By Michael E. Whitman, Herbert J. Mattord, Andrew Green
Reviewed by Upesh Parekh, CISA
Organizational boundaries are becoming blurred. The enterprise’s network is accessed beyond the 4 walls of the organization. No longer is the network supposed to be used only by the organization’s employees. It is, therefore, important to protect the network perimeter of the organization more zealously than ever.
Firewalls are a powerful weapon in the armory of any security professional, and firewalls can be used to protect an organization from the insecurity of the public network. A firewall helps keep undesired elements from getting into the network and also helps protect insiders from visiting harmful web sites.
Authorized users of the organization’s network are required to access the network frequently from outside the organization. Many times such access is via a public network, which is not very safe. With the advancement of encryption technology, it is possible to create a specific type of private communication channel—a virtual private network (VPN)—to protect such access.
Guide to Firewalls and VPNs, now in its 3rd edition, is written to specifically address firewalls and VPNs in detail. The book is useful for candidates preparing for security and audit-related exams, such as the Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) exams, and for security professionals interested in gaining a better grasp of the concepts. This book would be very useful for those who want an in-depth understanding of firewalls.
The book is divided into 3 parts. In the 1st part, the authors set the context for the discussion around firewalls and VPNs. They establish that firewalls are not magical tools that, once installed, solve all security-related miseries. Rather, they are just a clever piece of technology that should be supported by strong security policies, detailed security standards and robust training/awareness programs.
The 2nd part of the book explains that a firewall is not a piece of a hardware or software, but rather a combination of hardware and software. For example, firewalls can be classified by their type, technology, generation or placement in the network. The firewall is configured to make it behave in line with the organization’s intent. Too many false positives or false negatives could result in an irritated worker, a constricted business or an exposed network.
The 3rd part of the book starts with an explanation of encryption, which is the underlying foundation of the VPN. It then discusses the concept and configuration of VPNs.
The book is written in as simple language as is possible when discussing a technology-oriented subject. It presumes that readers have a basic understanding of networking concepts. Each chapter ends with practice questions for readers. The highlights of the book are the real-world exercises and the hands-on projects included at the end of every chapter. The book is not completely vendor-neutral, and this helps readers visualize some of the concepts in the context of some leading products.
Guide to Firewalls and VPNs, 3rd Edition is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in the latest issue of the ISACA Journal, visit the ISACA Bookstore online or email email@example.com.
Upesh Parekh, CISA, is a governance and risk professional with more than 10 years of experience in the fields of IT risk management and audit. He is based in Pune, India, and works for Barclays Technology Centre, India.