How to log and block specific application activity
Hi,

I have a quite simple and stupid question I have been unable to solve with googling. I need to log and block network activity of certain applications on router/firewall level. For example, these programs should be allowed: Mozilla, Safari, KMail, Apple Mail. And these prohibited: Internet Explorer, Outlook, QuickTime/RealVideo/MS players, in order to prevent them from catching viruses, spyware or downloading unwanted content like streaming video.

Since they are using the same ports one needs to filter traffic from/to specific application(s) and not certain ports and/or protocols.

Here is a log from /var/log/firewall:

Jan 2 21:20:56 su37 kernel: Shorewall:filter:OUTPUT:IN= OUT=eth0 SRC=85.115.127.51 DST=66.35.250.67 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38602 DF PROTO=TCP SPT=50535 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 2 21:20:56 su37 kernel: Shorewall:mangle:POSTROUTING:IN= OUT=eth0 SRC=85.115.127.51 DST=66.35.250.67 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38602 DF PROTO=TCP SPT=50535 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

Unfortunately, there is no information about which application(s) have requested certain packets.

Thanks in advance for any suggestion(s)

Andrei.

PS. If you have any other idea(s) besides iptables please advise.
Andrei Verovski (aka MacGuru) wrote:

> I have a quite simple and stupid question I have been unable to solve with googling. I need to log and block network activity of certain applications on router/firewall level. For example, these programs should be allowed: Mozilla, Safari, KMail, Apple Mail
>
> And these prohibited: Internet Explorer, Outlook, QuickTime/RealVideo/MS players, in order to prevent them from catching viruses, spyware or downloading unwanted content like streaming video.

Since you cite program names from many different operating systems, I infer that the systems with the applications are not the firewall. To fulfill your request is near to impossible with any firewall technology.[*] Thus, no googling will solve your problem.

Your best bet is the installation of a personal firewall and anti-virus software on the workstations. There the application is still known and can be blocked. E.g. on Windows, Kerio firewalls are fine. On Linux workstations, you can use the --cmd-owner option of iptables to create rules that match connections that are caused by known command names.

A firewall as perimeter defense is *not* a miracle tool that brings you all-over safety, quite to the contrary. It is very hard to get decent security just by protecting one's network perimeter.

With lots of additional effort you can establish proxies on your firewall (i.e., use application gateways and not iptables; your clients access those proxies and not the original server) and filter requests and incoming data against malware. E.g., with Squid you can forbid Internet Explorer to make requests. With an MTA in-between you can (try to) filter malware before it reaches Outlook. This is hard to set up properly, and an ongoing effort to maintain. Usually it's only done at big companies by dedicated staff or by outsourcing companies.

Joachim

[*] Hypothetically, one could parse requests with something like Snort and abort connections when one identifies programs with signatures. But that's not on the level of the poster's question. ;-)

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Joachim Schrod    Email: jschrod@acm.org
Roedermark, Germany
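Both Andrei's log excerpt and Joachim's reply turn on the same point: netfilter's LOG output carries packet headers, not the name of the process that sent the packet. The parser below is an added example (not code from the thread or from Shorewall) that splits the two quoted Shorewall lines into their fields and checks whether any field identifies the sending application. The only per-process fields the kernel LOG target can add are UID and GID (the iptables `--log-uid` option), never a command name; the third sample line with a UID field is constructed here to show what that looks like, and `APP_FIELDS` is an assumption of this example.

```python
import re
from collections import Counter

# The two lines quoted in the original post (Shorewall prefix on netfilter LOG output).
SAMPLE_LOG = """\
Jan 2 21:20:56 su37 kernel: Shorewall:filter:OUTPUT:IN= OUT=eth0 SRC=85.115.127.51 DST=66.35.250.67 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38602 DF PROTO=TCP SPT=50535 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 2 21:20:56 su37 kernel: Shorewall:mangle:POSTROUTING:IN= OUT=eth0 SRC=85.115.127.51 DST=66.35.250.67 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38602 DF PROTO=TCP SPT=50535 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Constructed line (not from the thread): what a rule logged with --log-uid adds.
CONSTRUCTED_UID_LINE = (
    "Jan 2 21:21:03 su37 kernel: Shorewall:filter:OUTPUT:IN= OUT=eth0 "
    "SRC=85.115.127.51 DST=66.35.250.67 LEN=60 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=38603 DF PROTO=TCP SPT=50536 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 "
    "UID=1000 GID=100"
)

# syslog timestamp, host, "kernel:", then the Shorewall prefix "Shorewall:<table>:<chain>:"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Shorewall:(?P<table>\w+):(?P<chain>\w+):(?P<rest>.*)$"
)

# Fields that would tie a packet to a sending process. Only UID/GID exist in
# netfilter LOG output (via --log-uid); PID and CMD are listed here purely to
# make the point that the kernel never logs them (assumption of this example).
APP_FIELDS = ("UID", "GID", "PID", "CMD")


def parse_line(line):
    """Split one Shorewall/netfilter LOG line into a dict of header fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "table": m["table"],
           "chain": m["chain"], "flags": []}
    for tok in m["rest"].split():
        if "=" in tok:
            key, val = tok.split("=", 1)   # IN= has an empty value on OUTPUT
            rec[key] = val
        else:
            rec["flags"].append(tok)        # DF, SYN, ACK ... carry no value
    return rec


def parse_log(text):
    """Parse every line of a log excerpt, skipping lines that do not match."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def application_hint(rec):
    """Name the field that points at the sending process, or None if the
    record only contains packet headers (the situation in the thread)."""
    for field in APP_FIELDS:
        if field in rec:
            return field
    return None


def flows_by_destination(records):
    """Count distinct outbound packets per (DST, PROTO, DPT). The same packet
    is logged once per chain it traverses (filter:OUTPUT, mangle:POSTROUTING),
    so deduplicate on the IP ID plus source address and port first."""
    seen, counts = set(), Counter()
    for r in records:
        packet_key = (r.get("ID"), r.get("SRC"), r.get("SPT"))
        if packet_key in seen:
            continue
        seen.add(packet_key)
        counts[(r.get("DST"), r.get("PROTO"), r.get("DPT"))] += 1
    return counts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r["table"], r["chain"], r["DST"], r["DPT"],
              "app field:", application_hint(r))
    print(flows_by_destination(recs))
    print("with --log-uid:", application_hint(parse_line(CONSTRUCTED_UID_LINE)))
```

Run against the two lines from the post, every record comes back with `application_hint` of `None`: the router sees source and destination addresses, ports and TCP flags, but nothing that distinguishes Internet Explorer from Mozilla. With `--log-uid` the best a rule on the sending host itself can add is the user id, which is also the granularity of the iptables owner match; naming the program has to happen on the workstation or in an application-level proxy, as the reply says.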
On Monday 02 January 2006 22:12, Joachim Schrod wrote:

> Andrei Verovski (aka MacGuru) wrote:
>
> > I have a quite simple and stupid question I have been unable to solve with googling. I need to log and block network activity of certain applications on router/firewall level. For example, these programs should be allowed: Mozilla, Safari, KMail, Apple Mail
> >
> > And these prohibited: Internet Explorer, Outlook, QuickTime/RealVideo/MS players, in order to prevent them from catching viruses, spyware or downloading unwanted content like streaming video.
>
> Since you cite program names from many different operating systems, I infer that the systems with the applications are not the firewall. To fulfill your request is near to impossible with any firewall technology.[*] Thus, no googling will solve your problem.
>
> Your best bet is the installation of a personal firewall and anti-virus software on the workstations. There the application is still known and can be blocked. E.g. on Windows, Kerio firewalls are fine. On Linux workstations, you can use the --cmd-owner option of iptables to create rules that match connections that are caused by known command names.
>
> A firewall as perimeter defense is *not* a miracle tool that brings you all-over safety, quite to the contrary. It is very hard to get decent security just by protecting one's network perimeter.
>
> With lots of additional effort you can establish proxies on your firewall (i.e., use application gateways and not iptables; your clients access those proxies and not the original server) and filter requests and incoming data against malware. E.g., with Squid you can forbid Internet Explorer to make requests. With an MTA in-between you can (try to) filter malware before it reaches Outlook. This is hard to set up properly, and an ongoing effort to maintain. Usually it's only done at big companies by dedicated staff or by outsourcing companies.
>
> Joachim
>
> [*] Hypothetically, one could parse requests with something like Snort and abort connections when one identifies programs with signatures. But that's not on the level of the poster's question. ;-)
>
> --
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Joachim Schrod    Email: jschrod@acm.org
> Roedermark, Germany
In XP with SP2 you should be able to set access to applications per user. I have never tried that, but apparently you should be able to prevent users from starting/accessing certain applications.

In Linux... Check ACL (?)

--
/Rikard
-----------------------------------------------------------------------------
email : rikard.j@rikjoh.com
web   : http://www.rikjoh.com
mob   : +46 (0)736 19 76 25
------------------------ Public PGP fingerprint ----------------------------
< 15 28 DF 78 67 98 B2 16 1F D3 FD C5 59 D4 B6 78 46 1C EE 56 >
participants (3): Andrei Verovski (aka MacGuru), Joachim Schrod, Rikard Johnels