Building Internet Firewalls, 2nd Edition

Larger Cover

By Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman

Publisher: O'Reilly Media

Released: June 2000

Pages: 896

In the five years since the first edition of this classic book was published, Internet use has exploded. The commercial world has rushed headlong into doing business on the Web, often without integrating sound security technologies and policies into their products and methods. The security risks--and the need to protect both business and personal data--have never been greater. We've updated Building Internet Firewalls to address these newer risks.

What kinds of security threats does the Internet pose? Some, like password attacks and the exploiting of known security holes, have been around since the early days of networking. And others, like the distributed denial of service attacks that crippled Yahoo, E-Bay, and other major e-commerce sites in early 2000, are in current headlines.

Firewalls, critical components of today's computer networks, effectively protect a system from most Internet security threats. They keep damage on one part of the network--such as eavesdropping, a worm program, or file damage--from spreading to the rest of the network. Without firewalls, network security problems can rage out of control, dragging more and more systems down.

Like the bestselling and highly respected first edition, Building Internet Firewalls, 2nd Edition, is a practical and detailed step-by-step guide to designing and installing firewalls and configuring Internet services to work with a firewall. Much expanded to include Linux and Windows coverage, the second edition describes:

Firewall technologies: packet filtering, proxying, network address translation, virtual private networks
Architectures such as screening routers, dual-homed hosts, screened hosts, screened subnets, perimeter networks, internal firewalls
Issues involved in a variety of new Internet services and protocols through a firewall
Email and News
Web services and scripting languages (e.g., HTTP, Java, JavaScript, ActiveX, RealAudio, RealVideo)
File transfer and sharing services such as NFS, Samba
Remote access services such as Telnet, the BSD "r" commands, SSH, BackOrifice 2000
Real-time conferencing services such as ICQ and talk
Naming and directory services (e.g., DNS, NetBT, the Windows Browser)
Authentication and auditing services (e.g., PAM, Kerberos, RADIUS);
Administrative services (e.g., syslog, SNMP, SMS, RIP and other routing protocols, and ping and other network diagnostics)
Intermediary protocols (e.g., RPC, SMB, CORBA, IIOP)
Database protocols (e.g., ODBC, JDBC, and protocols for Oracle, Sybase, and Microsoft SQL Server)

The book's complete list of resources includes the location of many publicly available firewall construction tools.

