four-step plan, with the disclaimer that there are no absolutes:
1. Find a way to filter out the bad packets.
2. Improve the processing of the incoming data somehow.
3. Hunt down and shut down the attacking sites.
4. Add hardware and network capacity to handle your normal load plus the attack.
They provide good detail about each step, and finish with a discussion of backscatter, explaining to the reader that these attacks should be expected as an ongoing fact of life on the Internet.7
I recommend this book to anyone in computer security. It's not the sort of book I would read front to back, and in doing this review, I certainly did not read all 400+ pages. When I found the authors using ipchains to build a personal firewall in a later chapter, I skipped the section and moved on to still-current information. The discussion of VPNs in chapter 12 is an excellent primer for the uninitiated and a good review for anyone else. An especially good point is the fact that home LAN security is extremely difficult to police -- no pun intended by the authors, as I read it. A child using a computer that also makes a secure VPN connection for a parent, or the fact that an insecure family machine and a more secure work machine share the same address space, may put a company at risk. More interesting is the authors' aside -- that a married couple had two machines connected to their respective companies. The routing information propagated across the links, and the routers at the two companies started routing packets through the home network. The book is full of jewels like this, which make technical information easier to digest and help some of us more completely "get our brain around" it.8
One more shortcoming of the book not previously mentioned is that intrusion detection deserves more than 4.5 pages. However, the next two chapters almost make up for this concern by following the logs through two attacks and the forensics of those attacks.
This follow-up to an important book in networking and security is excellent -- even if it is too short at 434 pages. The original was 306 pages 9 years prior. The authors state in the preface that there is too much information for a single book, but then they try to make room for everything regardless. More detail would have helped this book surpass its predecessor. 4.5 stars out of 5 because it should have been 800 pages.
Bibliography:
Cheswick, W., Bellovin, S., and Rubin, A. Firewalls and Internet Security, 2nd Edition: Repelling the Wily Hacker. Addison Wesley, AT&T and Lumeta Corporation, 2003.
Footnotes:
1 Cheswick et al., pp. 3-6.
2 Ibid., pp. 19-28.
3 Ibid., p. 33.
4 Ibid., p. 69.
5 Ibid., p. 68.
6 Ibid., pp. 107-116.
7 Ibid., p. 116.
8 Ibid., p. 241.