[svlug] Firewalls and Internet Security

[Rick Moen]

Quoting Skip Evans (skip at bigskypenguin.com):

> Just wanted to ask you about the book you recommended, Firewalls and
> Internet Security, by William R. Cheswick and Steven M. Bellovin.
[...]
> it is true that even the first edition, published in 1994, will have
> plenty of good info for someone as green to the subject as me?

Yes -- because the important things in that book are timeless, and are 
what made it worth reading in the first place.  Let me just quote
something I posted as part of a response, some time last year, to a user
who'd written to Linux Gazette's "The Answer Gang" about security issues
(and yes, my remarks concern Cheswick & Bellovin's first edition):


[...]
Now, getting back to the big picture, I've always taken something of a
zero-based approach to 'Nix security, partly because Cheswick and
Bellovin's seminal _Firewalls and Internet Security: Repelling the Wily
Hacker_ book made quite an impression on me, early on.  Unlike many
other such books, theirs starts with key principles of security rather
than just technique -- such as these:

o  There is no such thing as absolute security.
o  Security is always a matter of economics.
o  Keep the level of all of your defences at about the same height.
o  An attacker doesn't go through security, but around it.
o  Put your defences in layers.
o  It's a bad idea to rely on 'security through obscurity'.
o  Keep it simple.
o  Don't give a person or a program any more privileges than 
   those necessary to do the job.
o  Programming is hard.
o  Security should be an integral part of the original design.
o  If you do not run a program, it does not matter if it has security holes.
o  A program or protocol is insecure until proven secure.
o  A chain is only as strong as its weakest link.
o  Security is a tradeoff with convenience.
o  Don't underestimate the value of your assets.

In my own deployments, I never _had_ a separate "firewall", so I always,
of necessity, attempted to apply Cheswick and Bellovin's principles at
the level of each host:  This turned out to be a Very Good Thing, as 
it inculcates good habits and tends to encourage "layered" defence
tactics.

When I started building and deploying my own BSD and Linux hosts -- and
putting them directly on the Internet, by the way -- I was horrified 
at how poorly the default installs measured up against Cheswick and
Bellovin's criteria:  Linux distros in general through about the time of
Red Hat 6.x tended to be lit up like a Christmas tree with attackable 
daemons, generally poorly selected and overfeatured ones.

Thus my zero-based strategy -- which had the additional advantage of
being an excellent learning strategy:  If I didn't know absolutely for
certain why I was running a process, _any_ process, and why I genuinely
needed it, I simply killed it.  If it was essential, I'd find out.  If
nothing bad happened, then obviously it wasn't necessary.  

I also, bearing in mind Cheswick and Bellovin's dicta about simplicity
and minimum privilege, considered alternatives:  Was it necessary for 
my RH 4.2 box to run specifically wu-ftpd, when all I wanted to offer
the public was anonymous-only incoming ftp?  (wu-ftp was and is both
notoriously bad spaghetti code and grossly overfeatured.)  No, it turned
out that there were better, faster, smaller, more easily audited ftp
daemons that didn't aspire to deliver the kitchen sink.
[...]