Book Review: Linux Firewalls - Attack Detection and Response with iptables, psad, and fwsnort by Michael Rash

Working in a university environment, one gets used to doing more with less. Security in particular never seems to get the budget it deserves, though that has improved in recent years. For all their limitations, open-source tools are the lifeblood that makes IT work, and work securely, in academia.

Using Netfilter (commonly called iptables) for our firewalls has reduced costs while still providing stable and secure service to users. For some time, though, we have been looking to get more out of those firewalls, both in security and in reporting on the traffic they see. The syslog output is all fine and good, but no one is seriously going to review it without some application doing the heavy lifting of making the data presentable.

Linux Firewalls is a great resource in this regard. It provides insight into, and practical information on, additional tools that get the most out of iptables and extend what it can do. The book covers iptables fundamentals and then moves on to psad, fwsnort, fwknop and visualization of firewall log data.

The iptables section of the book (Chapters 1-4) serves more as a reference than as a tutorial on iptables. It presumes some existing knowledge but does expand on the components of iptables that are used in later parts of the book. What it covers, it covers well, and it lays a basic foundation that is relevant to the chapters that follow. Readers who want truly in-depth knowledge of iptables itself, however, will still want a dedicated reference.

The next application presented is psad (Port Scan Attack Detector), in Chapters 5-8. Here the book goes into great detail on the installation and configuration options of psad. This begins the "meat" of the book, as psad, fwsnort and fwknop were all created by the book's author, Michael Rash. It is obvious here that he has in-depth knowledge of the tools he presents (one would hope the author knows his own creation!).

psad monitors the firewall logs looking for attack patterns and alerts when such attacks are detected and/or exceed a defined threshold. Rash walks through the various options and the benefits and pitfalls of each. He shows how psad does more than merely analyze the logs: when configured properly it identifies the type of attack and can even passively fingerprint the attacker's operating system.
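To make concrete what "doing the heavy lifting" on iptables syslog output looks like, here is a toy detector in the spirit of psad. It is an added example written for this review, not code from the book or from psad itself. It assumes the firewall logs dropped packets with a rule such as `iptables -A INPUT -j LOG --log-prefix "DROP "` and that syslog records those kernel messages in the traditional `Mon DD HH:MM:SS host kernel: ...` form; the log lines, the port threshold, the danger-level table and the TTL-based OS guess are all constructed or simplified here, and psad's real fingerprinting uses much richer p0f-style signatures.

```python
"""Toy port-scan detector over constructed iptables LOG lines (not psad's code)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog (not captured traffic). Three sources:
#   203.0.113.7   - SYN probes to six ports in three seconds (a SYN scan)
#   198.51.100.4  - a single SYN to port 22, which must not be flagged
#   198.51.100.77 - five packets with no TCP flags set (a NULL scan)
SAMPLE_LOG = """\
Nov 10 12:00:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 10 12:00:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 10 12:00:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=3 PROTO=TCP SPT=40003 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 10 12:00:02 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=9 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 10 12:00:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=4 PROTO=TCP SPT=40004 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 10 12:00:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=5 PROTO=TCP SPT=40005 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 10 12:00:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=6 PROTO=TCP SPT=40006 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 10 12:00:10 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=11 PROTO=TCP SPT=60001 DPT=111 WINDOW=1024 RES=0x00 URGP=0
Nov 10 12:00:10 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=12 PROTO=TCP SPT=60002 DPT=135 WINDOW=1024 RES=0x00 URGP=0
Nov 10 12:00:11 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=13 PROTO=TCP SPT=60003 DPT=139 WINDOW=1024 RES=0x00 URGP=0
Nov 10 12:00:11 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=14 PROTO=TCP SPT=60004 DPT=445 WINDOW=1024 RES=0x00 URGP=0
Nov 10 12:00:12 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=15 PROTO=TCP SPT=60005 DPT=3306 WINDOW=1024 RES=0x00 URGP=0
"""

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (.*)$")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")       # KEY=VALUE pairs of the LOG target
TCP_FLAG_NAMES = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}  # appear as bare tokens
# Illustrative packet counts per danger level; psad's own levels are configurable.
DANGER_LEVELS = [(1, 5), (2, 15), (3, 150), (4, 1500), (5, 10000)]


def parse_line(line, year=2009):
    """Return the LOG fields plus 'ts' and 'flags' for one syslog line, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    stamp, payload = m.groups()
    # syslog omits the year, so the caller has to supply it.
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    fields = dict(FIELD_RE.findall(payload))
    if "SRC" not in fields or "DPT" not in fields:
        return None  # e.g. ICMP lines carry no ports; ignored in this toy
    flags = {tok for tok in payload.split() if tok in TCP_FLAG_NAMES}
    return {"ts": ts, "flags": flags, **fields}


def classify_flags(flags):
    """Name the probe type from the TCP flags, as an Nmap user would."""
    if flags == {"SYN"}:
        return "SYN scan"
    if not flags:
        return "NULL scan"
    if flags == {"FIN", "PSH", "URG"}:
        return "Xmas scan"
    return "other (" + ",".join(sorted(flags)) + ")"


def os_hint_from_ttl(ttl):
    """Crude stand-in for passive OS fingerprinting: guess the sender's initial TTL."""
    ttl = int(ttl)
    if ttl <= 64:
        return "initial TTL 64 (Linux/BSD-like)"
    if ttl <= 128:
        return "initial TTL 128 (Windows-like)"
    return "initial TTL 255 (e.g. Solaris or network gear)"


def danger_level(packet_count):
    return max([0] + [lvl for lvl, needed in DANGER_LEVELS if packet_count >= needed])


def detect_scans(log_text, port_threshold=5, window_seconds=60, year=2009):
    """Alert on any source that hits port_threshold distinct ports within the window."""
    events = [e for e in (parse_line(l, year) for l in log_text.splitlines()) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["SRC"]].append(e)
    alerts = []
    for src, evs in sorted(by_src.items()):
        evs.sort(key=lambda e: e["ts"])
        # Slide a window over this source's packets; report the first window that crosses the threshold.
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if (e["ts"] - first["ts"]).total_seconds() <= window_seconds]
            ports = {(e["PROTO"], e["DPT"]) for e in window}
            if len(ports) >= port_threshold:
                flag_sets = [frozenset(e["flags"]) for e in window]
                common = max(set(flag_sets), key=flag_sets.count)  # dominant flag combination
                alerts.append({"src": src, "ports_probed": len(ports), "packets": len(window),
                               "scan_type": classify_flags(set(common)),
                               "danger_level": danger_level(len(window)),
                               "os_hint": os_hint_from_ttl(window[0]["TTL"])})
                break
    return alerts


if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG):
        print(a)
```

Run against the constructed log, the detector reports the SYN scanner and the NULL scanner and stays silent about the single connection attempt; the threshold of five distinct ports is the knob that separates the two, exactly the kind of setting the book spends its psad chapters explaining.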

Article Author: John Bambenek

John Bambenek is a freelance columnist and author. He is the author of Illinois Deserves Better and is an information security professional, part of the Internet Storm Center and a courseware author and certification grader for the GIAC family of security certifications. …