Network Security
1. Chapter 1 Why Internet Firewalls?
  1. What Are You Trying to Protect?
  2. What Are You Trying to Protect Against?
  3. Who Do You Trust?
  4. How Can You Protect Your Site?
  5. What Is an Internet Firewall?
  6. Religious Arguments
2. Chapter 2 Internet Services
  1. Secure Services and Safe Services
  2. The World Wide Web
  3. Electronic Mail and News
  4. File Transfer, File Sharing, and Printing
  5. Remote Access
  6. Real-Time Conferencing Services
  7. Naming and Directory Services
  8. Authentication and Auditing Services
  9. Administrative Services
  10. Databases
  11. Games
3. Chapter 3 Security Strategies
  1. Least Privilege
  2. Defense in Depth
  3. Choke Point
  4. Weakest Link
  5. Fail-Safe Stance
  6. Universal Participation
  7. Diversity of Defense
  8. Simplicity
  9. Security Through Obscurity
Building Firewalls
1. Chapter 4 Packets and Protocols
  1. What Does a Packet Look Like?
  2. IP
  3. Protocols Above IP
  4. Protocols Below IP
  5. Application Layer Protocols
  6. IP Version 6
  7. Non-IP Protocols
  8. Attacks Based on Low-Level Protocol Details
2. Chapter 5 Firewall Technologies
  1. Some Firewall Definitions
  2. Packet Filtering
  3. Proxy Services
  4. Network Address Translation
  5. Virtual Private Networks
3. Chapter 6 Firewall Architectures
  1. Single-Box Architectures
  2. Screened Host Architectures
  3. Screened Subnet Architectures
  4. Architectures with Multiple Screened Subnets
  5. Variations on Firewall Architectures
  6. Terminal Servers and Modem Pools
  7. Internal Firewalls
4. Chapter 7 Firewall Design
  1. Define Your Needs
  2. Evaluate the Available Products
  3. Put Everything Together
5. Chapter 8 Packet Filtering
  1. What Can You Do with Packet Filtering?
  2. Configuring a Packet Filtering Router
  3. What Does the Router Do with Packets?
  4. Packet Filtering Tips and Tricks
  5. Conventions for Packet Filtering Rules
  6. Filtering by Address
  7. Filtering by Service
  8. Choosing a Packet Filtering Router
  9. Packet Filtering Implementations for General-Purpose Computers
  10. Where to Do Packet Filtering
  11. What Rules Should You Use?
  12. Putting It All Together
6. Chapter 9 Proxy Systems
  1. Why Proxying?
  2. How Proxying Works
  3. Proxy Server Terminology
  4. Proxying Without a Proxy Server
  5. Using SOCKS for Proxying
  6. Using the TIS Internet Firewall Toolkit for Proxying
  7. Using Microsoft Proxy Server
  8. What If You Can't Proxy?
7. Chapter 10 Bastion Hosts
  1. General Principles
  2. Special Kinds of Bastion Hosts
  3. Choosing a Machine
  4. Choosing a Physical Location
  5. Locating Bastion Hosts on the Network
  6. Selecting Services Provided by a Bastion Host
  7. Disabling User Accounts on Bastion Hosts
  8. Building a Bastion Host
  9. Securing the Machine
  10. Disabling Nonrequired Services
  11. Operating the Bastion Host
  12. Protecting the Machine and Backups
8. Chapter 11 Unix and Linux Bastion Hosts
  1. Which Version of Unix?
  2. Securing Unix
  3. Disabling Nonrequired Services
  4. Installing and Modifying Services
  5. Reconfiguring for Production
  6. Running a Security Audit
9. Chapter 12 Windows NT and Windows 2000 Bastion Hosts
  1. Approaches to Building Windows NT Bastion Hosts
  2. Which Version of Windows NT?
  3. Securing Windows NT
  4. Disabling Nonrequired Services
  5. Installing and Modifying Services
Internet Services
1. Chapter 13 Internet Services and Firewalls
  1. Attacks Against Internet Services
  2. Evaluating the Risks of a Service
  3. Analyzing Other Protocols
  4. What Makes a Good Firewalled Service?
  5. Choosing Security-Critical Programs
  6. Controlling Unsafe Configurations
2. Chapter 14 Intermediary Protocols
  1. Remote Procedure Call (RPC)
  2. Distributed Component Object Model (DCOM)
  3. NetBIOS over TCP/IP (NetBT)
