i used to install firewalls as a consultant, and i spent a lot of time looking at various configurations. in the intervening years, i've had the chance to keep current and examine a number of firewall devices for new features and configurations, and also to look at some of the changes new technologies (ie WiFi) have brought. all in all, i think i was pretty well prepared to look at "Designing and Building Enterprise Dmzs" from the angle of someone who's a moderate level firewall user.
i think it's fair to say that i'm disappointed in this new volume from Syngress, for numerous reasons. but before i get to the nits and complaints, i'll start with what i did like.
the book is large, nearly 700 pages of text covering a number of major commercial firewall products, such as checkpoint, nokia, microsoft, cisco, juniper netscreen, and sun. i like the fact that the authors were ambitious (more on that later); you do wind up with a lot of information in a single volume. if you've read firewall books before, like the canon from oreilly, then you know a lot about firewalls, but you've probably understood that things are changing. new technologies require new solutions, and new offerings have hit the market. firewalls are now more abundant and more feature filled, and this book does a good job of tackling these products with, often, a good attempt at key coverage.
what i also like about this book is that it's not only about technologies, it's about management and about network layouts. this book doesn't pretend that there's one network, but instead shows how various approaches for various needs can be applied. the authors try to show you how each product's features can support those requirements, and what technologies can be used to guard access or secure hosts in a DMZ. this isn't just a book about firewalls and products.
ok, on to the complaints. you know a book is bad when you spot errors such as a bad CIDR specification for RFC 1918 address space (table 1.4), lots of port lists, and a brief primer on "servers" and services buried deep in a chapter on securing cisco routers (chapter 11, page 540). i suspect the last point is due to the numerous authors in the book and a failure to find a cohesive structure, but that's a major failing of the book. it doesn't find a consistent voice and doesn't provide consistent coverage of the topics.
some chapters spend more time reviewing marketing materials for products (ie the chapter on juniper netscreen devices, chapter 9) than on getting down to a real feature comparison. this is a real failure of this book. the authors had a chance to cover all the major commercial firewalls out there in a clear and unified way, taking an approach that can unify solutions across all of them, and haven't done so. you wind up with inconsistent coverage and have difficulty finding the same information in any of the chapters. it's very tough to have multiple authors writing a book, but the editors should have budgeted time to provide a cohesive voice or enforced coverage standards. the reader would have benefited dramatically from that.
as is often the case with syngress books, the screenshots are too often poorly done. again, this seems to be a function of the chapter and, i'm presuming, the author (based on their stated strengths in the intro to the book). the chapters using web-based and UNIX tools are often filled with poor quality, full screen screenshots that are illegible due to the scaling. the chapters on windows-based tools often have only a small window as a screenshot, enabling better legibility. care needs to be taken for these sorts of things.
the quality of the writing is ok, but it could be better overall. again, a function of the authors, i think, and not a strong editing job. often the writing is not very clear or well organized, and overall the book suffers for it. there's some good info in here, but it's buried under unclear and poorly organized text.
you should look over this book carefully if you're thinking about buying it. this will probably target people in large, heterogeneous environments or people studying for exams. i doubt someone will have all of these technologies in their production environment. however, if you want to see a lot of different firewalls compared, this is worth looking at, but be cautious about buying it.