Mailinglist Archive: opensuse (4054 mails)

Re: [SLE] How to log and block specific application activity
  • From: Rikard Johnels <rikard.j@xxxxxxxxxx>
  • Date: Mon, 2 Jan 2006 22:31:59 +0100
  • Message-id: <200601022232.00192.rikard.j@xxxxxxxxxx>
On Monday 02 January 2006 22:12, Joachim Schrod wrote:
> Andrei Verovski (aka MacGuru) wrote:
> > I have a quite simple and stupid question I have been unable to solve with
> > googling. I need to log and block network activity of certain
> > applications on router/firewall level. For example, these programs should
> > be allowed: Mozilla, Safari, KMail, Apple Mail
> >
> > And these prohibited: Internet Explorer, Outlook, QuickTime/RealVideo/MS
> > players, in order to prevent them from catching viruses, spyware or downloading
> > unwanted content like streaming video.
>
> Since you cite program names from many different operating systems, I infer
> that the systems with the applications are not the firewall. To fulfill
> your request is near to impossible with any firewall technology.[*] Thus,
> no googling will solve your problem.
>
> Your best bet is the installation of a personal firewall and anti-virus
> software on the workstations. There the application is still known and can
> be blocked. E.g. on Windows, Kerio firewalls are fine. On Linux
> workstations, you can use the --cmd-owner option of iptables to create
> rules that match connections that are caused by known command names.
>
> A firewall as perimeter defense is *not* a miracle tool that brings you
> all-over safety, quite to the contrary. It is very hard to get decent
> security just by protecting one's network perimeter.
>
> With lots of additional effort you can establish proxies on your firewall
> (i.e., use application gateways and not iptables, your clients access those
> proxies and not the original server) and filter requests and incoming data
> against malware. E.g., with Squid you can forbid Internet Explorer to make
> requests. With an MTA in-between you can (try to) filter malware before it
> reaches Outlook. This is hard to set up properly, and an ongoing effort to
> maintain. Usually it's only done at big companies by dedicated staff or by
> outsourcing companies.
>
> Joachim
>
> [*] Hypothetically, one could parse requests with something like Snort and
> abort connections when one identifies programs with signatures. But that's
> not on the level of the poster's question. ;-)
>
> --
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Joachim Schrod Email: jschrod@xxxxxxx
> Roedermark, Germany

In XP with SP2 you should be able to set access to applications per user.
I have never tried that but apparently you should be able to prevent users
from starting/accessing certain applications.
In Linux... Check ACL (?)



--
         /Rikard

-----------------------------------------------------------------------------
email   : rikard.j@xxxxxxxxxx
web     : http://www.rikjoh.com
mob     : +46 (0)736 19 76 25
------------------------ Public PGP fingerprint ----------------------------
< 15 28 DF 78 67 98 B2 16 1F D3 FD C5 59 D4 B6 78  46 1C EE 56 >
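
The Squid approach mentioned in the quoted reply (refusing requests by client program at a proxy on the firewall), as an added example that is not part of the original thread. It assumes Squid 3.2 or later syntax, that clients are forced through the proxy, and a constructed log path and constructed User-Agent patterns; the User-Agent header is supplied by the client, so this enforces policy on cooperative software and gives visibility, it is not a security boundary.

```conf
# squid.conf fragment (added example; paths and patterns are assumptions)

# Match requests by the User-Agent header the client sends.
# Patterns are case-insensitive regexes; these are illustrative only.
acl blocked_ua browser -i MSIE
acl blocked_ua browser -i Windows-Media-Player
acl blocked_ua browser -i QuickTime
acl blocked_ua browser -i RealPlayer

# Log format that records the User-Agent alongside client address,
# method, URL and the status Squid returned to the client.
logformat ualog %tl %>a %rm %ru %>Hs "%{User-Agent}>h"

# Separate log containing only requests that matched the blocked set,
# so denied applications can be reviewed without grepping the main log.
access_log daemon:/var/log/squid/blocked_ua.log ualog blocked_ua

# Deny must come before the http_access rules that allow the LAN,
# because Squid stops at the first matching http_access line.
http_access deny blocked_ua
```

Mail clients such as Outlook do not pass through an HTTP proxy, which is why the quoted reply points to an MTA for that part.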
