Review: Linux Firewalls
Posted by Administrator   
Book Reviews

Security is at the forefront of everyone's mind, and a firewall can be an integral part of your Linux defense. But is Michael Rash's "Linux Firewalls," the newest release from No Starch Press, up to the challenge? Eckie S. here at LinuxSecurity.com gives you the low-down on this newest addition to the Linux security resource library and why it is one of the best ways to crack down on attacks against your Linux network.


Vitals:

Title: Linux Firewalls
Author: Michael Rash
Pages: 281
ISBN-10: 1-59327-141-7
ISBN-13: 978-1-59327-141-1
Publisher: No Starch Press
Edition: 1st Edition
Purchase: No Starch Press: Firewalls

Overview:

"Linux Firewalls" by Michael Rash is an answer to the one true constant in life: change. An attacker looking to compromise a target is like a boxer constantly probing for openings from every angle. In 2007, attackers have sidestepped the operating system and are jabbing straight at end-user applications. A new attack approach calls for a solid defensive measure to match it.

Rash's book provides a concise yet detailed look at applying firewalls on Linux. The reader gains an understanding of host- and network-based firewalls and a chance to implement them through clear examples. A variety of both common and bleeding-edge attacks are analyzed and broken down to their essentials. Along with the installation, configuration, and deployment of firewalls, Rash shows how to visualize logs and traffic so the reader gains a better understanding of what is actually crossing the wire. This book is intended for readers who already have experience with Linux and iptables, at least to the level of basic installation and administration. Those who have no idea what the kernel is will find this book beyond the scope of what they need.

Review Summary:

The first chapter of "Linux Firewalls" provides the reader with the basics of iptables, from installation and configuration through to deployment. Rash goes over concepts such as packet filtering, tables, and chains with concise examples.

There are even kernel build specifics for the home kernel brewers! This chapter is a good introduction for those wanting to know more about iptables administration and the basics of testing a policy before relying on it.

Chapters two through four cover layers three, four, and seven of the OSI Reference Model, respectively. The second chapter deals with a variety of network layer attacks and their defenses. Readers learn the basics of logging packet header information and get a deeper look under the ICMP hood. Attack classes such as header abuse, network stack exploits, and bandwidth saturation are analyzed and then countered with filtering responses.

Chapter three provides a good explanation of transport layer attack classes such as connection resource exhaustion, header abuse, and transport stack exploits. Need to read up on the different types of port scans that can hit your system and how to respond properly? This chapter is for you!

Chapter four deals with application layer attacks and will be of most interest to any web developers wanting to know the do's and don'ts of application design. Learn how to use the iptables string match extension against malicious data aimed at your application, and combine firewall rules with Snort signatures to counter buffer overflow and SQL injection attempts!

Chapters five through eight provide a look into the Port Scan Attack Detector (psad). The chapters read almost like a mini-book, giving the reader the means to install, configure, and deploy psad. System administrators will appreciate the configuration examples as well as the coverage of integrating psad with syslog and email alerts. Forensics enthusiasts will want to read chapter seven for its emphasis on OS fingerprinting and signature matching. Many readers will find chapter eight the most interesting, as Rash explains how to respond actively to attacks with psad, including responses to SYN scans, Nmap version scans, and anyone attempting to spoof a scan. Finally, in keeping with the *nix tradition, Rash provides ways to integrate psad with third-party tools and the command line.
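To make the port scan detection idea from chapters three and five through eight concrete, here is an added example that is not code from the book or from psad: it parses iptables LOG lines, counts how many distinct destination ports each source hits inside a time window, and maps that count to a danger level. The log lines, the hostname "fw", the assumed log year and the danger-level cut-offs are all constructed for the example; psad's real thresholds come from its configuration.

```python
"""psad-style port scan detection over iptables LOG lines.

Added example for this review, not psad's own code.  It parses the kernel's
iptables LOG output, tracks how many distinct destination ports each source
hits inside a sliding time window, and maps that count to a danger level.
The log lines, thresholds, hostname "fw" and the assumed log year (2007)
are all constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

_FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")
_STAMP = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)")
LOG_YEAR = 2007   # syslog stamps carry no year; assumed for the sample

# Constructed sample: 10.0.0.99 probes seven ports in three seconds,
# 10.0.0.7 just retries SSH twice, then the scanner returns much later.
SAMPLE_LOG = """\
Nov  1 15:44:01 fw kernel: DROP IN=eth0 OUT= SRC=10.0.0.99 DST=10.0.0.1 LEN=44 TTL=64 PROTO=TCP SPT=40001 DPT=21 SYN
Nov  1 15:44:01 fw kernel: DROP IN=eth0 OUT= SRC=10.0.0.99 DST=10.0.0.1 LEN=44 TTL=64 PROTO=TCP SPT=40002 DPT=22 SYN
Nov  1 15:44:01 fw kernel: DROP IN=eth0 OUT= SRC=10.0.0.99 DST=10.0.0.1 LEN=44 TTL=64 PROTO=TCP SPT=40003 DPT=23 SYN
Nov  1 15:44:02 fw kernel: DROP IN=eth0 OUT= SRC=10.0.0.99 DST=10.0.0.1 LEN=44 TTL=64 PROTO=TCP SPT=40004 DPT=25 SYN
Nov  1 15:44:02 fw kernel: DROP IN=eth0 OUT= SRC=10.0.0.99 DST=10.0.0.1 LEN=44 TTL=64 PROTO=TCP SPT=40005 DPT=80 SYN
Nov  1 15:44:02 fw kernel: DROP IN=eth0 OUT= SRC=10.0.0.99 DST=10.0.0.1 LEN=44 TTL=64 PROTO=TCP SPT=40006 DPT=443 SYN
Nov  1 15:44:03 fw kernel: DROP IN=eth0 OUT= SRC=10.0.0.99 DST=10.0.0.1 LEN=44 TTL=64 PROTO=TCP SPT=40007 DPT=3306 SYN
Nov  1 15:44:30 fw kernel: DROP IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.1 LEN=44 TTL=64 PROTO=TCP SPT=50001 DPT=22 SYN
Nov  1 15:45:10 fw kernel: DROP IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.1 LEN=44 TTL=64 PROTO=TCP SPT=50002 DPT=22 SYN
Nov  1 15:46:00 fw kernel: DROP IN=eth0 OUT= SRC=10.0.0.99 DST=10.0.0.1 LEN=44 TTL=64 PROTO=TCP SPT=40008 DPT=8080 SYN
"""


def parse_line(line):
    """Return {ts, src, dst, proto, dpt} for a TCP/UDP LOG line, else None."""
    m = _STAMP.match(line)
    if not m:
        return None
    fields = dict(_FIELD.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None            # ICMP lines carry no DPT and are skipped here
    ts = datetime.strptime(f"{LOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": fields["SRC"], "dst": fields["DST"],
            "proto": fields["PROTO"], "dpt": int(fields["DPT"])}


def detect_scans(log_text, window_seconds=60, port_threshold=5):
    """Map each scanning source to the most distinct ports it hit within any
    window_seconds span; sources below port_threshold are not reported."""
    recent = defaultdict(list)          # src -> [(ts, dpt), ...] in window
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        hist = recent[ev["src"]]
        hist.append((ev["ts"], ev["dpt"]))
        cutoff = ev["ts"] - timedelta(seconds=window_seconds)
        hist[:] = [(t, p) for t, p in hist if t >= cutoff]   # expire old hits
        distinct = len({p for _, p in hist})
        if distinct >= port_threshold:
            alerts[ev["src"]] = max(alerts.get(ev["src"], 0), distinct)
    return alerts


def danger_level(distinct_ports):
    """Map a distinct-port count to a 0..5 danger level.  The cut-offs are
    this example's own; psad's levels are set in its configuration."""
    for level, minimum in ((5, 100), (4, 50), (3, 20), (2, 10), (1, 5)):
        if distinct_ports >= minimum:
            return level
    return 0


if __name__ == "__main__":
    for src, ports in detect_scans(SAMPLE_LOG).items():
        print(f"{src}: {ports} distinct ports, danger level {danger_level(ports)}")
```

Run against the sample, only 10.0.0.99 is reported (seven ports inside one window); the two SSH retries from 10.0.0.7 never cross the threshold, and the scanner's lone return visit at 15:46 falls outside the window, so it does not inflate the count. A real deployment feeds this from the LOG target's syslog output, which is exactly the data psad consumes.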

As a reviewer I found chapters nine through eleven the most interesting, as Rash builds an active defense against attacks through the combination of iptables and fwsnort. There is an excellent overview of target-based intrusion detection and network layer defragmentation. Readers will be able to install, configure, and deploy fwsnort as a complement to their iptables policy. Command line options are explained, bleeding-edge attacks are countered, and the reader will even be able to set up whitelists and blacklists.
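Chapters four and nine through eleven both turn on the same trick, so here is one added example for both, written for this review rather than taken from the book or from fwsnort: a minimal translator from a Snort-style content rule to an iptables rule built on the string match extension. It handles only the core mapping (the rule header becomes protocol, address and port matches; each content: option becomes a -m string clause; |xx| hex segments go to --hex-string); fwsnort's real output also deals with flow state, offset and depth, its own chains and more. The sample rule, its sid and the address variables are constructed.

```python
"""Translate Snort-style content rules into iptables string-match rules.

Added example in the spirit of fwsnort; it is not fwsnort's code and covers
only the core mapping the chapters describe (a Snort content: match becomes
an iptables -m string match).  The rule text, sid and addresses are
constructed for the example.
"""
import re
import shlex

_HEADER = re.compile(
    r"^(?P<action>alert|log|pass|drop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$")
# option name, optional ':' value (quoted, or up to the next ';'), then ';'
_OPT = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 '
               '(msg:"WEB-MISC /etc/passwd access attempt"; '
               'flow:to_server,established; content:"/etc/passwd"; nocase; '
               'classtype:attempted-recon; sid:1000001; rev:1;)')
SAMPLE_VARS = {"$EXTERNAL_NET": "any", "$HTTP_SERVERS": "10.0.0.1"}


def parse_rule(rule):
    """Split a rule into its header fields and its options."""
    m = _HEADER.match(rule.strip())
    if not m:
        raise ValueError("unsupported rule header: " + rule)
    header = m.groupdict()
    opts = {"contents": [], "nocase": False}
    for name, value in _OPT.findall(header.pop("opts")):
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if name == "content":
            opts["contents"].append(value)
        elif name == "nocase":
            opts["nocase"] = True     # simplification: applies to every content
        else:
            opts[name] = value
    return header, opts


def _arg(flag, spec, variables):
    """Expand a $VAR, drop 'any', otherwise emit ' <flag> <value>'."""
    spec = variables.get(spec, spec)
    return "" if spec == "any" else f" {flag} {spec}"


def snort_to_iptables(rule, chain="INPUT", variables=None):
    """Return one iptables command whose -m string clauses must all match
    (Snort content: options are ANDed, and so are multiple -m string)."""
    variables = variables or {}
    header, opts = parse_rule(rule)
    if not opts["contents"]:
        raise ValueError("no content: option; nothing for -m string to match")
    cmd = (f"iptables -A {chain} -p {header['proto']}"
           + _arg("-s", header["src"], variables)
           + _arg("-d", header["dst"], variables))
    if header["proto"] in ("tcp", "udp"):
        cmd += _arg("--sport", header["sport"], variables)
        cmd += _arg("--dport", header["dport"], variables)
    for content in opts["contents"]:
        # Snort |xx yy| hex segments map onto --hex-string, which accepts the
        # same |..| notation; plain text goes to --string.
        flag = "--hex-string" if "|" in content else "--string"
        cmd += f" -m string --algo bm {flag} {shlex.quote(content)}"
        if opts["nocase"]:
            cmd += " --icase"
    prefix = shlex.quote("SID" + opts.get("sid", "0") + " ")
    return cmd + f" -j LOG --log-prefix {prefix}"


if __name__ == "__main__":
    print(snort_to_iptables(SAMPLE_RULE, variables=SAMPLE_VARS))
```

Two caveats a practitioner should keep in mind, both of which the book's defragmentation and target-based detection material bears on: the string match sees one packet at a time, so a pattern split across IP fragments or TCP segments slips past a rule like this unless the traffic is reassembled first, and a match on a legitimate-looking string such as /etc/passwd in a URL is a signal, not proof, which is why the example emits a LOG target rather than a DROP. Swap the target to DROP or REJECT only after the logged matches have been reviewed.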

On a side note, Rash goes head to head with one of the more prominent exploit frameworks, Metasploit, by showing how to detect and block the framework's own update attempts. This is a good example of how a properly configured firewall can get in the way of even the latest exploit tooling.

Chapters twelve and thirteen look at single packet authorization (SPA) versus port knocking. These chapters are for anyone who wants to learn how other hosts behind the same NAT address can piggyback on an opened knock, and how keeping services invisible to Nmap and the target identification phase limits exposure to zero-day exploits. Rash also introduces fwknop (Firewall Knock Operator), the first port-knocking implementation to incorporate passive OS fingerprinting. Fwknop installation, configuration, and deployment are explained, along with its SPA mode of operation. Users will appreciate the explanation of the fwknop OpenSSH integration patch for more secure connections.
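To show why SPA is a step up from a knock sequence, here is an added example written for this review, not fwknop's code or wire format (fwknop encrypts its packet with Rijndael or GnuPG and its fields differ): the authentication core of an SPA exchange, with the client building one datagram's payload and the server verifying it, refusing stale packets, and refusing replays. The shared key, addresses and timestamps are made up for the example.

```python
"""Single packet authorization, reduced to its authentication core.

Added example, not fwknop's code.  A passive observer of a port knock
sequence can simply repeat it; an SPA packet instead carries a random
nonce and a timestamp, is bound to the requested access, and is
authenticated with an HMAC under a shared key the observer lacks.  Replaying
a captured packet therefore fails, and so does altering any field in it.
Key, addresses and times below are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import os
import time

SHARED_KEY = b"example-shared-key-not-for-real-use"   # assumed pre-shared
MAX_SKEW = 120          # seconds a packet stays valid (example value)


def build_spa_packet(key, client_ip, access, now=None):
    """Client side: the payload of the single UDP datagram requesting access."""
    body = {
        "nonce": base64.b64encode(os.urandom(16)).decode(),
        "ts": int(now if now is not None else time.time()),
        "src": client_ip,
        "access": access,            # e.g. "tcp/22"
    }
    raw = json.dumps(body, sort_keys=True).encode()
    mac = hmac.new(key, raw, hashlib.sha256).hexdigest()
    return raw + b"." + mac.encode()


def accept_rule(src, access):
    """iptables rule the server would insert (and later remove) on a grant."""
    proto, port = access.split("/")
    return f"iptables -I INPUT -s {src} -p {proto} --dport {port} -j ACCEPT"


class SpaServer:
    """Server side: verify the MAC, check freshness, reject replays, grant."""

    def __init__(self, key, max_skew=MAX_SKEW):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}        # nonce -> ts, kept only for a packet's lifetime
        self.granted = []     # (src, access) pairs that got an ACCEPT rule

    def handle(self, packet, now=None):
        now = now if now is not None else time.time()
        try:
            raw, mac = packet.rsplit(b".", 1)
        except ValueError:
            return "malformed"
        # Verify before parsing: forged input never reaches the JSON decoder.
        expected = hmac.new(self.key, raw, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, mac):
            return "bad-mac"             # wrong key, or a field was altered
        body = json.loads(raw)
        if abs(now - body["ts"]) > self.max_skew:
            return "stale"               # an old capture replayed later
        # Expired nonces are dropped so the replay cache stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        if body["nonce"] in self.seen:
            return "replay"              # same packet seen within its lifetime
        self.seen[body["nonce"]] = body["ts"]
        self.granted.append((body["src"], body["access"]))
        return "granted"


if __name__ == "__main__":
    server = SpaServer(SHARED_KEY)
    pkt = build_spa_packet(SHARED_KEY, "203.0.113.5", "tcp/22")
    print(server.handle(pkt))            # granted
    print(server.handle(pkt))            # replay
    for src, access in server.granted:
        print(accept_rule(src, access))
```

The design point is the order of checks: the MAC is verified before anything is parsed, the timestamp bounds how long a captured packet is worth anything, and the nonce cache only needs to remember packets inside that window. fwknop adds confidentiality on top of this by encrypting the whole request, and it removes the ACCEPT rule again after a timeout, which is what makes the service invisible to a scan in the first place.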

Chapter fourteen wraps up "Linux Firewalls" with a look at visualizing iptables logs. System administrators will enjoy this chapter as Rash introduces tools such as Gnuplot and AfterGlow to help them get a clearer picture of the traffic crossing their systems.

In conclusion, if you or anyone you know is responsible for keeping a network secure, "Linux Firewalls" is an invaluable resource to have by your side. You will gain a better understanding of attacks and of how to use iptables, psad, and fwsnort, all in the service of properly defending against and responding to attempted compromises.

Comments
How does it compare to Linux Firewalls? Written by Chris K on 2007-11-01 15:44:38
There is another book by the same name published by New Riders. The author is Robert Ziegler. Ziegler's book is also very good, although Rash's book may have more current information. Has anyone read both who can compare/contrast?
UNIX/Linux Systems Security Administrato Written by Joshua Gimer on 2007-11-02 12:03:26
I also had the privilege of reviewing this book. I use many of the tools that are described in the book on all of my production systems. This is a great read for anyone that is looking at a new approach to securing their systems, without using an outdated security approach.
Book Author Written by Michael Rash on 2007-11-03 21:32:13
In response to the first comment, Robert Ziegler's book has a lot of great information and is very detailed when it comes to discussing traditional firewall concepts (deployment architectures, policy management, UNIX sys admin issues, etc.). This is definitely a set of topics that needs to be covered in book form, and Ziegler's book accomplishes this. 
 
My book in contrast is focused on the actual attacks that can be detected with advanced iptables usage. For example, a central concept in my book is the application of the iptables string match extension to detect application layer attacks. Also, significant coverage is devoted to showing how iptables policies can emulate the Snort rule set with fwsnort, and how port scans and probes for backdoor programs can be detected with psad. This is a very different approach to security than Ziegler's book, and is more about intrusion detection with facilities provided by iptables than anything else. 
 
Thanks for reading.
