Mailinglist Archive: opensuse (3100 mails)
Re: SUSE Firewall primitive shadow of ZoneAlarm in interactive user-control
- From: "Andre Truter" <andre.truter@xxxxxxxxx>
- Date: Wed, 22 Mar 2006 03:25:19 +0200
- Message-id: <173f0b9f0603211725veef6e9fm710f26f9b6baff99@xxxxxxxxxxxxxx>
On 3/22/06, Linda Walsh <suse@xxxxxxxxx> wrote:
>
> On my system, for example, no browser (IE, firefox, opera) is able to
> run javascript or java from any site, unless I have explicitly permitted that
> site through my web-filter. I don't have to worry about visiting some random
> website that will exploit the latest java[script] or activeX bug -- they are all
> blocked.
OK, Linux doesn't have things like ActiveX, and JavaScript can be
controlled with the different browsers themselves.
Firefox lets you enable or disable JavaScript and you can tell it to
only allow JavaScript from certain sites.
> If I wished to configure it, each time my "firewall" detected incoming
> javascript from a website, it could pop up a question to ask if I wished to let
How does a firewall detect incoming javascript?
I suppose the only way to do this is to inspect each HTML file passing
through and look for the javascript headers.
AFAIK, IPCop has a plugin that allows things like that.
> the javascript through (using a previously built-up "whitelist" of previously
> approved websites). Barring corruption of "trusted websites", I don't have
> to worry about downloading trojan script-code.
Firefox does this on Linux.
> I don't have to run an
> "intrusion [virus] detection program". It doesn't get that far.
Ummm.. Intrusion detection systems have nothing to do with viruses.
Intrusion detection systems monitor incoming connections and prevent
and warn of possible break-in attempts (where the real threat is on
Linux).
Go and read up on snort, it seems to be exactly what you need.
>
> Because I can block all network access in or out of my machine on my Windows
> box, I feel it is more secure than my linux box -- because on linux, something
> could have snuck-in via a corrupt binary or downloaded patch and I
> wouldn't know about it for days or longer depending on how well the evidence was
> buried in a log file.
First: You can set up your Linux firewall to also block both incoming
and outgoing traffic. In fact, I can set up my Linux firewall in such
a way that my network connection becomes totally ineffective. It is as
if the network card does not work at all. No traffic flowing.
Secondly: How can something sneak in via a corrupt binary via a
firewall? You have to download it and install it. How does ZoneAlarm
protect you against that?
On Linux you have tools like checkrootkit, etc. that inspect every file
on your system and immediately let you know if the file was tampered
with.
AppArmor is also a tool that will let you know immediately if files
are accessed without permission. It prevents the access and then
notifies you. So it is pro-active.
> The main reason windows has more security problems than linux is because
> the defaults on windows-applications are designed for ease of use *over*
> security. It is often a trade-off. But linux provides *SO MUCH* logging about
> everything, that it's hard to sort through _everything_ to see what is
> important. At the very least, custom scripts and filtering are required and
> that right there puts it beyond most users (like my mom, etc...).
>
Well, the idea is that the normal user should not need to worry about
security. Linux has been designed in such a way that it looks after
itself. You don't need to monitor the security systems.
But, I think you need to have a look at sguil and snort, as that is
basically what you want. It will notify you immediately of any
suspect activity on your ports. It does not read log files, it acts
the moment the activity is happening on the port, so it is
pro-active rather than re-active.
--
Andre Truter | Software Engineer | Registered Linux user #185282
ICQ #40935899 | AIM: trusoftzaf | http://www.trusoft.co.za
~ A dinosaur is a salamander designed to Mil Spec ~
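The thread asks how a "firewall" could detect incoming JavaScript and gate it on an approved-site list. Below is an added illustration (not code from either poster, IPCop or any SUSE tool) of what such a content filter has to do per HTTP response, and of the caveat that a compressed (or encrypted) body is invisible to it; the allowlist host, the heuristics and the sample responses are all constructed.

```python
import re
from urllib.parse import urlsplit

# Hypothetical allowlist: sites whose script the user has explicitly approved.
ALLOWED_SCRIPT_HOSTS = {"www.example.org"}

# Heuristics a filter must apply to every HTML response: script tags, inline
# event handlers and javascript: URLs. Keeping this list complete is the hard part.
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
EVENT_HANDLER = re.compile(r"\son[a-z]+\s*=", re.IGNORECASE)
JS_URL = re.compile(r"(?:href|src)\s*=\s*[\"']?\s*javascript:", re.IGNORECASE)
SCRIPT_TYPES = {"application/javascript", "text/javascript", "application/x-javascript"}

def content_type_is_script(headers):
    """True if the response declares itself as a JavaScript resource."""
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    return ctype in SCRIPT_TYPES

def html_contains_script(body):
    """True if the HTML body carries script by any of the heuristics above."""
    return bool(SCRIPT_TAG.search(body) or EVENT_HANDLER.search(body) or JS_URL.search(body))

def decide(url, headers, body, allowlist=ALLOWED_SCRIPT_HOSTS):
    """Classify one HTTP response; header names are assumed lower-cased."""
    host = urlsplit(url).hostname or ""
    if host in allowlist:
        return ("allow", "host is on the approved list")
    encoding = headers.get("content-encoding", "identity").lower()
    if encoding != "identity":
        # A compressed (or TLS-encrypted) body is opaque to the filter: decode
        # first, otherwise the inspection silently becomes a no-op.
        return ("unknown", "body is %s-encoded; decode before inspecting" % encoding)
    if content_type_is_script(headers):
        return ("block", "script resource from an unapproved host")
    if html_contains_script(body):
        return ("block", "HTML embeds script from an unapproved host")
    return ("pass", "no script detected")

# Constructed sample responses, not captured traffic.
SAMPLES = [
    ("http://www.example.org/app.js", {"content-type": "application/javascript"}, "alert(1)"),
    ("http://unknown.example/index.html", {"content-type": "text/html"},
     '<html><body onload="boot()"><p>hi</p></body></html>'),
    ("http://unknown.example/plain.html", {"content-type": "text/html"}, "<p>no script</p>"),
    ("http://unknown.example/gz.html",
     {"content-type": "text/html", "content-encoding": "gzip"}, "\x1f\x8b..."),
]

def run_samples():
    return [decide(u, h, b)[0] for u, h, b in SAMPLES]
```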