Building Internet Firewalls [Paperback]

Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman
4.4 out of 5 stars. See all reviews (5 customer reviews)
RRP: £38.50
Price: £25.02 & this item Delivered FREE in the UK with Super Saver Delivery. See details and conditions
You Save: £13.48 (35%)

Product Description

Amazon.co.uk Review

In the vast and varied universe of computer books, a few stand out as the best of their subject areas. Building Internet Firewalls is one of these. It's deep, yet carefully focused, so that almost anything you might want to know about firewall strategies for protecting networks is here. Plus, there's a lot of information on the reasons we build firewalls in the first place, which is to say the security risks that come with Internet connectivity. You'll learn a great deal about Internet services and the protocols that provide them as you follow this book's recommendations for stifling attacks.

If there's a shortcoming to this book, it is its lack of coverage of the turnkey firewall products that are becoming popular among homes and small office users. Emphasis here is on more complicated network defences that require careful design and setup--both design and implementation are the order of the day here. The authors carefully enumerate the threats they see in various situations, go into some detail on how those threats manifest themselves, and explain what configuration changes you can make to your perimeter defences to repulse those threats. Plenty of illustrations make points about good and bad security strategies (you want to put the routers here and here, not here or here). You'll learn a lot, no matter how much experience you have, by reading this book cover to cover. --David Wall, Amazon.com

Topics covered: Means of protecting private networks from external security threats. The authors go into detail on attackers' means of exploiting security holes in common Internet services, and show how to plug those holes or at least limit the damage that can be done through them. With coverage of Unix, Linux, and Windows NT, the authors detail their philosophies of firewall design and general security policy.

OpenBSD Journal, January 14, 2002

This is a book that is useful on many levels, and by many people within an organization.

Product Description

In the five years since the first edition of this classic book was published, Internet use has exploded. The commercial world has rushed headlong into doing business on the Web, often without integrating sound security technologies and policies into their products and methods. The security risks--and the need to protect both business and personal data--have never been greater. We've updated Building Internet Firewalls to address these newer risks.

What kinds of security threats does the Internet pose? Some, like password attacks and the exploiting of known security holes, have been around since the early days of networking. And others, like the distributed denial of service attacks that crippled Yahoo, E-Bay, and other major e-commerce sites in early 2000, are in current headlines.

Firewalls, critical components of today's computer networks, effectively protect a system from most Internet security threats. They keep damage on one part of the network--such as eavesdropping, a worm program, or file damage--from spreading to the rest of the network. Without firewalls, network security problems can rage out of control, dragging more and more systems down.

Like the bestselling and highly respected first edition, Building Internet Firewalls, 2nd Edition, is a practical and detailed step-by-step guide to designing and installing firewalls and configuring Internet services to work with a firewall. Much expanded to include Linux and Windows coverage, the second edition describes:

    • Firewall technologies: packet filtering, proxying, network address translation, virtual private networks
    • Architectures such as screening routers, dual-homed hosts, screened hosts, screened subnets, perimeter networks, internal firewalls
    • Issues involved in a variety of new Internet services and protocols through a firewall
    • Email and News
    • Web services and scripting languages (e.g., HTTP, Java, JavaScript, ActiveX, RealAudio, RealVideo)
    • File transfer and sharing services such as NFS, Samba
    • Remote access services such as Telnet, the BSD "r" commands, SSH, BackOrifice 2000
    • Real-time conferencing services such as ICQ and talk
    • Naming and directory services (e.g., DNS, NetBT, the Windows Browser)
    • Authentication and auditing services (e.g., PAM, Kerberos, RADIUS)
    • Administrative services (e.g., syslog, SNMP, SMS, RIP and other routing protocols, and ping and other network diagnostics)
    • Intermediary protocols (e.g., RPC, SMB, CORBA, IIOP)
    • Database protocols (e.g., ODBC, JDBC, and protocols for Oracle, Sybase, and Microsoft SQL Server)

The book's complete list of resources includes the location of many publicly available firewall construction tools.

From the Publisher

Completely revised and much expanded, the new edition of the highly respected and bestselling Building Internet Firewalls now covers Unix, Linux, and Windows NT. This practical and detailed guide explains in step-by-step fashion how to design and install firewalls and configure Internet services to work with a firewall. It covers a wide range of services and protocols and offers a complete list of resources, including the location of many publicly available firewall construction tools.

About the Author

Simon Cooper is a computer professional currently working in Silicon Valley. He has worked in different computer-related fields ranging from hardware through operating systems and device drivers to application software and systems support in both commercial and educational environments. He has an interest in the activities of the Internet Engineering Task Force (IETF) and USENIX, is a member of the British Computer Conservation Society, and is a founding member of the Computer Museum History Center. Simon has released a small number of his own open source programs and has contributed time and code to the XFree86 project. In his spare time, Simon likes to play ice hockey, solve puzzles of a mathematical nature, and tinker with Linux.

Excerpted from Building Internet Firewalls by Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman. Copyright © 2000. Reprinted by permission. All rights reserved.

Chapter 13 - Internet Services and Firewalls

This chapter gives an overview of the issues involved in using Internet services through a firewall, including the risks involved in providing services and the attacks against them, ways of evaluating implementations, and ways of analyzing services that are not detailed in this book.

The remaining chapters in Part III describe the major Internet services: how they work, what their packet filtering and proxying characteristics are, what their security implications are with respect to firewalls, and how to make them work with a firewall. The purpose of these chapters is to give you the information that will help you decide which services to offer at your site and to help you configure these services so they are as safe and as functional as possible in your firewall environment. We occasionally mention things that are not, in fact, Internet services but are related protocols, languages, or APIs that are often used in the Internet context or confused with genuine Internet services.

These chapters are intended primarily as a reference; they're not necessarily intended to be read in depth from start to finish, though you might learn a lot of interesting stuff by skimming this whole part of the book.

At this point, we assume that you are familiar with what the various Internet services are used for, and we concentrate on explaining how to provide those services through a firewall. For introductory information about what particular services are used for, see Chapter 2, Internet Services.

Where we discuss the packet filtering characteristics of particular services, we use the same abstract tabular form we used to show filtering rules in Chapter 8, Packet Filtering. You'll need to translate various abstractions like "internal", "external", and so on to appropriate values for your own configuration. See Chapter 8 for an explanation of how you can translate abstract rules to rules for particular products and packages, as well as more information on packet filtering in general.

Where we discuss the proxy characteristics of particular services, we rely on concepts and terminology discussed in Chapter 9, Proxy Systems.

Throughout the chapters in Part III, we'll show how each service's packets flow through a firewall. The following figures show the basic packet flow: when a service runs directly (Figure 13-1) and when a proxy service is used (Figure 13-2). The other figures in these chapters show variations of these figures for individual services. If there are no specific figures for a particular service, you can assume that these generic figures are appropriate for that service.

TIP:

We frequently characterize client port numbers as "a random port number above 1023". Some protocols specify this as a requirement, and on others, it is merely a convention (spread to other platforms from Unix, where ports below 1024 cannot be opened by regular users). Although it is theoretically allowable for clients to use ports below 1024 on non-Unix platforms, it is extraordinarily rare: rare enough that many firewalls, including ones on major public sites that handle clients of all types, rely on this distinction and report never having rejected a connection because of it.

Attacks Against Internet Services
As we discuss Internet services and their configuration, certain concepts are going to come up repeatedly. These reflect the process of evaluating exactly what risks a given service poses. These risks can be roughly divided into two categories. First, attacks that involve making allowed connections between a client and a server, including:

    • Command-channel attacks
    • Data-driven attacks
    • Third-party attacks
    • False authentication of clients

Second, those attacks that get around the need to make connections, including:

    • Hijacking
    • Packet sniffing
    • Data injection and modification
    • Replay
    • Denial of service

Command-Channel Attacks
A command-channel attack is one that directly attacks a particular service's server by sending it commands in the same way it regularly receives them (down its command channel). There are two basic types of command-channel attacks: attacks that exploit valid commands to do undesirable things, and attacks that send invalid commands and exploit server bugs in dealing with invalid input.

If it's possible to use valid commands to do undesirable things, that is the fault of the person who decided what commands there should be. If it's possible to use invalid commands to do undesirable things, that is the fault of the programmer(s) who implemented the protocol. These are two separate issues and need to be evaluated separately, but you are equally unsafe in either case.

The original headline-making Internet problem, the 1988 Morris worm, exploited two kinds of command-channel attacks. It attacked Sendmail by using a valid debugging command that many machines had left enabled and unsecured, and it attacked finger by giving it an overlength command, causing a buffer overflow.
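The two kinds of command-channel risk just described are evaluated separately on the receiving side as well. The following small line-oriented command handler is an added illustration, not code from the book: it bounds and validates raw input before any command is parsed (the invalid-input side), and treats a legitimate but dangerous protocol command as a policy decision that is off by default (the valid-command side). The command names, reply codes and the `MAX_LINE` bound are constructed for this example and do not correspond to any particular server.

```python
"""Minimal command-channel handler separating the two risks described in the text.

Constructed example: the commands (HELO, NOOP, DEBUG), reply codes and the
MAX_LINE bound are assumptions for illustration, not any real server's protocol.
"""

MAX_LINE = 512  # assumed upper bound on one command line, checked before parsing


class CommandServer:
    """Dispatches one command line at a time and records why input was rejected."""

    def __init__(self, debug_enabled: bool = False):
        # Policy decision: a valid protocol command that is dangerous is
        # unreachable unless the administrator turns it on explicitly.
        self.debug_enabled = debug_enabled
        self.handlers = {"HELO": self._helo, "NOOP": self._noop, "DEBUG": self._debug}
        self.rejections = []  # audit trail of (reason, first bytes) for rejected input

    def handle(self, raw: bytes) -> str:
        # Invalid-input side: enforce the length bound before anything else
        # touches the data, so overlong input never reaches a handler.
        if len(raw) > MAX_LINE:
            return self._reject("line too long", raw, "500 line too long")
        try:
            line = raw.decode("ascii")
        except UnicodeDecodeError:
            return self._reject("non-ascii input", raw, "500 syntax error")
        parts = line.strip().split(" ", 1)
        cmd = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else ""
        handler = self.handlers.get(cmd)
        if handler is None:
            return self._reject("unrecognized command", raw, "500 unrecognized command")
        return handler(arg)

    def _reject(self, reason: str, raw: bytes, reply: str) -> str:
        # Keep only a short prefix so the audit record itself stays bounded.
        self.rejections.append((reason, raw[:32]))
        return reply

    def _helo(self, arg: str) -> str:
        return "250 hello " + arg if arg else "501 argument required"

    def _noop(self, arg: str) -> str:
        return "250 ok"

    def _debug(self, arg: str) -> str:
        # Valid-command side: the command exists in the protocol; whether it
        # should be usable at all is a configuration decision, default off.
        if not self.debug_enabled:
            return "502 command not available"
        return "250 debug mode on"


if __name__ == "__main__":
    srv = CommandServer()
    for sample in (b"HELO mail.example.com", b"DEBUG", b"A" * 600, b"FOO bar"):
        print(sample[:20], "->", srv.handle(sample))
    print("rejections recorded:", srv.rejections)
```

The point of keeping the two checks in different places is that they fail for different reasons: the length bound and decode step protect against defects in the implementation, while the `debug_enabled` flag protects against a design decision that made a risky command part of the protocol. Reviewing a server for either one tells you nothing about the other.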

Data-Driven Attacks
A data-driven attack is one that involves the data transferred by a protocol, instead of the server that implements it. Once again, there are two types of data-driven attacks: attacks that involve evil data, and attacks that compromise good data. Viruses transmitted in electronic mail messages are data-driven attacks that involve evil data. Attacks that steal credit card numbers in transit are data-driven attacks that compromise good data.

Third-Party Attacks
A third-party attack is one that doesn't involve the service you're intending to support at all but that uses the provisions you've made to support one service in order to attack a completely different one. For instance, if you allow inbound TCP connections to any port above 1024 in order to support some protocol, you are opening up a large number of opportunities for third-party attacks as people make inbound connections to completely different servers.
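The third-party risk above, and the "random port above 1023" convention from the tip earlier in this chapter, can both be seen by evaluating a few connection attempts against two rule sets written in the abstract tabular form the book uses for filtering rules. The evaluator below is an added example, not code from the book: it implements first-match, default-deny evaluation over rules with abstract "internal"/"external" endpoints, a `>1023` port specification and an ACK-bit column. The rule sets, the hypothetical protocol that "needs inbound connections to high ports", and the sample packets are all constructed for this example.

```python
"""First-match, default-deny evaluation of abstract packet-filter rules.

Constructed example. Rule columns follow the book's tabular style
(direction, source, destination, protocol, source port, destination port,
ACK set, action); the rule sets and sample packets are assumptions made up
to show how a broad high-port rule admits unrelated connections.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    src: str         # "internal" or "external" (abstract, as in the book's tables)
    dst: str
    proto: str       # "tcp" in these samples
    src_port: int
    dst_port: int
    ack: bool        # TCP ACK bit set: False only on the first packet of a connection


@dataclass(frozen=True)
class Rule:
    direction: str
    src: str
    dst: str
    proto: str
    src_port: object  # int, "any", or ">1023"
    dst_port: object
    ack: object       # True, False, or "any"
    action: str       # "permit" or "deny"
    comment: str = ""


def _port_matches(spec, port: int) -> bool:
    if spec == "any":
        return True
    if spec == ">1023":
        return port > 1023
    return spec == port


def _field_matches(spec, value) -> bool:
    return spec == "any" or spec == value


def evaluate(rules, pkt: Packet):
    """Return (action, comment) of the first matching rule, or deny by default."""
    for r in rules:
        if (r.direction == pkt.direction and _field_matches(r.src, pkt.src)
                and _field_matches(r.dst, pkt.dst) and r.proto == pkt.proto
                and _port_matches(r.src_port, pkt.src_port)
                and _port_matches(r.dst_port, pkt.dst_port)
                and _field_matches(r.ack, pkt.ack)):
            return r.action, r.comment
    return "deny", "default"


# Broad rule set: written to support a hypothetical protocol that needs inbound
# connections to high ports, but it lets in any new TCP connection to any
# internal port above 1023 from any external source port.
BROAD_RULES = [
    Rule("in", "external", "internal", "tcp", "any", ">1023", "any", "permit", "high-port service"),
    Rule("out", "internal", "external", "tcp", "any", "any", "any", "permit", "outbound"),
]

# Narrow rule set: outbound web client only; inbound packets are accepted
# solely as replies (ACK set) from port 80 to a client port above 1023.
NARROW_RULES = [
    Rule("out", "internal", "external", "tcp", ">1023", 80, "any", "permit", "web client"),
    Rule("in", "external", "internal", "tcp", 80, ">1023", True, "permit", "web replies"),
]

# Constructed sample traffic.
SAMPLE_PACKETS = {
    # New inbound connection to an unrelated internal service on port 8080.
    "new_conn_to_internal_8080": Packet("in", "external", "internal", "tcp", 40000, 8080, False),
    # Legitimate reply to an internal web client.
    "reply_from_web_server": Packet("in", "external", "internal", "tcp", 80, 34567, True),
    # New inbound connection pretending to come from port 80 (ACK not set).
    "new_conn_from_port_80": Packet("in", "external", "internal", "tcp", 80, 34567, False),
}


def decisions(rules) -> dict:
    """Map each sample packet name to the rule set's permit/deny decision."""
    return {name: evaluate(rules, pkt)[0] for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("broad", BROAD_RULES), ("narrow", NARROW_RULES)):
        print(label, decisions(rules))
```

The broad set permits all three sample packets, including the new connection to port 8080, which has nothing to do with the protocol the rule was written for; that is exactly the third-party exposure described above. The narrow set permits only the genuine reply, because it checks the source port and the ACK bit together: the ">1023" convention on the client side is only useful as a filtering criterion when it is paired with a restriction on the other endpoint and on connection direction.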

