BKFWCMGD.RVW 20000517

"Firewalls: A Complete Guide", Marcus Goncalves, 2000, 0-07-135639-8, U$54.95
%A Marcus Goncalves goncalves@process.com goncalves@arcweb.com
%C 300 Water Street, Whitby, Ontario L1N 9B6
%D 2000
%G 0-07-135639-8
%I McGraw-Hill Ryerson/Osborne
%O U$54.95 800-565-5758 fax: 905-430-5020
%P 678 p. + CD-ROM
%T "Firewalls: A Complete Guide"

Despite the change of name, this is not just essentially the second edition of "Firewalls Complete" (cf. BKFWCMPL.RVW), it is identical, right down to the price. While there is a large amount of information in this book, and a particularly valuable compilation of vendor data, I am not sure that I can agree with the claim to be complete, even though the preface says it has been expanded. (The only specific expansion mentioned involves protocols.) It is difficult to point out particular gaps in the work, since the whole volume could still use a thorough reorganization.

Part one has been renamed to reflect the emphasis on TCP/IP. Chapter one deals with the TCP/IP suite of protocols. It does address protocol related weaknesses, but the protocols and attacks are not related, appearing in disorganized and even random material. Some attacks are described incorrectly, and sections even seem to contradict each other, such as the text emphasizing login controls and then discussing IP spoofing, which takes over legitimate logins. This appears to set the stage for a technical treatment of the subject. Networking details continue in chapter two with an overview of the various connection methods over the net. I am always delighted to get more information about new Kermit products, but I would sympathize with any reader who was confused about what this material may have to do with firewalls. Encryption gets a brief review in chapter three. The content gets the basics across, but is of uneven depth between topics. Chapter four does start to provide security, and specifically firewall, related information in regard to the Web, but also includes a ten page CGI script that might be less useful. The data is good, but seems to be somewhat random and unstructured. Advanced Web security areas (including a more detailed examination of ActiveX vulnerabilities) are found in chapter five. Chapter six looks at much the same material.

Firewall technologies, implementations, and limitations are discussed in part two. Chapter seven attempts to define firewalls and describe firewall technologies. The discussion of firewall types has been expanded, but is still confused. The chapter also suffers from duplicate sentences and even paragraphs, and obviously could have used another copy edit. Vulnerabilities of individual Internet applications are the subject of chapter eight, but many concerns mentioned are more potential than actual (and thus difficult to defend against) while a good deal of the content (including yet another complete, ten page Perl script, this one a version from three years before the first) is repeated from earlier chapters.

"Setting Up a Firewall Security Policy," in chapter nine, is much broader, touching on many security topics that may have little or nothing to do with firewalls. An example is the information on viruses, which is generally trite. The overview of antiviral software betrays no knowledge of activity monitoring or change detection classes of programs. The recommended protection procedure suggests copying downloaded programs to a floppy disk rather than the hard disk, which is both useless (malicious software invoked from floppy will generally happily destroy data on your hard drive) as well as being impractical in these days of enormous packages. The more effective approach would involve a type of firewall: an isolated machine that could download software and test it before the programs were used on production machines.

Chapter ten is supposed to address issues of design and implementation, but deals primarily with considerations for evaluation of specific products, as well as some suggestions for what to do once you've been hit. The question of design is made more problematic by the fact that the second major type of firewall Goncalves proposes, an application gateway, while first mentioned in chapter seven, is not defined until chapter eleven as a more generic form of a proxy server, which is itself first mentioned in chapter five but not described until this point. Chapter twelve covers basic auditing of the firewall, while chapter thirteen mentions a few firewall products.

Part three is chapter fourteen, which lists firewall vendors and products. Descriptions of the products are extensive, and sometimes technically detailed, but it is difficult to call them evaluations, since there is little analysis of strengths and weaknesses. It is also hard to make comparisons, since there is little similarity of format in the entries. Appendix A is a collection of vendor contact information.

Goncalves' writing on any given section is quite readable. Explanations are clear and illustrations can even be amusing. At times it seemed that the material was moving into common traps and misconceptions, but ultimately the analysis is generally balanced and realistic. However, in some cases there is an apparent contradiction between one paragraph and the next. The incongruity disappears on more rigorous scrutiny, but the text can be startling. In addition, the structure of the book, both overall and within individual chapters, leaves something to be desired. It can be difficult to follow developing concepts, and also to use the book as a reference by going back to specific topics to pick up particular points.

As an adjunct to Cheswick and Bellovin's "Firewalls and Internet Security" (cf. BKFRINSC.RVW) or Chapman and Zwicky's more practical "Building Internet Firewalls" (cf. BKBUINFI.RVW), this work does have useful information. As a reference or introduction it falls short.

copyright Robert M. Slade, 1998, 2000 BKFWCMGD.RVW 20000517