Firewall Wizards mailing list archives

REVIEW: "Firewalls Complete", Marcus Goncalves (fwd)


From: Darren Reed <darrenr () reed wattle id au>
Date: Fri, 15 May 1998 02:50:07 +1000 (EST)

Date: Thu, 14 May 1998 08:10:35 -0800
Subject: REVIEW: "Firewalls Complete", Marcus Goncalves
Reply-to: rslade () sprint ca
Priority: normal

BKFWCMPL.RVW   980315

"Firewalls Complete", Marcus Goncalves, 1998, 0-07-024645-9, U$54.95
%A   Marcus Goncalves goncalves () process com
%C   300 Water Street, Whitby, Ontario   L1N 9B6
%D   1998
%G   0-07-024645-9
%I   McGraw-Hill Ryerson/Osborne
%O   U$54.95 800-565-5758 fax: 905-430-5020 louisea () McGrawHill ca
%P   632 p. + CD-ROM
%T   "Firewalls Complete"

While there is a large amount of information in this book, and a
particularly valuable compilation of vendor data, I am not sure that I
can agree with the claim to be complete.  It is difficult to point out
specific gaps in the work, since the whole volume could use a thorough
reorganization.

Part one is described as a reference section.  Chapter one, rather
oddly for a security book, deals not with security, but with the
TCP/IP suite of protocols.  This appears to set the stage for a
technical treatment of the subject.  Networking details continue in
chapter two with an overview of the various connection methods over
the net.  I am always delighted to get more information about new
Kermit products, but I would sympathize with any reader who was
confused about what this material may have to do with firewalls. 
Encryption gets a brief review in chapter three.  The content gets the
basics across, but is of uneven depth between topics.  Chapter four
does start to provide security, and specifically firewall, related
information in regard to the Web.  The data is good, but seems to be
somewhat random and unstructured.  Advanced Web security areas
(including a more detailed examination of ActiveX vulnerabilities) are
found in chapter five.  Chapter six looks at specific programming
problems with the standard net APIs (Applications Programming
Interfaces) but does not address firewall responses.

Firewall technologies, implementations, and limitations are discussed
in part two.  Chapter seven attempts to define firewalls and describe
firewall technologies, but concentrates almost exclusively on packet
filtering aspects.  Vulnerabilities of individual Internet
applications are the subject of chapter eight, but many concerns
mentioned are more potential than actual (and thus difficult to defend
against) while a good deal of the content (including a complete, ten
page Perl script) is repeated from earlier chapters.  "Setting Up a
Firewall Security Policy," in chapter nine, is much broader, touching
on many security topics that may have little or nothing to do with
firewalls.  An example is the information on viruses, which is
generally trite.  The overview of antiviral software betrays no
knowledge of activity monitoring or change detection classes of
programs.  The recommended protection procedure suggests copying
downloaded programs to a floppy disk rather than the hard disk, which
is both useless (malicious software invoked from floppy will generally
happily destroy data on your hard drive) as well as being impractical
in these days of enormous packages.  The more effective approach would
involve a type of firewall: an isolated machine that could download
software and test it before the programs were used on production
machines.  Chapter ten is supposed to address issues of design and
implementation, but deals primarily with considerations for evaluation
of specific products.  The question of design is made more problematic
by the fact that the second major type of firewall Goncalves proposes,
an application gateway, while first mentioned in chapter seven, is not
defined until chapter eleven as a more generic form of a proxy server,
which is itself first mentioned in chapter five but not described
until this point.  Chapter twelve covers basic auditing of the
firewall, while chapter thirteen promotes the TIS Internet Firewall
Toolkit and offers three ludicrously short "case studies."

Part three is chapter fourteen, which lists firewall vendors and
products.  Descriptions of the products are extensive, and sometimes
technically detailed, but it is difficult to call them evaluations,
since there is little analysis of strengths and weaknesses.  It is
also hard to make comparisons, since there is little similarity of
format in the entries.  Appendix A is a collection of vendor contact
information.

Goncalves' writing on any given section is quite readable. 
Explanations are clear and illustrations can even be amusing.  At
times it seemed that the material was moving into common traps and
misconceptions, but ultimately the analysis is generally balanced and
realistic.  However, in some cases there is an apparent contradiction
between one paragraph and the next.  The incongruity disappears on
more rigorous scrutiny, but the text can be startling.  In addition,
the structure of the book, both overall and within individual
chapters, leaves something to be desired.  It can be difficult to
follow developing concepts, and also to use the book as a reference by
going back to specific topics to pick up particular points.

As an adjunct to Cheswick and Bellovin's "Firewalls and Internet
Security" (cf. BKFRINSC.RVW) or Chapman and Zwicky's more practical
"Building Internet Firewalls" (cf. BKBUINFI.RVW), this work does have
useful information.  As a reference or introduction it falls short.

copyright Robert M. Slade, 1998   BKFWCMPL.RVW   980315


