BKFWCMPL.RVW 980315 "Firewalls Complete", Marcus Goncalves, 1998, 0-07-024645-9, U$54.95 %A Marcus Goncalves goncalves@process.com %C 300 Water Street, Whitby, Ontario L1N 9B6 %D 1998 %G 0-07-024645-9 %I McGraw-Hill Ryerson/Osborne %O U$54.95 800-565-5758 fax: 905-430-5020 louisea@McGrawHill.ca %P 632 p. + CD-ROM %T "Firewalls Complete" While there is a large amount of information in this book, and a particularly valuable compilation of vendor data, I am not sure that I can agree with the claim to be complete. It is difficult to point out specific gaps in the work, since the whole volume could use a thorough reorganization. Part one is described as a reference section. Chapter one, rather oddly for a security book, deals not with security, but with the TCP/IP suite of protocols. This appears to set the stage for a technical treatment of the subject. Networking details continue in chapter two with an overview of the various connection methods over the net. I am always delighted to get more information about new Kermit products, but I would sympathize with any reader who was confused about what this material may have to do with firewalls. Encryption gets a brief review in chapter three. The content gets the basics across, but is of uneven depth between topics. Chapter four does start to provide security, and specifically firewall, related information in regard to the Web. The data is good, but seems to be somewhat random and unstructured. Advanced Web security areas (including a more detailed examination of ActiveX vulnerabilities) is found in chapter five. Chapter six looks at specific programming problems with the standard net APIs (Applications Programming Interfaces) but does not address firewall responses. Firewall technologies, implementations, and limitations are discussed in part two. Chapter seven attempts to define firewalls and describe firewall technologies, but concentrates almost exclusively on packet filtering aspects. Vulnerabilities of individual Internet applications are the subject of chapter eight, but many concerns mentioned are more potential than actual (and thus difficult to defend against) while a good deal of the content (including a complete, ten page Perl script) is repeated from earlier chapters. "Setting Up a Firewall Security Policy," in chapter nine, is much broader, touching on many security topics that may have little or nothing to do with firewalls. An example is the information on viruses, which is generally trite. The overview of antiviral software betrays no knowledge of activity monitoring or change detection classes of programs. The recommended protection procedure suggests copying downloaded programs to a floppy disk rather than the hard disk, which is both useless (malicious software invoked from floppy will generally happily destroy data on your hard drive) as well as being impractical in these days of enormous packages. The more effective approach would involve a type of firewall: an isolated machine that could download software and test it before the programs were used on production machines. Chapter ten is supposed to address issues of design and implementation, but deals primarily with considerations for evaluation of specific products. The question of design is made more problematic by the fact that the second major type of firewall Goncalves proposes, an application gateway, while first mentioned in chapter seven, is not defined until chapter eleven as a more generic form of a proxy server, which is itself first mentioned in chapter five but not described until this point. Chapter twelve covers basic auditing of the firewall, while chapter thirteen promotes the TIS Internet Firewall Toolkit and offers three ludicrously short "case studies." Part three is chapter fourteen, which lists firewall vendors and products. Descriptions of the products are extensive, and sometimes technically detailed, but it is difficult to call them evaluations, since there is little analysis of strengths and weaknesses. It is also hard to make comparisons, since there is little similarity of format in the entries. Appendix A is a collection of vendor contact information. Goncalves' writing on any given section is quite readable. Explanations are clear and illustrations can even be amusing. At times it seemed that the material was moving into common traps and misconceptions, but ultimately the analysis is generally balanced and realistic. However, in some cases there is an apparent contradiction between one paragraph and the next. The incongruity disappears on more rigorous scrutiny, but the text can be startling. In addition, the structure of the book, both overall and within individual chapters, leaves something to be desired. It can be difficult to follow developing concepts, and also to use the book as a reference by going back to specific topics to pick up particular points. As an adjunct to Cheswick and Bellovin's "Firewalls and Internet Security" (cf. BKFRINSC.RVW) or Chapman and Zwicky's more practical "Building Internet Firewalls" (cf. BKBUINFI.RVW), this work does have useful information. As a reference or introduction it falls short. copyright Robert M. Slade, 1998 BKFWCMPL.RVW 980315