  4. Common Internet File System (CIFS) and Server Message Block (SMB)
  5. Common Object Request Broker Architecture (CORBA) and Internet Inter-Orb Protocol (IIOP)
  6. ToolTalk
  7. Transport Layer Security (TLS) and Secure Socket Layer (SSL)
  8. The Generic Security Services API (GSSAPI)
  9. IPsec
  10. Remote Access Service (RAS)
  11. Point-to-Point Tunneling Protocol (PPTP)
  12. Layer 2 Transport Protocol (L2TP)
3. Chapter 15 The World Wide Web
  1. HTTP Server Security
  2. HTTP Client Security
  3. HTTP
  4. Mobile Code and Web-Related Languages
  5. Cache Communication Protocols
  6. Push Technologies
  7. RealAudio and RealVideo
  8. Gopher and WAIS
4. Chapter 16 Electronic Mail and News
  1. Electronic Mail
  2. Simple Mail Transfer Protocol (SMTP)
  3. Other Mail Transfer Protocols
  4. Microsoft Exchange
  5. Lotus Notes and Domino
  6. Post Office Protocol (POP)
  7. Internet Message Access Protocol (IMAP)
  8. Microsoft Messaging API (MAPI)
  9. Network News Transfer Protocol (NNTP)
5. Chapter 17 File Transfer, File Sharing, and Printing
  1. File Transfer Protocol (FTP)
  2. Trivial File Transfer Protocol (TFTP)
  3. Network File System (NFS)
  4. File Sharing for Microsoft Networks
  5. Summary of Recommendations for File Sharing
  6. Printing Protocols
  7. Related Protocols
6. Chapter 18 Remote Access to Hosts
  1. Terminal Access (Telnet)
  2. Remote Command Execution
  3. Remote Graphical Interfaces
7. Chapter 19 Real-Time Conferencing Services
  1. Internet Relay Chat (IRC)
  2. ICQ
  3. talk
  4. Multimedia Protocols
  5. NetMeeting
  6. Multicast and the Multicast Backbone (MBONE)
8. Chapter 20 Naming and Directory Services
  1. Domain Name System (DNS)
  2. Network Information Service (NIS)
  3. NetBIOS for TCP/IP Name Service and Windows Internet Name Service
  4. The Windows Browser
  5. Lightweight Directory Access Protocol (LDAP)
  6. Active Directory
  7. Information Lookup Services
9. Chapter 21 Authentication and Auditing Services
  1. What Is Authentication?
  2. Passwords
  3. Authentication Mechanisms
  4. Modular Authentication for Unix
  5. Kerberos
  6. NTLM Domains
  7. Remote Authentication Dial-in User Service (RADIUS)
  8. TACACS and Friends
  9. Auth and identd
10. Chapter 22 Administrative Services
  1. System Management Protocols
  2. Routing Protocols
  3. Protocols for Booting and Boot-Time Configuration
  4. ICMP and Network Diagnostics
  5. Network Time Protocol (NTP)
  6. File Synchronization
  7. Mostly Harmless Protocols
11. Chapter 23 Databases and Games
  1. Databases
  2. Games
12. Chapter 24 Two Sample Firewalls
  1. Screened Subnet Architecture
  2. Merged Routers and Bastion Host Using General-Purpose Hardware
Keeping Your Site Secure
1. Chapter 25 Security Policies
  1. Your Security Policy
  2. Putting Together a Security Policy
  3. Getting Strategic and Policy Decisions Made
  4. What If You Can't Get a Security Policy?
2. Chapter 26 Maintaining Firewalls
  1. Housekeeping
  2. Monitoring Your System
  3. Keeping up to Date
  4. How Long Does It Take?
  5. When Should You Start Over?
3. Chapter 27 Responding to Security Incidents
  1. Responding to an Incident
  2. What to Do After an Incident
  3. Pursuing and Capturing the Intruder
  4. Planning Your Response
  5. Being Prepared
Appendixes
1. Appendix A Resources
  1. Web Pages
  2. FTP Sites
  3. Mailing Lists
  4. Newsgroups
  5. Response Teams
  6. Other Organizations
  7. Conferences
  8. Papers
  9. Books
2. Appendix B Tools
  1. Authentication Tools
  2. Analysis Tools
  3. Packet Filtering Tools
  4. Proxy Systems Tools
  5. Daemons
  6. Utilities
3. Appendix C Cryptography
  1. What Are You Protecting and Why?
  2. Key Components of Cryptographic Systems
  3. Combined Cryptography
  4. What Makes a Protocol Secure?
  5. Information About Algorithms

