http://www.dmst.aueb.gr/dds/pubs/Breview/2001-CR-Firewall/html/review.html This is an HTML rendering of a working paper draft that led to a publication. The publication should always be cited in preference to this draft using the following reference:
Diomidis Spinellis
Athens University of Economics and Business
Elizabeth Zwicky, Simon Cooper, and D. Brent Chapman
Building Internet Firewalls, Second Edition
O'Reilly & Associates, Inc., Sebastopol, CA 95472, 2000
869 pp. ISBN 1-56592-871-7
Firewalls are rightly accused of being yet another impediment to one of the Internet's cornerstone building blocks: end-to-end connectivity between hosts. However, the realities of modern operating system and application software security, the proliferation of attack tools and scripts, and the need to centrally coordinate security policy implementation have made firewalls an essential aspect of many Internet connection topologies. "Building Internet Firewalls" contains all the information necessary for planning the deployment, setup, and maintenance of firewall-based security.
The book targets security officers and system administrators and, in most cases, does not assume any domain-specific technical expertise. The book's first part, dealing with network security, covers basic background knowledge including the rationale behind Internet firewalls, a high-level description of Internet services, and a succinct overview of security strategies. The second part of the book provides all the technical information needed to understand how firewalls are designed, built, and operated. It describes Internet packets and protocols, different firewall technologies, architectures used for placing a firewall between the network and the Internet, firewall design, and the particulars of three basic strategies for implementing firewall-based security: packet filtering, proxy systems, and bastion hosts. (Bastion hosts are systems exposed to the Internet as an entity's main contact points; being potentially vulnerable to attack, they need to be highly secured.)

The topology of a network protected by a firewall can get complicated: it can involve the public Internet, a perimeter network, and a number of internal networks with different security requirements. Exterior and interior routers, firewalls, bastion hosts, dedicated servers, backbones, and virtual private networks then come into play. In addition, some functions can be combined on the same host. Fortunately for the reader, many typical topologies are described by means of clear examples and diagrams, while the authors also include a number of (clearly labeled) configurations that should be avoided. The description for setting up a bastion host is sometimes annoyingly generic, until one discovers that two separate chapters provide all the gory details for setting up bastion hosts based on the Unix and Windows operating systems.

Differences between operating systems tend to generate passionate arguments. The authors take pains to provide a balanced treatment of the various flavors of Unix and Microsoft Windows, carefully avoiding direct criticism even when outlining important shortcomings of specific implementations. The Windows configuration instructions are, in contrast with many other texts, technically accurate, revealing a deeper understanding of the often opaque art of Windows system administration.
The configuration of firewalls cannot be automated, nor can it be performed blindly. The person configuring a firewall needs a precise understanding of her organization's networking needs, and detailed knowledge of how various Internet services operate. Only then can she make intelligent decisions concerning whether to support a service over the public Internet, and how to configure the appropriate packet filters or proxy servers and clients. The third part of the book examines in detail the Internet services one is likely to encounter when configuring a firewall. It starts with a generic approach for addressing Internet services and then details intermediary protocols, Web services, email, file sharing, printing, remote access, real-time conferencing, naming, directory, authentication, auditing, and administration services, databases, and games. This part, covering over half of the book's volume, is designed to be used as a reference when configuring a firewall for a specific service. Two concrete firewall examples complement this part's material.
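The two ideas the review touches on above, the screened-subnet topology (public Internet, perimeter network with a bastion host, interior network behind an interior router) and the service-by-service packet filter decisions the configurer has to make, can be made concrete with a small simulation. The following is an added example written for this page; it is not code from the book, its authors, or the review. Every address and port in it is a constructed assumption: 192.0.2.0/24 stands in for the perimeter network, 192.0.2.10 for the bastion host, 10.0.0.0/8 for the internal network and 10.0.0.5 for an internal mail server, and the rule sets are illustrative, not a recommended policy.

```python
"""Toy stateless packet filter modelling a screened-subnet firewall.

Added example for illustration only; the topology, addresses and rules are
constructed assumptions and are not taken from "Building Internet Firewalls".
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed topology (documentation/private ranges, chosen for the example).
PERIMETER = ip_network("192.0.2.0/24")   # assumed perimeter ("DMZ") network
BASTION = "192.0.2.10"                   # assumed bastion host on the perimeter
INTERNAL = ip_network("10.0.0.0/8")      # assumed internal network
INTERNAL_MAIL = "10.0.0.5"               # assumed internal mail server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    src: str                  # CIDR or single address
    dst: str                  # CIDR or single address
    proto: Optional[str]      # None matches any protocol
    dport: Optional[int]      # None matches any port
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules: List[Rule], packet: Packet) -> str:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "deny"


# Exterior router, traffic arriving from the Internet.  The anti-spoofing
# deny is listed first on purpose: rule order decides the verdict.
EXTERIOR_INBOUND = [
    Rule("deny", str(INTERNAL), "0.0.0.0/0", None, None,
         "internal source addresses never legitimately arrive from outside"),
    Rule("allow", "0.0.0.0/0", BASTION, "tcp", 25, "SMTP to the bastion mail relay"),
    Rule("allow", "0.0.0.0/0", BASTION, "tcp", 80, "HTTP to the bastion web server"),
]

# Interior router, traffic from the perimeter network into the internal network.
# Only the bastion may relay mail inward; nothing else crosses.
INTERIOR_INBOUND = [
    Rule("allow", BASTION, INTERNAL_MAIL, "tcp", 25,
         "bastion relays mail to the internal mail server"),
]


def decide(packet: Packet, arrives_from: str) -> str:
    """Walk a packet through the routers it would cross on the modelled topology.

    arrives_from is "internet" (enters at the exterior router) or "perimeter"
    (originates on the perimeter network, e.g. from the bastion host).
    """
    if arrives_from == "internet":
        if evaluate(EXTERIOR_INBOUND, packet) == "deny":
            return "deny"
    elif arrives_from != "perimeter":
        raise ValueError("arrives_from must be 'internet' or 'perimeter'")
    # Anything bound for the internal network must also pass the interior router.
    if ip_address(packet.dst) in INTERNAL:
        return evaluate(INTERIOR_INBOUND, packet)
    return "allow"


if __name__ == "__main__":
    samples = [  # constructed packets
        (Packet("203.0.113.7", BASTION, "tcp", 25), "internet"),       # mail to relay
        (Packet("203.0.113.7", BASTION, "tcp", 23), "internet"),       # telnet to bastion
        (Packet("203.0.113.7", INTERNAL_MAIL, "tcp", 25), "internet"), # direct to internal
        (Packet("10.0.0.9", BASTION, "tcp", 25), "internet"),          # spoofed internal src
        (Packet(BASTION, INTERNAL_MAIL, "tcp", 25), "perimeter"),      # relay inward
        (Packet(BASTION, INTERNAL_MAIL, "tcp", 22), "perimeter"),      # ssh from bastion
    ]
    for pkt, origin in samples:
        print(f"{origin:9} {pkt.src:>12} -> {pkt.dst:<12} {pkt.proto}/{pkt.dport}: "
              f"{decide(pkt, origin)}")
```

Two points the simulation makes that the review's prose does not: the verdict depends on rule order (the spoofed packet to the bastion's SMTP port is refused only because the anti-spoofing deny precedes the allow), and a compromised bastion host can still reach the internal network only on the exact service the interior router permits, which is the reason the book treats bastion hosts as a distinct, heavily hardened component.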
A firewall, even a correctly configured one, is only a part of a site's activities related to security. The last part of "Building Internet Firewalls" examines security policies (sadly without providing a concrete example), firewall maintenance, and security incident response procedures. On-line resources, a three-page annotated bibliography, a list of firewall and security-related tools (in which the excellent Nessus port-scanning tool was unfortunately missing), and a brief introduction to cryptography are provided as appendixes.
Readers who want a comparative evaluation of commercial firewall products will not find it in this book. What they will find is all the information they need for intelligently comparing products and tools, choosing the ones that fit their needs, and correctly configuring the security of their site's Internet access. This is fortunate, because this is what firewalls are all about.