Mailinglist Archive: opensuse (3100 mails)
Re: SUSE Firewall primitive shadow of ZoneAlarm in interactive user-control
- From: "Andre Truter" <andre.truter@xxxxxxxxx>
- Date: Wed, 22 Mar 2006 19:14:27 +0200
- Message-id: <173f0b9f0603220914t4e46ea88l1b86a7f8f937e19@xxxxxxxxxxxxxx>
On 3/22/06, Linda Walsh <suse@xxxxxxxxx> wrote:
> Andre Truter wrote:
> > OK, Linux doesn't have things like ActiveX, and Javascript can be
> > controlled with the different browsers themselves.
> ---
> That's the point -- those technologies aren't built into the Window
> manager on Linux. If you ported "Explorer" to Linux, "Linux" could be
> infected with the same viruses as Windows. It's the desktop and the
> automated MS applications that allow virii in.
Nope, that is wrong.
There have been people that have actively tried to install Windows
viruses on Linux and the best that a virus could do on Linux was to
delete a few of the user's files.
It could not survive for long and it could not propagate itself.
Due to the design of the system, Linux is a very unfriendly environment
for a virus.
>
> > FireFox lets you enable or disable javascript and you can tell it to
> > only allow javascript from certain sites.
> ---
> FF is an agnostic technology. It functions the same on Windows
> as on Linux. You are making my point. Choose better applications on
> Windows and you'll reduce your security-liability footprint.
>
Yes, exactly. You said that ZoneAlarm does this, so I said that you
can use FF on Linux to get the same functionality. I know FF does
this on Windows too.
>
> > How does a firewall detect incoming javascript?
> ---
> Many firewall products have this feature. A firewall product sits
> on the boundary between "out there" and your system. In order for HTTP
> protocol to be passed "in", it has to go through a firewall. The Firewall
> simply does "deep inspection". Hardware firewall products (Juniper, et al)
> have this feature. So do some software firewall products.
>
Is this not exactly what I said when I mentioned the IPCop plugin?
> >
> > Ummm.. Intrusion Detection systems have nothing to do with viruses.
> ----
> That's where you are mistaken. I listed virus in brackets because
> that's what a virus is -- it is an intrusion of an outside program that
> has been run in some "privileged" mode such that it has installed portions
> of itself behind for _possible_ purposes of spreading, or just "owning" the
> machine.
> Both intrusion and virus detection software look for signs of altered or
> corrupt software retrospectively. Good intrusion detection software
> looks for signatures of known root-kits and infection vectors.
No, Intrusion detection systems monitor incoming traffic and react to
malicious attacks on your ports. They do not check files for
signatures; that is what anti-virus and anti-rootkit tools do.
Checking the files for viruses is after the fact. An intrusion
detection system prevents anything from reaching your system.
> ---
> How many systems are "owned" linux vs. windows? I'd suggest the total is
> higher for windows. What's the difference in the intrusion detection you are
> talking about? You are referring to the singular case where someone is actually
> behind 1 specific attack on your system instead of it being one of a thousand
> automatic attack vectors. It makes much more sense for a "intruder-wanna-be" to
> use multiple viruses and launch 10's - 100's of thousands automated attacks.
> It's not profitable to waste time attacking 1 system unless you have some
> specific objective. It's far easier just looking for "easy pickings" -- people
> who have left their doors "unlocked".
>
I don't really get your point here.
I don't know of a single Linux system that has been infected by a virus
(that the user did not install on purpose).
Linux systems get "owned" by people exploiting vulnerabilities on a
machine that has the vulnerable software listening on an open port.
The other way is to physically gain access to the machine, or to
convince the root user to install compromised software. In the last
two cases you are dealing with social engineering and something like
AppArmor can protect you there. In the first case, your firewall and
IDS can protect you.
In neither of the cases is there any use in having a system that tells
you that an application tries to access the internet. If you get to
that point, you are already screwed.
You should use your firewall and AppArmor to make sure you don't get
to that point.
> ----
> Cement-Pro also protects your system. You encase your system in
> 6-feet of cement. Nothing gets in or out. What's your point?
>
My point is that if you are worried about a compromised application on
your Linux system trying to "phone home", then set up your Linux
Firewall to block outgoing traffic too.
> ---
> Same way as on Linux -- if you download a corrupt binary, you lose.
> If you run a pre-built RPM or binary on Linux you can suffer the same problems
> as on Windows. Your linux system will be compromised faster since there are
> almost no linux-virus detectors for downloaded binaries (RPMs). By a feature
> of the RPM system -- if you install an RPM, you've already used root, so any
> software you've installed has complete control over your system.
That is why you have gpg signature checking built into your package
managers. They act as anti-virus software. All built in.
>
> > On Linux you have tools like checkrootkit, etc that inspect every file
> > on your system and immediately lets you know if the file was tampered
> > with.
> ---
> Is it "on-access"? I don't think so. When you install, it uses "HTTP"
> to go out onto the net to download instructions -- does a linux system detect
> what applications are accessing HTTP and to what target system? An application
> like ZoneAlarm will tell you in real-time -- as soon as outside communication
> is attempted, that program "address book" is trying to use HTTP to contact
> "owned-systems.ru".
But is it not too late then? That means that you have already been
compromised. The idea on Linux is to prevent that situation, not sit
and wait until it happens and then it can proudly inform you that you
have been owned.
>
> > AppArmor is also a tool that will let you know immediately if files
> > are accessed without permission. It prevents the access and then
> > notifies you. So it is pro-active.
> ----
> How does it detect access? Signatures? Are they checked before every
> execution?
You set up your AppArmor to allow a user access to certain files.
> built-in to WinXP but is rarely used that way. I don't know of any Linux distro
> that ships with such capabilities built-in and enforced by the OS.
>
AFAIK, SELinux enforces it.
> >
> > Well, the idea is that the normal user should not need to worry about
> > security. Linux has been designed in such a way that it looks after
> > itself. You don't need to monitor the security systems.
> ----
> That's what you want to believe -- Linux doesn't provide a real-time
> alarm system like zone-alarm that pops up graphically to tell the user about
> each network access. All it provides are log files that let you examine things
> after the fact. How is that more secure?
>
Again, you are looking at this from the wrong side. Tools like
ZoneAlarm will inform you that you have already been infected, while
Linux security systems prevent you from being infected in the first
place.
I would rather spend more time and energy on preventing being owned
than being informed that I have been owned.
> Perhaps you can instruct the original post on how that works. Personally, I
> haven't seen that on Linux, but if you have a solution, great!
> Let's hear it. :-).
>
I have provided the link, all the documentation and software is there.
My point is still that people coming from a Windows background treat
Linux security from the wrong end.
The functionality of ZoneAlarm that the original OP wanted is useless
on Linux, as it only informs you that you HAVE ALREADY been
compromised. If you get to that stage, you can just as well format
your disk and re-install as you are screwed.
I suggest that the OP should rather look at the tools that PREVENT a
system from being owned.
Those tools are a firewall, IDS, AppArmor, etc.
If you want to know if you have already been owned then you can use
tripwire and checkrootkit.
A system like ZoneAlarm will not have any effect if you have been
compromised, as the attacker initiates the connection from outside and
compromises an application that normally does have net access (how else
will they get to the app if it is not listening on a socket). These
are applications like sendmail, telnet, apache, ssh, etc.
So, let's look at a situation: You have your Linux system with the
newly ported ZoneAlarm running, and it tells you that sendmail wants
to access the net. So you say OK, as you want your mail to be sent.
Now the attacker compromises sendmail and they are happily using
sendmail to do all kinds of nasty stuff. How will ZoneAlarm protect
you?
Sendmail is supposed to access the net.
See my point? You should catch the guy before he gets to sendmail and
that is what a firewall and IDS is for.
--
Andre Truter | Software Engineer | Registered Linux user #185282
ICQ #40935899 | AIM: trusoftzaf | http://www.trusoft.co.za
~ A dinosaur is a salamander designed to Mil Spec ~
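One way to put the message's "set up your Linux firewall to block outgoing traffic too" into practice: a default-deny egress rule set where a daemon may only reach the service it exists for, and everything else is logged and dropped rather than announced in a popup. This is an added example, not code from the thread or from the SUSE firewall; it assumes, as constructed values, that eth0 faces the internet, that the MTA runs as user `mail`, that the only permitted resolver is 192.0.2.53, and that package updates are fetched as root over HTTP/HTTPS.

```shell
#!/bin/sh
# Added example, not from the thread: default-deny egress policy with iptables.
# A compromised sendmail can still speak SMTP (which it is supposed to do),
# but it cannot "phone home" on any other port, and the attempt is logged.
# Constructed assumptions: eth0 is the external interface, the MTA runs as the
# "mail" user, DNS goes only to 192.0.2.53, and root fetches updates over
# HTTP/HTTPS.
ETH="${ETH:-eth0}"
RESOLVER="${RESOLVER:-192.0.2.53}"
MTA_USER="${MTA_USER:-mail}"

# Emit the rule set as text so it can be reviewed (and tested) before it is
# applied. Order matters: the first matching rule in EGRESS wins.
egress_rules() {
    cat <<EOF
iptables -P OUTPUT DROP
iptables -N EGRESS
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o $ETH -j EGRESS
iptables -A EGRESS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A EGRESS -p udp -d $RESOLVER --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A EGRESS -p tcp --dport 25 -m owner --uid-owner $MTA_USER -m conntrack --ctstate NEW -j ACCEPT
iptables -A EGRESS -p tcp -m multiport --dports 80,443 -m owner --uid-owner root -m conntrack --ctstate NEW -j ACCEPT
iptables -A EGRESS -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DROP: "
iptables -A EGRESS -j DROP
EOF
}

# Number of rules keyed on the originating user; these are what confine a
# compromised daemon to its own legitimate service instead of the whole net.
owner_rule_count() {
    egress_rules | grep -c -- '--uid-owner'
}

# Apply the rules (requires root). Each line is our own generated text; eval
# is used only so the quoted --log-prefix argument survives word splitting.
apply_rules() {
    egress_rules | while IFS= read -r cmd; do
        eval "$cmd" || { echo "failed: $cmd" >&2; return 1; }
    done
}

# Run as root with APPLY=1 to enforce; otherwise just print the rule set.
if [ "${APPLY:-0}" = "1" ]; then
    apply_rules
else
    egress_rules
fi
```

Dropped attempts show up in the kernel log with the `EGRESS-DROP:` prefix, which is where an IDS or log watcher picks them up.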