Mailinglist Archive: opensuse (3100 mails)
Re: SUSE Firewall primitive shadow of ZoneAlarm in interactive user-control
- From: Linda Walsh <suse@xxxxxxxxx>
- Date: Wed, 22 Mar 2006 08:12:47 -0800
- Message-id: <4421777F.9050805@xxxxxxxxx>
Andre Truter wrote:
> OK, Linux doesn't have things like ActiveX and Javascript can be
> controlled with the different browsers themselves.

That's the point -- those technologies aren't built into the window
manager on Linux. If you ported "Explorer" to Linux, "Linux" could be
infected with the same viruses as Windows. It's the desktop and the
automated MS applications that allow virii in.

> FireFox lets you enable or disable javascript and you can tell it to
> only allow javascript from certain sites.

FF is an agnostic technology. It functions the same on Windows
as on Linux. You are making my point. Choose better applications on
Windows and you'll reduce your security-liability footprint.

> How does a firewall detect incoming javascript?

Many firewall products have this feature. A firewall product sits
on the boundary between "out there" and your system. In order for HTTP
protocol to be passed "in", it has to go through a firewall. The Firewall
simply does "deep inspection". Hardware firewall products (Juniper, et al)
have this feature. So do some software firewall products.

> > the javascript through (using a previously built-up "whitelist" of previously
> > approved websites). Barring corruption of "trusted websites", I don't have
> > to worry about downloading trojan script-code.
> Firefox does this on Linux.

Firefox does this. Period. It does it on Windows as well. One
of the easier ways of reducing your security profile on Windows: switch to
FireFox and T-bird. Neither has to do with the underlying security of the OS.

> > I don't have to run an
> > "intrusion [virus] detection program". It doesn't get that far.
> Ummm.. Intrusion Detection systems have nothing to do with viruses.

That's where you are mistaken. I listed virus in brackets because
that's what a virus is -- it is an intrusion of an outside program that
has been run in some "privileged" mode such that it has installed portions
of itself behind for _possible_ purposes of spreading, or just "owning" the machine.
Both intrusion and virus detection software look for signs of altered or corrupt software retrospectively. Good intrusion detection software
looks for signatures of known root-kits and infection vectors.
About the only thing "virus" detection
has over I.D. is "on-access" scanning -- which is a bit like russian
roulette. You hope your virus scanner is up-to-date enough to catch some number
of known signatures. On Linux -- people tend more to rely on trusted software
sources and gpg-signed binaries.
But in both cases "intrusion detection" or virus detection, the scanners
scan retrospectively for

> Intrusion detection systems monitor incoming connections and prevent
> and warn of possible break-in attempts. (where the real threat is on
> linux)

How many systems are "owned" linux vs. windows? I'd suggest the total is higher for windows. What's the difference in the intrusion detection you are
talking about? You are referring to the singular case where someone is actually
behind 1 specific attack on your system instead of it being one of a thousand
automatic attack vectors. It makes much more sense for an "intruder-wanna-be" to
use multiple viruses and launch 10's - 100's of thousands automated attacks. It's not profitable to waste time attacking 1 system unless you have some specific objective. It's far easier just looking for "easy pickings" -- people
who have left their doors "unlocked".

> Go and read up on snort, it seems to be exactly what you need.

Am already familiar w/it.

> > Because I can block all network access in or out of my machine on my Windows
> > box, I feel it is more secure than my linux box -- because on linux, something
> > could have snuck-in via a corrupt binary or downloaded patch and I
> > wouldn't know about it for days or longer depending on how well the evidence was
> > buried in a log file.
> First: You can set up your linux firewall to also block both incoming
> and outgoing traffic. In fact, I can set up my Linux firewall in such
> a way that my network connection becomes totally ineffective. It is as
> if the network card does not work at all. No traffic flowing.

Cement-Pro also protects your system. You encase your system in
6-feet of cement. Nothing gets in or out. What's your point?

> Secondly: How can something sneak in via a corrupt binary via a
> firewall? You have to download it and install it. How does ZoneAlarm
> protect you against that?

Same way as on Linux -- if you download a corrupt binary, you lose.
If you run a pre-built RPM or binary on Linux you can suffer the same problems
as on Windows. Your linux system will be compromised faster since there are
almost no linux-virus detectors for downloaded binaries (RPMs). By a feature
of the RPM system -- if you install an RPM, you've already used root, so any
software you've installed has complete control over your system.

> On Linux you have tools like checkrootkit, etc that inspect every file
> on your system and immediately let you know if the file was tampered
> with.

Is it "on-access"? I don't think so. When you install, it uses "HTTP"
to go out onto the net to download instructions -- does a linux system detect
what applications are accessing HTTP and to what target system? An application
like ZoneAlarm will tell you in real-time -- as soon as outside communication
is attempted, that program "address book" is trying to use HTTP to contact
"owned-systems.ru".
On Linux, you may see an outgoing http log entry to owned-systems.ru, but are you going to know what program accessed it? That information generally
isn't in my squid-log. If it is, it's too late -- the access has happened. With the "zone-alarm", the idea is that anytime a program on your "internal computer zone" attempts to cross onto the "internet zone", you get a real-time
alarm and get to decide if it is allowed or not based on program name, and destination.
In linux firewall rules, you have the destination, but do you have the
source program or filename available so you can tell what program is trying to
go out on HTTP?

> AppArmor is also a tool that will let you know immediately if files
> are accessed without permission. It prevents the access and then
> notifies you. So it is pro-active.

How does it detect access? Signatures? Are they checked before every
execution? Windows NT has this capability built-in. You can setup the default
on Windows to deny every unregistered binary. Only binaries in known system
locations can be setup to be allowed execution. If you copy a system binary to
an unknown location and try to execute it, it will fail. This is already built-in to WinXP but is rarely used that way. I don't know of any Linux distro
that ships with such capabilities built-in and enforced by the OS.

> > The main reason windows has more security problems than linux is because
> > the defaults on windows-applications are designed for ease of use *over*
> > security. It is often a trade-off. But linux provides *SO MUCH* logging about
> > everything, that it's hard to sort through _everything_ to see what is
> > important. At the very least, custom scripts and filtering are required and
> > that right there puts it beyond most users (like my mom, etc...).
> Well, the idea is that the normal user should not need to worry about
> security. Linux has been designed in such a way that it looks after
> itself. You don't need to monitor the security systems.

That's what you want to believe -- Linux doesn't provide a real-time
alarm system like zone-alarm that pops up graphically to tell the user about
each network access. All it provides are log files that let you examine things
after the fact. How is that more secure?

> But, I think you need to have a look at squil and snort, as that is
> basically what you want. It will notify you immediately of any
> suspect activity on your ports.

How will you know it is suspect if it is going out on HTTP or SMTP?
Do they permit access based on program and target machine? I'm not familiar
with "Squil".

> It does not read log files, it acts
> the moment the activity is happening on the port, so it is rather
> pro-active than re-active.

If true, then great! You solved the original poster's problem -- it can pop up a graphical UI and ask the user if the traffic is permitted if it doesn't
already fall into a permitted class. That's what they wanted -- something that
popped up in real time any time traffic not explicitly permitted happened.
Perhaps you can instruct the original post on how that works. Personally, I haven't seen that on Linux, but if you have a solution, great!
Let's hear it. :-).
linda
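The question the thread keeps circling back to is whether a Linux box can tell which program opened an outbound connection and decide, per program and destination, whether to allow it. The kernel does keep that information: /proc/net/tcp lists every socket with its owning uid and socket inode, and /proc/<pid>/fd links each inode back to a process, which is exactly how `ss -p` and the later per-application egress daemons for Linux answer "who is talking to owned-systems.ru". The following is an added example written for this archive page, not code from the opensuse list, SUSEfirewall2 or ZoneAlarm. It parses the real /proc/net/tcp layout, maps socket inodes to pids, and applies a ZoneAlarm-style allow/deny/ask policy. The sample /proc/net/tcp rows, the inode-to-pid table used in the test, and the policy rules are constructed for the demo; the firefox path in the policy is an assumption.

```python
"""Attribute a local TCP connection to the program that owns it and apply a
per-program egress policy, in the spirit of ZoneAlarm's pop-up on Windows.

Added example for this thread; it is not code from the opensuse list,
SUSEfirewall2 or ZoneAlarm.  It reads the same /proc tables that `ss -p`
and Linux egress daemons use.  The /proc/net/tcp rows, the inode->pid
table and the policy rules are constructed for the demo."""
import os
import socket
import struct
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Conn:
    laddr: str
    lport: int
    raddr: str
    rport: int
    state: int
    uid: int
    inode: int


# Constructed rows in the real /proc/net/tcp layout: IPv4 addresses are hex in
# little-endian byte order, ports hex big-endian; column 8 is the owning uid
# and column 10 the socket inode.  Row 0 is sshd listening, row 1 is an
# established connection from 10.0.2.15 to 93.184.216.34:80 owned by uid 1000.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B8E2 22D8B85D:0050 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""
TCP_ESTABLISHED = 0x01


def _decode(hexaddr: str) -> Tuple[str, int]:
    """'0F02000A:B8E2' -> ('10.0.2.15', 47330); the kernel prints the IPv4 word little-endian."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        (lip, lport), (rip, rport) = _decode(f[1]), _decode(f[2])
        conns.append(Conn(lip, lport, rip, rport, int(f[3], 16), int(f[7]), int(f[9])))
    return conns


def socket_inode_owners(proc_root: str = "/proc") -> Dict[int, int]:
    """Walk /proc/<pid>/fd and map every socket inode to the pid holding it."""
    owners: Dict[int, int] = {}
    for fd_dir in Path(proc_root).glob("[0-9]*/fd"):
        try:
            for fd in fd_dir.iterdir():
                target = os.readlink(fd)          # e.g. 'socket:[67890]'
                if target.startswith("socket:["):
                    owners[int(target[8:-1])] = int(fd_dir.parent.name)
        except OSError:                           # process exited, or not ours to read
            continue
    return owners


def exe_of_pid(pid: int) -> str:
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return "<unknown>"


@dataclass
class Rule:
    exe: str
    verdict: str                      # "ALLOW" or "DENY"
    raddr: Optional[str] = None       # None matches any destination
    rport: Optional[int] = None       # None matches any port


# Constructed policy (assumed firefox path): the browser may speak HTTP/HTTPS
# anywhere; every other program/destination pair is undecided and gets "ASK".
POLICY = [Rule("/usr/lib/firefox/firefox", "ALLOW", rport=80),
          Rule("/usr/lib/firefox/firefox", "ALLOW", rport=443)]


def decide(exe: str, raddr: str, rport: int, rules: List[Rule] = POLICY) -> str:
    """First matching rule wins; no match is the case where ZoneAlarm would pop up."""
    for r in rules:
        if r.exe == exe and r.raddr in (None, raddr) and r.rport in (None, rport):
            return r.verdict
    return "ASK"


def attribute(conns: List[Conn], owners: Dict[int, int],
              exe_of: Callable[[int], str] = exe_of_pid, rules: List[Rule] = POLICY):
    """For each established connection return (exe, pid, dst, port, verdict)."""
    out = []
    for c in conns:
        if c.state != TCP_ESTABLISHED:
            continue
        pid = owners.get(c.inode)
        exe = exe_of(pid) if pid is not None else "<no owner>"
        out.append((exe, pid, c.raddr, c.rport, decide(exe, c.raddr, c.rport, rules)))
    return out


if __name__ == "__main__":   # live run; root is needed to see other users' /proc/<pid>/fd
    live = parse_proc_net_tcp(Path("/proc/net/tcp").read_text())
    for exe, pid, dst, port, verdict in attribute(live, socket_inode_owners()):
        print(f"{verdict:5} {exe} (pid {pid}) -> {dst}:{port}")
```

Two caveats a practitioner would want. First, this lookup happens after the connect() has already been issued; a real prompting daemon holds the SYN in a netfilter queue (NFQUEUE) while it does this attribution and asks the user, otherwise you are back to learning about it after the fact. Second, iptables itself cannot match on the program path: the owner match (`-m owner --uid-owner`) keys on the uid of the socket, so per-program rules in the firewall proper only work if each program runs as its own user; the old `--cmd-owner` and `--pid-owner` options were dropped from the 2.6 kernels.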