Inside Network Perimeter Security (2nd Edition) Review by Richard Bejtlich

Four stars if reorganized and distilled, five if updated

I first looked at Inside Network Perimeter Security, 2nd Ed (INPS:2E) for my blog in May 2005. I decided to try reading it this week because I've been reading books on related topics. Individually, the INPS:2E authors largely know their craft. Unfortunately, the book is so poorly organized and diffused that I don't know why other reviewers rate it so highly. Furthermore, the choice of material covered and certain recommendations drag the book down. A third edition might be promising, but I recommend avoiding INPS:2E.

On the macro level, I question the ordering of the book's parts. It's best to lead with definitions, policy, and design, but that doesn't happen here. Part I is mostly about firewalls, with a chapter about policy at the end (Ch 5). Fundamentals of Secure Perimeter Design (Ch 12) appears in Part III (Designing a Secure Network Perimeter). Another design chapter (Ch 23) pops up in Part IV. This makes no sense. The book should have been divided into Theory / Implementation / Processes or some other rational system, with all related material in the proper place.

For example, the operation of FTP (control vs data channels, active vs passive FTP, etc.) is separated into three chapters (2, 3, and 4). FTP should have been explained early in one place, then referenced later. Host IPS appears as part of Ch 11, when it should have been in Ch 10 (Host Defense Components). VPNs appear in Ch 7 and again in Ch 16. TCP state is explained in Ch 3 (Stateful Firewalls), when it should have been covered in Ch 2 (Packet Filtering) or in a different and earlier section. Yet another firewall -- Pf -- isn't shown until Ch 10 (which covers host defense). Ch 6 (The Role of a Router) covers routers, but Ch 2 mostly covered using routers for filtering.

Beyond organization, the book's choice of technical material is sometimes questionable. INPS:2E spends a good deal of time on reflexive ACLs, even though Cisco recommends using CBAC instead. INPS:2E mentions CBAC but gives no implementation details. Worse, the extrusion RACL suggestion on p 51 allows outbound FTP control (port 21 TCP) but makes no provision for FTP data channels. Ch 19 promotes the virtues of Big Brother, a monitoring tool that's been declining for years since its acquisition. Nagios should have been covered instead. When I also see discussions of IPChains (Ch 2) and FWTK (Ch 4), I question the relevancy of the text.
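To make the reviewer's FTP point concrete, here is a constructed Cisco IOS fragment (added for this page; it is not the configuration printed on p 51 of the book) contrasting a reflexive ACL that permits only the outbound control channel with the CBAC inspection the reviewer says should have been shown. Interface and list names are assumptions.

```cisco
! --- Weak form: reflexive ACL that tracks only the control channel ---
! Outbound: allow the client -> server:21 control session and mirror it.
ip access-list extended OUTBOUND
 permit tcp any any eq 21 reflect FTP-CTRL timeout 300
 deny   ip any any log
! Inbound: only the mirrored tuple (server:21 -> client:ephemeral) matches.
ip access-list extended INBOUND
 evaluate FTP-CTRL
 deny    ip any any log
interface Serial0/0
 ip access-group OUTBOUND out
 ip access-group INBOUND  in
! Why this breaks FTP:
!  - Active mode: the server opens server:20 -> client:ephemeral. No
!    reflexive entry exists for that tuple, so INBOUND denies it.
!  - Passive mode: the client opens client:ephemeral -> server:ephemeral.
!    OUTBOUND permits only dst port 21, so the data channel is denied.
! Users see "425 Can't open data connection" even though login succeeds.

! --- Corrected form: CBAC parses the control channel and opens the
!     matching data channel dynamically, in either mode ---
ip inspect name PERIM ftp
ip access-list extended INBOUND
 deny ip any any log
interface Serial0/0
 ip inspect PERIM out
 ip access-group INBOUND in
! CBAC inserts temporary entries for PORT/PASV negotiated data channels
! and removes them when the session closes, so INBOUND can stay deny-all.
```

Verifying the fix means watching `show ip inspect sessions` while a test client performs a directory listing in both active and passive mode; a dropped listing with a successful login is the signature of the data-channel gap the reviewer describes.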

Despite these problems, most of the book's technical recommendations are sound. I found fault with a few suggestions, e.g. "a good way to improve security is to disable SSID broadcasts on all wireless access points" (p 364). I did like the tip on changing Windows MAC addresses on p 365.

If a third edition is planned, I would like to see a ground-up rewrite. A lead author should plan the chapters of the book, including a rough outline of each chapter's contents. Experts can work within that framework, and then have the lead author edit for consistency and coherency. As it stands, INPS:2E reads more like a collection of disparate thoughts loosely bound by a network security theme. If the existing material were rewritten with clarity and structure in mind, the book would probably be 350-400 pages (not 660).

Richard Deal's Cisco Router Firewall Security, while Cisco-centric, is a better book on this subject. The older Security Sage's Guide to Hardening the Network Infrastructure is helpful. Sean Convery's Network Security Architectures might be the best of all.