Firewalls and Internet Security

But much has happened since that book became an instant classic in 1994. Unfortunately, the "good guys" have been gradually losing the Internet arms race. "The hackers have developed and deployed tools for attacks we had been anticipating for years. IP spoofing and TCP hijacking are now quite common...ISPs report that attacks on the Internet's infrastructure are increasing."

Well, it's taken nine years, but the Second Edition has arrived -- and not a moment too soon.

Above all, this book teaches the right attitude about security. With the right frame of mind, you're far more likely to make reasonable security decisions when new challenges arise. To that end, the authors waste no time, presenting the no-nonsense principles of Internet security right up front.

Keep the level of all your defenses at about the same height. (You wouldn't fit a bank vault with a screen door on the back, yet many people do the same thing with Internet security.) An attacker doesn't go through security, but around it. They're looking for your weakest link.

Put your defenses in layers. Some of the layers will be physical, some conceptual, but together, they're far more effective than any of them would be alone. (This is, incidentally, how your immune system works.) Keep it simple. Complex systems are difficult to understand, audit, explain, and troubleshoot, and virtually impossible to perfect.

Also: Don't hand out more privileges than someone needs to do the job. Security should be integral to the original design, not bolted on later. Programs are insecure until proven secure. But: If you don't run a program, who cares if it's secure? Most folks have heard at least some of these, but few people take them sufficiently to heart. The rest of this book is about translating these common-sense security maxims into safer systems.

In Chapters 2 and 3, the authors move on to discussing key Internet protocols from the viewpoint of security. They start at the lowest levels, with IP packets, ARP, and TCP-based virtual circuits, then systematically review routing protocols like BGP; DNS and DHCP; network address translation, and more.

When you really understand how TCP opens a connection, you can see how SYN flood attacks attempt to flood a host with "half-open connections." When you understand how UDP works, you can see why it's so easy to spoof UDP packets -- and why you'd better be careful about using the source addresses they present.

Along the way, the authors utterly massacre WEP, the standard wireless security protocol for WiFi networks. (When you read what they have to say, you have to shake your head and wonder about how this protocol was designed.)

Oh, and speaking of wireless: "[J]ust because you cannot access your wireless network with a PCMCIA card from the parking lot, it does not mean that someone with an inexpensive high gain antenna cannot reach it from a mile (or twenty miles!) away. In fact, we have demonstrated that a standard access point inside a building is easily reachable from that distance." Ouch.

The definitive coverage of protocols represents only one-fourth of this outstanding book. It's equally strong on assessing today's diverse classes of attacks; implementing safer tools and services; and designing and deploying secure firewalls and VPNs. The authors show how to improve security by optimizing your network's layout; present intelligent overviews of intrusion detection and encryption; and finally, preview some emerging innovations in Internet security.

While we hope we won't have to wait nine years for the next edition, this one should hold us in good stead for a very long time. Bill Camarda

Bill Camarda is a consultant, writer, and web/multimedia content developer. His 15 books include Special Edition Using Word 2000 and Upgrading & Fixing Networks For Dummies®, Second Edition.