Colophon

Title:

Building Internet Firewalls, 2nd Edition

By:

Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman

Publisher:

O'Reilly Media

Formats:

Print
Ebook
Safari Books Online

Print:

June 2000

Ebook:

February 2009

Pages:

896

Print ISBN:

978-1-56592-871-8

| ISBN 10:

1-56592-871-7

Ebook ISBN:

978-0-596-10325-5

| ISBN 10:

0-596-10325-5

Colophon

Our look is the result of reader comments, our own experimentation, and feedback from distribution channels. Distinctive covers complement our distinctive approach to technical topics, breathing personality and life into potentially dry subjects. The illustration on the cover of Building Internet Firewalls is of a doorway of Gothic design, topped by a crenelated parapet. The period of Gothic architecture is often said to have begun in the mid-12th century, when the church of Saint-Denis was built, in Paris in 1144. The architect of that church is unknown. Although Gothic architecture was mainly used in the building of churches, by the late 13th century it was used for secular purposes also, including fortifications. The structure of the merlons (the raised portions of the parapet) in this illustration gives information about the date and place of construction. The oblique sides of the merlons suggest that the doorway was built in the 14th century, and the plain but sloping top suggests that it was built in England or France.

Merlons were designed to provide defense to those inside the fortification, while crenels (the recessed portions between the merlons) let them shoot projectiles at attacking enemies. Given the size of this door, and the relatively low merlons, this may have been a postern, a doorway used by foot travellers to avoid lowering the main gate. Madeleine Newell was the production coordinator for this book. Nancy Crumpton provided all editorial and production services and wrote the index. Mike Sierra provided FrameMaker technical support. Nancy Kotary and Jane Ellin provided quality control.

Edie Freedman designed the cover of this book, using a 19th-century engraving from Heck's Pictorial Archive of Art and Architecture. The cover layout was produced by Emma Colby with QuarkXPress 3.3 using the ITC Garamond font. Whenever possible, our books use a durable and flexible lay-flat binding. If the page count exceeds this binding's limit, perfect binding is used.

The inside layout for this second edition was adapted by Alicia Cech and David Futato from a design created by Nancy Priest, Edie Freedman, and Jennifer Niederst, and was implemented by Mike Sierra in FrameMaker 5.5.6. The text and heading fonts are ITC Garamond Light and Garamond Book. Chris Reilley created the figures for the first edition of this book; Robert Romano and Rhon Porter adapted those figures and created new figures for this second edition using Adobe Photoshop 5 and Macromedia Freehand 8. This colophon was written by Clairemarie Fisher O'Leary.

Description

Table of Contents

Product Details

About the Author

Colophon

Recommended for You

Recently Viewed

Dynamic Learning: Photoshop CS3

By Jennifer Smith, AGI Creative Team

July 2007

Print: $44.99

Practical Perforce

Channeling the Flow of Change in Software Development Collaboration

By Laura Wingerd

November 2005

Ebook: $31.99

Print & Ebook: $43.95

Print: $39.95

ASP.NET 2.0: A Developer's Notebook

By Wei-Meng Lee

June 2005

Ebook: $23.99

Print & Ebook: $32.95

Print: $29.95

Customer Reviews

REVIEW SNAPSHOT®

by PowerReviews

oreilly Building Internet Firewalls, Second Edition

4.9

(based on 7 reviews)

REVIEWS

Reviewed by 7 customers

Sort by

Displaying reviews 1-7

2/29/2004

(4 of 4 customers found this review helpful)

5.0

Building Internet Firewalls, 2nd Edition Review

By Anonymous

from Undisclosed

Comments about oreilly Building Internet Firewalls, Second Edition:

Very usefull book for admins! While I learned quite a bit of good information, the second section (Building Firewalls) is where I personally learned the most. The chapters in this section discuss topics like packet filtering, firewall architectures and design, proxy systems and bastion hosts.

An informative, well-put together book that can be used as a reference and >in some sections, a tutorial as well.

The book also talks about reasons for having (or not having) a firewall,security issues and near the end of the book, what to do if the site you're protecting with a firewall does get broken into.

Kate Lea

3/16/2002

(1 of 1 customers found this review helpful)

5.0

Building Internet Firewalls, 2nd Edition Review

By Shane Witschen

from Undisclosed

Comments about oreilly Building Internet Firewalls, Second Edition:

This book was excellent. Coming from a programmer's perspective (and having a fairly limited experience with bare-bones networking topology), I was thoroughly impressed with the brilliant way this information was presented. I read this entire book in 4 days, and was hooked on the way in which its technical precision was presented in such an understandable manner.

I haven't taken this much raw, fresh, and applicable knowledge from a book in quite some time, and for every situation where I found myself wondering about another item: its explanation wasn't far behind. Very excellent presentation, and advanced readers will find it easy to circumvent unneeded chapters without sacrificing continuity. I would most certainly recommend this book to anyone needing to work with and/or implement a firewall, and especially for anyone interested in network security as a whole. Extremely heads up, and a must for System Administrators!!

8/16/2001

(1 of 1 customers found this review helpful)

5.0

Building Internet Firewalls, 2nd Edition Review

By Graham Barber

from Undisclosed

Comments about oreilly Building Internet Firewalls, Second Edition:

I found this book both informative and extremely accessible - a rare combination in technical writing. Not only were all the issues I was interested in covered, they were treated both concisely and with an approachable and even occasionally humorous tone which is quite refreshing.

