
Book Review: Linux Firewalls – Attack Detection and Response with iptables, psad, and fwsnort by Michael Rash


Working in a university environment, one gets used to doing more with less. Security, particularly, seems to never get the budget it deserves though it has increased in recent years. For all their limitations, open-source tools are the vital lifeblood that makes IT work, and work securely, in academia.

Using Netfilter (commonly called iptables) for our firewalls has reduced costs while still providing stable and secure service to users. For some time, however, we have been looking to get more out of our firewalls, both in security and in the data they report. The syslog output is all fine and good, but no one is seriously going to review it without some application doing the heavy lifting of making the data presentable.

Linux Firewalls is a great resource in this regard. It provided insight and helpful information on tools that get the most out of iptables and add functionality on top of it. The book covers iptables fundamentals and then the additional applications psad, fwsnort and fwknop, along with visualization of firewall log data.

The iptables section of the book (Chapters 1-4) serves more as a reference than as a teaching tool. It presumes some existing knowledge, but it does expand on the components of iptables that are used in later parts of the book. What it does cover, it covers well, and it provides a foundation that is relevant to the chapters that follow. Anyone wanting truly in-depth knowledge of iptables itself, however, should look for a dedicated reference.

The next application to be presented is psad (Port Scan Attack Detector) in Chapters 5-8. Here the book goes into great detail on the installation and configuration options of psad. This begins to form the "meat" of the book, as psad, fwsnort and fwknop are tools created by the author, Michael Rash. It is obvious here that he has in-depth knowledge of the tools he is presenting (one would hope the author knows his own creation!).

The psad tool monitors the firewall logs for attack patterns and adds alerting when such attacks are detected and/or exceed a defined threshold. Rash goes through the various options and the benefits and pitfalls of each. He shows how psad does more than merely analyze the logs: when configured properly it identifies the type of attack and can even determine the operating system of the attacker.
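The kind of monitoring psad performs over iptables LOG output can be illustrated with a small detector, added here for this review; it is not psad's code. The syslog lines, the five-distinct-ports threshold, the 60-second window and the 1-5 "danger level" scale are all constructed for the example (psad has its own thresholds and danger-level algorithm):

```python
"""Toy port-scan detector over iptables LOG lines (added example, not psad's code)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of syslog lines as written by an iptables LOG rule with
# --log-prefix "DROP: ". Fields are abbreviated; real lines carry more (MAC,
# TOS, WINDOW, ...). 203.0.113.7 walks eight ports within a few seconds,
# 198.51.100.4 retries a single port, 198.51.100.9 sends one ping.
SAMPLE_LOG = """\
Mar 13 10:15:01 fw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=52 PROTO=TCP SPT=40001 DPT=21 SYN
Mar 13 10:15:01 fw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=52 PROTO=TCP SPT=40002 DPT=22 SYN
Mar 13 10:15:02 fw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=52 PROTO=TCP SPT=40003 DPT=23 SYN
Mar 13 10:15:02 fw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=52 PROTO=TCP SPT=40004 DPT=25 SYN
Mar 13 10:15:03 fw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=52 PROTO=TCP SPT=40005 DPT=80 SYN
Mar 13 10:15:03 fw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=52 PROTO=TCP SPT=40006 DPT=110 SYN
Mar 13 10:15:04 fw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=52 PROTO=TCP SPT=40007 DPT=143 SYN
Mar 13 10:15:04 fw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TTL=52 PROTO=TCP SPT=40008 DPT=443 SYN
Mar 13 10:15:05 fw kernel: DROP: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TTL=64 PROTO=TCP SPT=51515 DPT=443 SYN
Mar 13 10:16:30 fw kernel: DROP: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TTL=64 PROTO=TCP SPT=51516 DPT=443 SYN
Mar 13 10:16:31 fw kernel: DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
"""

# Syslog timestamp, host, "kernel:", optional log prefix, then the netfilter
# key=value fields. SPT/DPT are absent for protocols without ports (ICMP).
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"(?P<prefix>.*?)IN=\S* .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_log_line(line):
    """Return a dict for an iptables LOG line, or None for any other syslog line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        # Syslog carries no year; strptime defaults to 1900, which is fine
        # for the relative comparisons done below.
        "time": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
        "prefix": m["prefix"].strip(),
        "src": m["src"], "dst": m["dst"], "proto": m["proto"],
        "dpt": int(m["dpt"]) if m["dpt"] else None,
    }


def danger_level(distinct_ports):
    """Constructed 1-5 scale for this example, not psad's danger-level algorithm."""
    return min(5, 1 + distinct_ports // 5)


def detect_scans(lines, threshold=5, window_seconds=60):
    """Flag a source that touches >= threshold distinct ports within one window."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_log_line(line)
        if ev and ev["dpt"] is not None:
            by_src[ev["src"]].append(ev)

    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["time"])
        for i, first in enumerate(events):
            ports = set()
            for ev in events[i:]:
                if (ev["time"] - first["time"]).total_seconds() > window_seconds:
                    break
                ports.add(ev["dpt"])
            if len(ports) >= threshold:
                alerts.append({"src": src, "ports": sorted(ports),
                               "start": first["time"], "level": danger_level(len(ports))})
                break  # one alert per source is enough for this illustration
    return alerts


if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG.splitlines()):
        print(f"scan from {a['src']} level {a['level']} ports {a['ports']}")
```

Running the block prints one alert for 203.0.113.7; the retrying host and the single ping stay below the threshold. A real deployment would feed the detector from the live syslog stream rather than a string, and would add what the book covers and this toy omits: per-signature matching, e-mail alerting and the passive OS fingerprinting described above.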

Up next is fwsnort (Chapters 9-11), which takes Snort rules and translates them into iptables rules. This allows not only alerting on malicious traffic but also dropping or rejecting it at the firewall. As Rash points out, this makes it possible to protect machines against known attacks before a patch can be deployed. The book does a good job of distinguishing the response methods of psad and fwsnort and shows how the two can complement one another.
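To show what "translating a Snort rule into iptables rules" involves, here is a minimal translator added for this review. It is not fwsnort's code and does not reproduce fwsnort's output format; it handles only a single-content rule, treats Snort variables such as $HOME_NET as unrestricted, and the two sample rules are constructed. The mapping it uses is the iptables `string` match (`--string` for text, `--hex-string` for `|..|` byte content, `--icase` for `nocase`), a LOG rule for visibility and a DROP or REJECT rule for response:

```python
"""Toy Snort-to-iptables translator (added example, not fwsnort's code)."""
import re
import shlex

# Constructed sample rules in Snort syntax.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-ATTACK /etc/passwd"; '
    'flow:to_server,established; content:"/etc/passwd"; nocase; sid:1122; rev:5;)',
    'alert tcp any any -> any 21 (msg:"FTP NOP sled"; content:"|90 90 90|"; sid:9001;)',
]

RULE_RE = re.compile(
    r"^(?P<action>alert|log|drop|reject)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+"
    r"\((?P<opts>.*)\)\s*$"
)
# key; or key:value; where value may be a quoted string containing ';'
OPT_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_snort_rule(rule):
    """Split a rule into header fields, ordered content matches and other options."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("unsupported rule syntax")
    contents, opts = [], {}
    for key, val in OPT_RE.findall(m["opts"]):
        val = val.strip().strip('"')
        if key == "content":
            contents.append({"value": val, "nocase": False})
        elif key == "nocase" and contents:
            contents[-1]["nocase"] = True  # nocase modifies the preceding content
        else:
            opts[key] = val
    return {**m.groupdict(), "contents": contents, "opts": opts}


def _unrestricted(field):
    # 'any' and Snort variables ($HOME_NET, ...) are left unresolved here.
    return field == "any" or field.startswith("$")


def to_iptables(rule, chain="INPUT", action="DROP"):
    """Return [LOG command, response command] as shell strings (not executed)."""
    r = parse_snort_rule(rule)
    match = ["-p", "all" if r["proto"] == "ip" else r["proto"]]
    if r["proto"] in ("tcp", "udp"):
        if not _unrestricted(r["sport"]):
            match += ["--sport", r["sport"]]
        if not _unrestricted(r["dport"]):
            match += ["--dport", r["dport"]]
    if not _unrestricted(r["src"]):
        match += ["-s", r["src"]]
    if not _unrestricted(r["dst"]):
        match += ["-d", r["dst"]]
    for c in r["contents"]:
        match += ["-m", "string", "--algo", "bm"]
        match += ["--hex-string" if "|" in c["value"] else "--string", c["value"]]
        if c["nocase"]:
            match.append("--icase")
    # Keep the Snort msg with the rule; --log-prefix is limited to 29 chars,
    # so only the SID goes there.
    match += ["-m", "comment", "--comment", r["opts"].get("msg", "")]
    sid = r["opts"].get("sid", "0")
    log_cmd = ["iptables", "-A", chain, *match, "-j", "LOG", "--log-prefix", f"[SID {sid}] "]
    act_cmd = ["iptables", "-A", chain, *match, "-j", action]
    if action == "REJECT" and r["proto"] == "tcp":
        act_cmd += ["--reject-with", "tcp-reset"]
    return [shlex.join(log_cmd), shlex.join(act_cmd)]


if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print("\n".join(to_iptables(rule)))
```

The generated commands are printed rather than run, which is how one would review them before loading them into a chain. The LOG rule placed before the DROP is what lets psad-style log analysis see the blocked traffic; omit it and the block is silent.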

The next two chapters (12 and 13) cover port knocking, single packet authorization and fwknop. Simply put, port knocking and single packet authorization (SPA) allow a remote system to make dynamic changes to the firewall that grant temporary access to a service. A web server, say, would stay protected by the firewall except when access was dynamically opened for an authorized user. The fwknop tool provides this functionality.
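The following is an added illustration of the SPA idea, not fwknop's code or packet format: the client sends one authenticated message naming the port it wants, and the server accepts it only if the HMAC verifies with the shared key, the timestamp is fresh and the nonce has not been seen before, after which it would insert a time-limited ACCEPT rule. The shared key, the 30-second freshness window, the JSON payload layout and the 60-second access lifetime are all constructed for the example, and the rule is returned as a list rather than executed:

```python
"""Toy single packet authorization exchange (added example, not fwknop's code)."""
import base64
import hashlib
import hmac
import json
import os
import time

TAG_LEN = 32  # HMAC-SHA256 digest length


def build_spa_packet(key, src_ip, port, proto="tcp", now=None, nonce=None):
    """Client side: payload || HMAC, base64-encoded for a single UDP datagram."""
    body = json.dumps({
        "ts": int(now if now is not None else time.time()),
        "nonce": (nonce or os.urandom(16)).hex(),
        "src": src_ip, "port": port, "proto": proto,
    }, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag)


class SpaVerifier:
    """Server side: verify one packet and describe the temporary firewall change."""

    def __init__(self, key, window=30, access_seconds=60):
        self.key = key
        self.window = window              # accepted clock skew, seconds
        self.access_seconds = access_seconds
        self.seen = {}                    # nonce -> time first seen (replay cache)

    def verify(self, packet, now=None):
        now = int(now if now is not None else time.time())
        try:
            raw = base64.b64decode(packet, validate=True)
        except ValueError:
            return None                   # not even well-formed: silently ignore
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None                   # wrong key or tampered payload
        try:
            msg = json.loads(body)
            ts, nonce = int(msg["ts"]), str(msg["nonce"])
        except (ValueError, KeyError, TypeError):
            return None
        if abs(now - ts) > self.window:
            return None                   # stale packet
        # Drop cache entries older than the window, then check for replay.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if nonce in self.seen:
            return None
        self.seen[nonce] = now
        # In a real deployment the source address would be taken from the
        # packet header rather than trusted from the payload as done here.
        return {
            "src": msg["src"], "port": msg["port"], "proto": msg["proto"],
            "expires": now + self.access_seconds,
            "rule": ["iptables", "-I", "INPUT", "-s", msg["src"], "-p", msg["proto"],
                     "--dport", str(msg["port"]), "-j", "ACCEPT"],
        }


if __name__ == "__main__":
    key = b"constructed-shared-key"      # constructed; a real key is random and long
    server = SpaVerifier(key)
    pkt = build_spa_packet(key, "203.0.113.50", 22)
    print("first packet:", server.verify(pkt))
    print("replayed packet:", server.verify(pkt))
```

The second call in the usage block returns None because the nonce was already consumed, which is the property that distinguishes SPA from classic port knocking: a captured packet cannot simply be resent. Expiry of the inserted rule is left to the caller, as is removing it.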

While the tool itself is interesting and could have some niche applications, it's hard to see its use in a world with ubiquitous VPN services. It does add a layer of security, but also a layer of complexity that would be hard to justify in most cases.

The last chapter of Linux Firewalls covers visualization techniques based on statistics generated by the previous applications. While such efforts tend to be boring, almost every IT admin has a pointy-haired boss who likes pretty pictures, and this chapter provides valuable guidance for generating snappy-looking graphs.

Rash is obviously an expert in this area and it comes through in the writing. The content is accessible to most and would provide a valuable reference to anyone who deploys any of the above services or just some subset of them. For those who can't afford a commercial solution, this book is a must.


About John Doe

A political activist and security expert.