Firewalls and Internet Security - Repelling the Wily Hacker

Danny Yee

Issue #6, October 1994

Firewalls and Internet Security tells you how to connect a network to the Internet without exposing all your computers to nefarious attacks.

Author: William R. Cheswick and Steven M. BellovinPublisher: Addison-WesleyISBN: 0-201-63357-4Reviewed by Danny Yee

Summary: you thought you were already paranoid?

Cheswick and Bellovin have written the first book that deals specifically with the security of whole networks rather than of individual hosts. Based on their experience administering the Internet firewall at AT&T, as well as on existing papers and reports, Firewalls and Internet Security tells you how to connect a network to the Internet without exposing all your computers to nefarious attacks. It begins with an introduction to security issues and a review of TCP/IP protocols from the point of view of security, but the reader is assumed to have a good understanding of the TCP/IP, an understanding of basic security concepts and some knowledge of Unix.

The core of the book is a detailed look at how to set up and run a firewall. This begins by covering the mechanics of setting up a packet filter, application and circuit gateways, the uses and abuses of tunneling and the general limitations of firewalls. A long chapter then goes into some detail in describing the application level gateway setup at AT&T. Also contains a brief discussion of user authentication and a description of useful tools such as connection libraries, network monitors and logging programs. (They recommend doing a lot of logging.) Also discussed are counter-intelligence measures, decoys and lures, and how to use standard hacking tools to test your security yourself. The stress throughout is on keeping things simple, in traditional Unix style.

Cheswick and Bellovin then look at how things actually work in practice. Here they present a general typology of network attacks, an account of their encounter with the infamous 'Berferd' hacker in 1991, and some statistics on penetration attempts from their logs. I'm a bit unsure about some of the conclusions they draw from the latter (see below), but it's good to see some statistics being published.

To round things off there are chapters on legal issues (if you watch a hacker instead of kicking him off at once, are you responsible for any damage he does while using your system to connect elsewhere?) and cryptography. The appendix contains a list of free resources - software packages and information sources - available to those trying to maintain secure networks, a port by port analysis of TCP and UDP protocol weaknesses and some suggestions for vendors and manufacturers of networking hardware and software.

This is great stuff, and I have only one quibble. I feel Cheswick and Bellovin are a little too paranoid in places, not in their evaluation of possible threats or in the precautions they suggest, but in their evaluation of the intensity of hacking activity. So attempts to rlogin in to their gateway as root, while they may be “evil”, are almost certainly due to bored university undergraduates - I should think it's the last thing a competent hacker would try. (Of course competent hackers probably have more sense than to attack a hardened target like AT&T at all, let alone head on.) Attempts to log in as guest, demo or visitor are surely signs of cluelessness, and hardly deserve to be labelled “attacks” or “evil”. And a graph which is supposed to show that hackers are less active on weekends, to me suggests instead that most of their “penetration” attempts are from company employees or university students who don't even have net access on weekends. Using the term “hacker” instead of “cracker” for those up to no good is one thing; debasing the term to include everyone capable of typing “rlogin research.att.com -l root” is another. It's a far cry from that to being able to mount sequence number attacks on TCP connections.

Firewalls and Internet Security has no rival; while much of the information it provides is available elsewhere, no comparable summary exists. Anyone in charge of installing or administering an Internet firewall would be insane not to get a copy. And while some of it is irrelevant to smaller sites, much will be useful to anyone concerned with TCP/IP network security. That said, it should be pointed out again that this is not an introductory book on security; not only does it assume a solid knowledge of internet protocols, but it doesn't deal with anything except external network threats. Of course anyone with pretensions to being an Internet hacker will also want to read this book (if only to find out why they shouldn't try to crack AT&T :-) and it can be read just for enjoyment. As well as being extremely informative, Firewalls is also extremely entertaining, with the authors managing to inject some lightheartedness into their subject while still respecting its seriousness. I finished my copy within a day of receiving it.

Declaration of interest: I requested and received a review copy of Firewalls and Internet Security from Addison-Wesley, but have no stake, financial or otherwise, in its success.

Firewalls and Internet Security - Repelling the Wily Hacker, by William R. Cheswick and Steven M. Bellovin. ISBN 0-201-63357-4

Danny Yee danny@cs.su.oz.au

This review and other reviews by Danny Yee are available by anonymous ftp from ftp.cs.su.oz.au in danny/book-reviews.

Comments on my reviews are always welcome. Criticism of any kind is particularly appreciated - anything from pointing out spelling mistakes to disagreement with the basic assumptions of the review.