REVIEW: "Firewalls Complete", Marcus Goncalves (fwd)

From: Darren Reed (darrenrat_private)
Date: Thu May 14 1998 - 09:50:07 PDT


    Date: Thu, 14 May 1998 08:10:35 -0800
    Subject: REVIEW: "Firewalls Complete", Marcus Goncalves
    Reply-to: rsladeat_private
    Priority: normal
    
    BKFWCMPL.RVW   980315
    
    "Firewalls Complete", Marcus Goncalves, 1998, 0-07-024645-9, U$54.95
    %A   Marcus Goncalves goncalvesat_private
    %C   300 Water Street, Whitby, Ontario   L1N 9B6
    %D   1998
    %G   0-07-024645-9
    %I   McGraw-Hill Ryerson/Osborne
    %O   U$54.95 800-565-5758 fax: 905-430-5020 louiseaat_private
    %P   632 p. + CD-ROM
    %T   "Firewalls Complete"
    
    While there is a large amount of information in this book, and a
    particularly valuable compilation of vendor data, I am not sure that I
    can agree with the claim to be complete.  It is difficult to point out
    specific gaps in the work, since the whole volume could use a thorough
    reorganization.
    
    Part one is described as a reference section.  Chapter one, rather
    oddly for a security book, deals not with security, but with the
    TCP/IP suite of protocols.  This appears to set the stage for a
    technical treatment of the subject.  Networking details continue in
    chapter two with an overview of the various connection methods over
    the net.  I am always delighted to get more information about new
    Kermit products, but I would sympathize with any reader who was
    confused about what this material may have to do with firewalls. 
    Encryption gets a brief review in chapter three.  The content gets the
    basics across, but is of uneven depth between topics.  Chapter four
    does start to provide security, and specifically firewall, related
    information in regard to the Web.  The data is good, but seems to be
    somewhat random and unstructured.  Advanced Web security areas
    (including a more detailed examination of ActiveX vulnerabilities) are
    found in chapter five.  Chapter six looks at specific programming
    problems with the standard net APIs (Applications Programming
    Interfaces) but does not address firewall responses.
    
    Firewall technologies, implementations, and limitations are discussed
    in part two.  Chapter seven attempts to define firewalls and describe
    firewall technologies, but concentrates almost exclusively on packet
    filtering aspects.  Vulnerabilities of individual Internet
    applications are the subject of chapter eight, but many concerns
    mentioned are more potential than actual (and thus difficult to defend
    against) while a good deal of the content (including a complete, ten
    page Perl script) is repeated from earlier chapters.  "Setting Up a
    Firewall Security Policy," in chapter nine, is much broader, touching
    on many security topics that may have little or nothing to do with
    firewalls.  An example is the information on viruses, which is
    generally trite.  The overview of antiviral software betrays no
    knowledge of activity monitoring or change detection classes of
    programs.  The recommended protection procedure suggests copying
    downloaded programs to a floppy disk rather than the hard disk, which
    is both useless (malicious software invoked from floppy will generally
    happily destroy data on your hard drive) and impractical
    in these days of enormous packages.  The more effective approach would
    involve a type of firewall: an isolated machine that could download
    software and test it before the programs were used on production
    machines.  Chapter ten is supposed to address issues of design and
    implementation, but deals primarily with considerations for evaluation
    of specific products.  The question of design is made more problematic
    by the fact that the second major type of firewall Goncalves proposes,
    an application gateway, while first mentioned in chapter seven, is not
    defined until chapter eleven as a more generic form of a proxy server,
    which is itself first mentioned in chapter five but not described
    until this point.  Chapter twelve covers basic auditing of the
    firewall, while chapter thirteen promotes the TIS Internet Firewall
    Toolkit and offers three ludicrously short "case studies."
    
    Part three is chapter fourteen, which lists firewall vendors and
    products.  Descriptions of the products are extensive, and sometimes
    technically detailed, but it is difficult to call them evaluations,
    since there is little analysis of strengths and weaknesses.  It is
    also hard to make comparisons, since there is little similarity of
    format in the entries.  Appendix A is a collection of vendor contact
    information.
    
    Goncalves' writing on any given section is quite readable. 
    Explanations are clear and illustrations can even be amusing.  At
    times it seemed that the material was moving into common traps and
    misconceptions, but ultimately the analysis is generally balanced and
    realistic.  However, in some cases there is an apparent contradiction
    between one paragraph and the next.  The incongruity disappears on
    more rigorous scrutiny, but the text can be startling.  In addition,
    the structure of the book, both overall and within individual
    chapters, leaves something to be desired.  It can be difficult to
    follow developing concepts, and also to use the book as a reference by
    going back to specific topics to pick up particular points.
    
    As an adjunct to Cheswick and Bellovin's "Firewalls and Internet
    Security" (cf. BKFRINSC.RVW) or Chapman and Zwicky's more practical
    "Building Internet Firewalls" (cf. BKBUINFI.RVW), this work does have
    useful information.  As a reference or introduction it falls short.
    
    copyright Robert M. Slade, 1998   BKFWCMPL.RVW   980315
    


