On Monday 02 January 2006 22:12, Joachim Schrod wrote:
Andrei Verovski (aka MacGuru) wrote:
I have quite simple and stupid question I have been unable to solve with googling. I am need to log and block network activity of certain applications on router/firewall level. For example, these programs should be allowed: Mozilla, Safari, KMail, Apple Mail
And these prohibited Internet Explorer, Outlook, Quciktime/RealVideo/MS players, in order to prevent them to catch viruses, spyware or download unwanted content like streaming video.
Since you cite program names from many different operating systems, I infer that the systems with the applications are not the firewall. To fulfill your request is near to impossible with any firewall technology.[*] Thus, no googling will solve your problem.
Your best bet is the installation of a personal firewall and anti-virus software on the workstations. There the application is still known and can be blocked. E.g. on Windows, Kerio firewalls are fine. On Linux workstations, you can use the --cmd-owner option of iptables to create rules that match connections that are caused by known command names.
A firewall as perimeter defense is *not* a miracle tool that brings you all-over safety, quite to the contrary. It is very hard to get decent security just by protecting one's network perimeter.
With lots of additional effort you can establish proxies on your firewall (i.e., use application gateways and not iptables, your clients access those proxies and not the original server) and filter requests and incoming data against malware. E.g., with Squid you can forbid Internet Explorer to make requests. With an MTA in-between you can (try to) filter malware before it reaches Outlook. This is hard to set up properly, and an ongoing effort to maintain. Usually it's only done at big companies by dedicated staff or by outsourcing companies.
Joachim
[*] Hypothetically, one could parse requests with something like Snort and abort connections when one identifies programs with signatures. But that's not on the level of the poster's question. ;-)
-- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Joachim Schrod Email: jschrod@acm.org Roedermark, Germany
-- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com
In XP with SP2 you should be able to set access to applications per user. I have never tried that but apparently you should be able to prevent users from starting/accessing certain applications. In Linux... Check ACL (?) -- /Rikard ----------------------------------------------------------------------------- email : rikard.j@rikjoh.com web : http://www.rikjoh.com mob : +46 (0)736 19 76 25 ------------------------ Public PGP fingerprint ---------------------------- < 15 28 DF 78 67 98 B2 16 1F D3 FD C5 59 D4 B6 78 46 1C EE 56 >