OpenBSD Journal

[BookReview] Building Internet Firewalls

Contributed by Dengue on from the packets-ports-and-sockets dept.

This has been one of the slowest news weeks on record. I guess that's good, since work has kept me really busy with performance testing and debugging db2 and websphere problems. I had a chance recently to spend a lot of time in a hospital waiting room reading O'Reilly's Building Internet Firewalls , and this looks like as good a time as any for a book review.

Building Internet Firewalls
By Elizabeth D. Zwicky, Simon Cooper, and D. Brent Chapman
Copyright © 2000 O'Reilly & Associates, Inc.
ISBN 1-56592-871-7
$65.95 CAN, $44.95 US
869 pages

This is not a new book, first appearing in print in April of 1995, now updated and on it's second edition. To be honest, I didn't really feel this book would offer me much after all, I am comfortable writing ipfilter rules and since I use OpenBSD for everything , I don't have to do much in the way of OS hardening. I was wrong, Building Internet Firewalls is about much more than just firewalls. In fact, you have to go quite a ways into the book before you actually get to the nuts and bolts of firewall building. Building Internet Firewalls focuses primarily on Unix systems, with occasional sections focusing on WinNT/2k, and a chapter dedicated to Windows NT/2000 bastion hosts. Though it provides useful information on hardening Windows machines, this is not a good sole resource for you if your firewall runs on NT.

Part I Network Security provides an excellent overview of security principals, and is recommended reading for everyone who might be involved in a firewall project. In Chapter 1, you are faced with questions that are key to creating a successful security strategy. Chapter 3 does an effective job of describing security strategies and terminologies to everyone who might be involved in the firewall project.

Part II Building Firewalls provides system administrators and technical leads with a high-level view of the information they will need to make intelligent choices. The IP protocol is covered, along with a description of common attack methods based on low-level protocol details. Firewall architecture and technology chapters provide information useful to system archtects. These sections are excellent as well for management types who may not understand exactly where some of the requirements you are developing come from.

Of particular note to system administrators are the chapters on preparing bastion hosts. If you are less than intimately familiar with the platforms you administer, I highly recommend this series of chapters.

Part III Internet Services , systematically covers application protocols providing advice on the packet filtering and proxying characteristics of each service, along with specific information on how to secure each service further to prevent abuse. At the end of discussion of each application protocol, a summary of recommendations is presented.

Part IV Keeping Your Site Secure is geared more towards policy wonks, and provides a description of how to put together a security policy, what that policy should contain, and how it should be enforced.

Building Internet Firewalls is a well organized comprehensive resource, I have provided a complete chapter listing to pique your interest.

  1. Network Security
    1. Why Internet Firewalls?
    2. Internet Services
    3. Security Strategies
  2. Building Firewalls
    1. Packets and Protocols
    2. Firewall Technologies
    3. Firewall Architectures
    4. Firewall Design
    5. Packet Filtering
    6. Proxy Systems
    7. Bastion Hosts
    8. Unix and Linux Bastion Hosts
    9. Windows NT and Windows 2000 Bastion Hosts
  3. Internet Services
    1. Internet Services and Firewalls
    2. Intermediary Protocols
    3. The World Wide Web
    4. Electronic Mail and News
    5. File Transfer, File Sharing, and Printing
    6. Remote Access to Hosts
    7. Real-Time Conferencing Services
    8. Naming and Directory Services
    9. Authentication and Auditing Services
    10. Administrative Services
    11. Databases and Games
    12. Two Sample Firewalls
  4. Keeping Your Site Secure
    1. Security Policies
    2. Maintaining Firewalls
    3. Responding to Security Incidents
  5. Appendixes
    1. Resources
    2. Tools
    3. Cryptography

Building Internet Firewalls is an excellent resource. It provides a comprehensive overview of the security process. The detailed descriptions, and summary of recommendations of application protocols alone make it outstanding for firewall administrators. This is a book that is useful on many levels, and by many people within an organization.

(Comments are closed)

  1. By BluNereid () on

    Well, that book sounds good. I will have to pick that up later. Right now, I am reading "Hack Proofing you Network." It's pretty good so far. I will have to do a book review when I am finished.

    Also, has anybody else read O'Reilly's "Building Internet Firewalls" and what did they think?


    1. By Steve Tremblett () on

      I bought it last night, and on my first skim over the book I'd have to agree %100 - a fantastic resource - very comprehensive content. Everything you would expect from an O'Reilly title.

    2. By JC () on

      I agree with the review author. It is an excellent resource. I had the 1st edition as well and lost it along the way somehow. I cannot count how many times I have referred someone to this book for an explanation of active vs. passive ftp. Very informative for any fw ruleset configuration, and there are good bits of network security info throughout.

    3. By Douglas B () NoEmailPlease@Localhost on mailto:NoEmailPlease@Localhost

      I've owned the 1st ed. of the O'Reilly book for a number of years now; it's dog-eared from re-readings. Highly recommended, no matter what hardware (including embedded systems) or OS you use. Great fundamental explanation of all the pieces of the puzzle.

      I read the Sonnenheim ( book last week, and it too is excellent--a companion to the Zwicky book. It was the "last straw" in getting me to use OpenBSD instead of Linux. It's strength is not only the review of the pieces of the puzzle, but also the practical How-To's of actually installing and configuring a system.

      Bonus is the scripts -- the web site at is good too.

      You may also want to check out the New Riders book
      "Linux Firewalls" by Robert Ziegler. Though his preferred OS may be different than yours, there's still a lot of meaty stuff. Besides, anyone with ties to Wisconsin (he's a UW-Madison grad) deserves a plug.

      1. By Nicolas Herry () on

        It is for sure a very good book, but since the implementation of packet filtering changes quite often in the Linux kernel, it is like all the other books dealing with that : it gets out of date quite fast.

  2. By Christopher Hylarides () on

    One really good book that got me started with OpenBSD is "Building Linux and OpenBSD firewalls."
    It a great resource to getting started with OpenBSD and they keep up to date via
    I think I'm gonna get this book too. I'm always looking to expand my services w/o compromising security. Somthing that is all to common in the real world.

    1. By BluNereid () on

      I've actually bought this book already. I've just looked at it a bit. It looks pretty good so far. I think I will read it after I finish "Hack proofing your network." I assume it will be a good resource for ipf, other than the howto at

      1. By james phillips () dengue@ on file:/dev/null

        Keep in mind, I believe that book used OpenBSD 2.5 as for it's examples. If you are in doubt about filter rule syntax, I'd accept the ipf howto as definitive.

        1. By Randy Kyrk () on

          The book is written for OpenBSD 2.5, but updates for this is at Excellent book and excellent site.

          1. By Christopher Hylarides () on

            Ya, i was so suprised that they still keep that site up to date. one of the few good places on the net to get OpenBSD scripts.


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]