Building Internet Firewalls
===========================

by D. Brent Chapman and Elizabeth D. Zwicky
Published by O'Reilly & Associates
1st Edition September 1995
517 Pages
ISBN 1-56592-124-0
List price $29.95

10% discount from Great Circle Associates
=========================================

Overview
========

Everyone is jumping on the Internet bandwagon, despite the fact that the security risks associated with connecting to the Internet have never been greater. This book is a practical guide to building firewalls on the Internet. It describes a variety of firewall approaches and architectures and discusses how you can build packet filtering and proxying solutions at your site. It also contains a full discussion of how to configure Internet services (e.g., FTP, SMTP, Telnet) to work with a firewall, as well as a complete list of resources, including the location of many publicly available firewall construction tools.

Key Points
==========

The book is practical, not theoretical, unlike so many security books. It shows clearly what you need to decide and what you need to do to select and install a firewall.

The book is filled with diagrams that help make complex concepts easy to follow.

Although this book is aimed primarily at system administrators, Parts I and III of the book, which discuss Internet security risks, pros and cons of firewalls, and the development of security policies and responses to security incidents, are appropriate for managers and anyone who needs to make a business decision about the risks of getting connected to the Internet.

Description
===========

More than a million systems are now connected to the Internet, and something like 15 million people in 100 countries on all seven continents use Internet services. More than 100 million email messages are exchanged each day, along with countless files, documents, and audio and video images. Everyone is jumping on the Internet bandwagon.
Once a haven for academicians and scientists, the Net is now reaching large and small businesses, government at all levels, school children, and senior citizens. The commercial world is rushing headlong into doing business on the Internet, barely pausing while technologies and policies catch up with their desire to go online. But too few of the seekers after Internet wisdom and riches consider whether their businesses will be safe on the Internet.

What kinds of security risks are posed by the Internet? Some risks have been around since the early days of networking -- password attacks (guessing them or cracking them via password dictionaries and cracking programs), denial of service, and exploiting known security holes. Some risks are newer and even more dangerous -- password sniffers, IP (Internet Protocol) forgery, and various types of hijacking attacks.

Firewalls are a very effective way to protect your system from these Internet security threats. Firewalls in computer networks keep damage on one part of the network (e.g., eavesdropping, a worm program, file damage) from spreading to the rest of the network. Without firewalls, network security problems can rage out of control, dragging more and more systems down.

What is a firewall? It's a hardware and/or software solution that restricts access from your internal network to the Internet -- and vice versa. A firewall may also be used to separate two or more parts of your local network (for example, protecting finance from R&D). The firewall is installed at the perimeter of the network, ordinarily where it connects to the Internet. You can think of a firewall as a checkpoint; all traffic, incoming and outgoing, is stopped at this point. Because every packet must pass through it, the firewall can check that the traffic is acceptable. "Acceptable" means that whatever is passing through -- email, file transfers, remote logins, NFS mounts, etc. -- conforms to the security policy of the site.
Building Internet Firewalls is a practical guide to building firewalls on the Internet. If your site is connected to the Internet, or if you're considering getting connected, you need this book. It describes a variety of firewall approaches and architectures and discusses how you can build packet filtering and proxying solutions at your site. It also contains a full discussion of how to configure Internet services (e.g., FTP, SMTP, Telnet) to work with a firewall. The book also includes a complete list of resources, including the location of many publicly available firewall construction tools.

The book is divided into four parts:

Part I discusses Internet threats, the benefits of firewalls, overall security strategies, and a summary of Internet services and their security risks.

Part II describes possible firewall designs and general terms and concepts, how to protect the bastion host in your firewall configuration, how to build proxying and packet filtering firewalls, and how to configure Internet services to operate with a firewall.

Part III describes how to maintain a firewall, develop a security policy, and respond to a security incident.

