Linux Firewalls: Attack Detection and Response with iptables, psad and fwsnort
Author: Michael Rash
Publisher: No Starch Press
I think there’s no need to emphasize the significance of a firewall in the overall security architecture. Countless security professionals turn to Linux when it comes to deploying firewalls using open source tools and Michael Rash, the author of this book, is one of them.
When you open a book and you see a glowing foreword by Richard Bejtlich, expectations start to rise. Read on to see what you can find in this title.
About the author
Michael Rash is a security architect with Enterasys Networks, where he develops the Dragon intrusion and prevention system. He is a frequent contributor to open source projects and the creator of psad, fwknop, and fwsnort. Rash is an expert on firewalls, intrusion detection systems, passive OS fingerprinting, and the Snort rules language.
Inside the book
“Linux Firewalls” serves a considerable amount of information in its 14 chapters and 2 appendices.
Iptables is covered in detail as Rash guides you through the installation and administration. He manages to present the subject very comprehensibly and, what’s really important, only with relevant information. Practical details reveal themselves immediately as you are guided in the creation of a firewall configuration for a network comprised of several client machines and two servers.
When it comes to attacks and defenses, the network, transport and application layers are covered. You’ll be knee-deep in particulars about logging, spoofing, scanning, and much more.
Four chapters are dedicated to the Port Scan Attack Detector (psad) and you get all the juicy installation and configuration details. The author also presents more intricate topics such as port scan detection, alerts, reporting and attack response. Mentioned are also other relevant tools such as nmap, p0f and ipEye.
Rash illustrates why you should run fwsnort, a tool that translates Snort rules into equivalent iptables rules and guides you through a deployment with a myriad of other details. The practical aspect of the book continues and you see how fwsnort operates with specific real-world attacks. After all this material, the chapter that ties together a significant part of the book shows you how to combine fwsnort together with psad.
A firewall can generate a vast amount of data and visualizing iptables logs is a necessity for many. The author explains how to use Gnuplot and AfterGlow with psad in order to get a graphical depiction of iptables log data. You learn how to interpret data based on several examples.
At the very end of the book you find an appendix on attack spoofing as well as the explanation of a complete fwsnort.sh script.
Rash provides a plethora of details in every chapter and his examples are clear. Nevertheless, in order to get the most out of this book you’ll need some prior knowledge about Linux system administration and TCP/IP networking concepts.
Another detail worth noting about this book is the coherent layout that, in combination with clear typography, makes it effortless to browse and find what you need on the spot. The aboundance of code snippets, figures and tables enables the reader to grasp the material with ease.
If you want to master Linux firewalls get this title, it is outstanding.