Where the book did not go into extensive detail it gave a very comprehensive introduction to the topic and certainly made researching the required level of detail independently much easier.

6/24/2001

(0 of 2 customers found this review helpful)

4.0

Building Internet Firewalls, 2nd Edition Review

By rakib

from Undisclosed

Comments about oreilly Building Internet Firewalls, Second Edition:

very good

9/7/2000

5.0

Building Internet Firewalls, 2nd Edition Review

By Dario Gnaccarini

from Undisclosed

Comments about oreilly Building Internet Firewalls, Second Edition:

It was from a long time that reading a book about solutions was not a product manual; this is definitively a plain explanation about haow technologies are working and how to manage them if you want to build a firewall understanding what it is and what is needed to build it on a service prospective. Thanks a lot to the authors

8/28/2000

(1 of 2 customers found this review helpful)

5.0

Building Internet Firewalls, 2nd Edition Review

By Todd Hawley

from Undisclosed

Comments about oreilly Building Internet Firewalls, Second Edition:

Good reference on firewalls

This second edition explains in great detail about firewalls, both in building them (and the software and hardware you can use) and maintaining them. It also discusses the different types of firewalls available, which services you want to protect (World Wide Web, electronic mail and netnews,

FTP, telnet, teleconferencing, for example).

The book is timely enough to discuss the 'break-ins' of several well-known web sites earlier this year, thus pointing out one need for the use of firewalls. While I learned quite a bit of good information, the second section (Building Firewalls) is where I personally learned the most. The chapters in this section discuss topics like packet filtering, firewall >architectures and design, proxy systems and bastion hosts.

The book also talks about reasons for having (or not having) a firewall,security issues and near the end of the book, what to do if the site you're

protecting with a firewall does get broken into.

An informative, well-put together book that can be used as a reference and >in some sections, a tutorial as well.

7/27/2000

(1 of 1 customers found this review helpful)

5.0

Building Internet Firewalls, 2nd Edition Review

By Anonymous

from Undisclosed

Comments about oreilly Building Internet Firewalls, Second Edition:

I have read just about every book out there about firewalls, and have to say that this book is: concise, to the point and EXTREAMLY informative. A must have for anyone that wants to learn about security, and more specifically firewall procedures, policies and configurations.

Displaying reviews 1-7

Save a Tree - Go Digital what is this?

Ebook: $47.99

Formats: DAISY, ePub, Mobi, PDF

Print & Ebook: $65.99

Print: $59.99

Safari Books Online - Read now >

Network Security

Chapter 1 Why Internet Firewalls?

Chapter 2 Internet Services

Chapter 3 Security Strategies

Building Firewalls

Chapter 4 Packets and Protocols

Chapter 5 Firewall Technologies

Chapter 6 Firewall Architectures

Chapter 7 Firewall Design

Chapter 8 Packet Filtering

Chapter 9 Proxy Systems

Chapter 10 Bastion Hosts

Chapter 11 Unix and Linux Bastion Hosts

Chapter 12 Windows NT and Windows 2000 Bastion Hosts

Internet Services

Chapter 13 Internet Services and Firewalls

Chapter 14 Intermediary Protocols

Chapter 15 The World Wide Web

Chapter 16 Electronic Mail and News

Chapter 17 File Transfer, File Sharing, and Printing

Chapter 18 Remote Access to Hosts

Chapter 19 Real-Time Conferencing Services

Chapter 20 Naming and Directory Services

Chapter 21 Authentication and Auditing Services

Chapter 22 Administrative Services

Chapter 23 Databases and Games

Chapter 24 Two Sample Firewalls

Keeping Your Site Secure

Chapter 25 Security Policies

Chapter 26 Maintaining Firewalls

Chapter 27 Responding to Security Incidents

Appendixes

Appendix A Resources

Appendix B Tools

Appendix C Cryptography

Colophon

Simon Cooper

About O'Reilly

Community

More O'Reilly Sites

Partner Sites

Shop O'Reilly