Part IV contains appendices consisting of a resource summary, a directory of how to find firewall toolkits and other security-related tools, and a detailed summary providing TCP/IP background information.
Table of Contents
=================

Foreword
Preface

Part I: Network Security
    Chapter 1: Why Internet Firewalls
    Chapter 2: Internet Services
    Chapter 3: Security Strategies

Part II: Building Firewalls
    Chapter 4: Firewall Design
    Chapter 5: Bastion Hosts
    Chapter 6: Packet Filtering
    Chapter 7: Proxy Systems
    Chapter 8: Configuring Internet Services
    Chapter 9: Two Sample Firewalls
    Chapter 10: Authentication and Inbound Services

Part III: Keeping Your Site Secure
    Chapter 11: Security Policies
    Chapter 12: Maintaining Firewalls
    Chapter 13: Responding to Security Incidents

Part IV: Appendices
    Appendix A: Resources
    Appendix B: Tools
    Appendix C: TCP/IP Fundamentals

Audience
========

Primarily system administrators, although managers who are concerned about securing their systems or deciding whether to connect to the Internet will get a lot of general information from Parts I and III of this book.

Reviews
=======

In these dangerous times, firewalls should be at the very center of your security plans. . . Chapman and Zwicky have written a book that will raise consciousness of, and competence in, Internet security to a new level.
    -- Ed DeHart, Technical Advisor at the Computer Emergency Response Team Coordination Center (CERT-CC)

By focusing on firewalls and how they provide network-wide protection from the outside world, this must-have book stands out from the crowd. . . If you are building, buying, managing, or just considering a firewall, this is the book you want.
    -- Steve Simmons, president of Inland Sea, former president of the System Administrators Guild (SAGE)

About the Authors
=================

D. Brent Chapman is a consultant in the San Francisco Bay Area, specializing in Internet firewalls. He has designed and built Internet firewall systems for a wide range of clients, using a variety of techniques and technologies.
Before founding Great Circle Associates, he was operations manager for a financial services company, a world-renowned corporate research lab, a software engineering company, and a hardware engineering company. He holds a bachelor of science degree in electrical engineering and computer science from the University of California, Berkeley. He is the manager of the Firewalls Internet mailing list. In his spare time, Brent is a volunteer search and rescue pilot, disaster relief pilot, and mission coordinator for the California Wing of the Civil Air Patrol (the civilian auxiliary of the United States Air Force).

Elizabeth D. Zwicky is a senior system administrator at Silicon Graphics and the president of SAGE (the System Administrators Guild). She has been doing large-scale UNIX system administration for 10 years and was a founding board member of both SAGE and BayLISA (the San Francisco Bay Area system administrators' group), as well as a non-voting member of the first board of the Australian system administration group, SAGE-AU. She has been involuntarily involved in Internet security since before the Internet worm. In her lighter moments, she is one of the few people who makes significant use of the "rand" function in PostScript, producing PostScript documents that are different every time they're printed.

10% discount for Internet orders
================================

Please print this page, fill in the blanks, and fax or mail it back to us along with your payment. Sorry, but we aren't yet willing to ask our customers to send their credit card numbers over the Internet!
Quantity   Description                                          Price Each   Total
--------   -----------                                          ----------   -----
________   Building Internet Firewalls                          $29.95 ea    ________
           10% Internet order discount                          -$3.00 ea    ________

           SUBTOTAL                                                          ========

           Sales Tax (California addresses only)                _______ %    ________
               7.75%  Santa Clara County
               7.25%  All other California counties
               0.0%   Outside California

           Shipping & Handling -- $2 + $2 per book (USA only)                ________
           (1 book = $4, 2 books = $6, 3 books = $8, etc.)
           International buyers please contact Great Circle Associates for shipping

           TOTAL                                                             ========

[ ] Payment Enclosed. Make checks payable in U.S. dollars to Great Circle Associates.

[ ] Charge to:  [ ] Visa  [ ] MasterCard  [ ] American Express

    Account Number _________________________________  Expires ______________________

    Cardholder's Name ______________________  Signature ____________________________

Shipping Information
====================

Name ___________________________________________________________________________

Company/Institution ____________________________________________________________

Mailing Address ________________________________________________________________

City, State ZIP ________________________________________________________________

Telephone ( ) _______________________  Fax ( ) _______________________

E-mail _________________________________________________________________________

Please send completed order form and payment to:
================================================

Great Circle Associates
1057 West Dana Street
Mountain View, CA 94041

If paying by credit card, you can fax your order to +1 415 962 0842.

For further information, please call Great Circle Associates at 1-800-270-2562 or +1 415 962 0841, or email book-orders@GreatCircle.COM