Andre Truter wrote:
On 3/21/06, Linda Walsh
wrote: [...] It isn't about the relative strengths of security but about real-time interactivity. Linux is poor in real-time, interactive controls and monitoring.
I disagree. If you tail the log file, you can immediately see what is going on in realtime.
Not really. The log is _retrospective_. It tells you what just happened and it doesn't pop up with an interactive message telling you something has happened "out of the ordinary". Zone alarm (and the ilk) tells you what _is_ happening -- allows you to decide what to permit *before* letting it happen, then allows the operation to proceed. With log files, the system already made a decision about what to do, and you are seeing what decision it made "seconds ago" (to borrow from Data's perspective, "an eternity in computer time...").
What I would agree to is that I don't know of any graphical tools that will show this information to you.
What would be handy is a tool that parses the log file or listens for notifications and then shows important messages in a display. It should also filter the messages so that you don't get flooded with messages.
---- Again...all retrospective. I don't want to know what happened. I might want my firewall to stop traffic that is out of the ordinary -- not deny it, but pause it, and let me decide what to do. By default, if I'm not there to decide, the network request will timeout.
This is something that can be done relatively easily, but I think the main reason why it has not been done is because the focus of Linux security has been mainly server based, due to the design of the system.
The real-time aspect isn't relatively easy. When something happens at the network layer, there is no tracking to know what program running by what user "instigated" the network traffic.
I find the discussion about how the user should or shouldn't be doing things amusing -- i.e. "Dear ex-windows user: um, we don't have the features and abilities you want, so we want to educate you on what you think you should want and give you lots of reasons why what you want doesn't really protect you (which is what we wanted to tell you what you really wanted)." Bleh!
I think you are misunderstanding the thread (or at least my part of the thread). It is not about telling the user that Linux lacks the features, etc., it is about getting the user to focus on the right place.
I have secure systems set up with both Windows and Linux. I don't think it is out of place to want a real-time decision capacity on my linux-based personal computer.
It has no value creating tools that make Linux act like Windows if it is misleading the user in the process. The problem is that the bigger threat on a Linux system is not viruses and spyware trying to get outside access, but crackers trying to get access from outside.
That's no more of a problem on linux than on Windows. It's just that with automation, Windows has more ways to "trick" user applications to open doors for outside crackers.
So, what is the use of giving a user a nice app that acts like a Windows tool, by reporting all outgoing attempts and by doing so, the newbie is focussing on non-existing viruses, while he/she never realises that they are being hacked to pieces.
ZoneAlarm in the firewall defense isn't about viruses. It is about permitting network traffic, either in or out. Making sure no processes are going "out" w/o permission in no way negates ZA's inbound firewall with the same real-time, interactive capabilities. In realtime I can see if someone is pounding my system, or I can see in real time that my printer is sending out network "advertisements" on my local net. I can choose to deny one and allow the other -- as they happen -- not by looking at a log file later. And, I'm sorry -- doing a "tail -f" of a log file is a very poor interactive defense mechanism. One blink and a burst will have things scrolling off the screen. By the time I figure out if the burst was important, it is way after the fact.
Yes, with netstat and ps you can determine which process is using a port and who owns the process.
--- ??? I don't think so -- only if the network connection is persistent. If it is a UDP packet? There is nothing to look at in those real-time tools. Even if they replot once/second, you can't see the application, ports and addresses of the 100-1000 packets that can come in during 1 second. The event of interest is *over* by the time you bring up ps or netstat -- even if you have netstat running repeatedly in a TTY window (assuming you have screen real-estate to keep such things open while you are watching a movie). With the WinXP method -- the security popup comes up on top of the movie. It demands instant attention *before* it allows the action to complete.
If you start to look at system processes that initiate access then you move into the server arena.
Eh? I'm a single user of my system. My "server" system (which just serves me), right now has 97 processes running -- only 13 under my userid. The computer is just serving me. Even on my WinXP laptop, only 15 out of 27 processes are "owned" by me. On Windows, more things are handled in threads than in separate processes, under threads, only 79 out of 289 belong to me. This isn't a server.
If you run a firewall/gateway/proxy, then you normally don't have a person sitting there authorising access by clicking yes/no on pop-ups. Does a Windows based firewall/gateway do this?
--- YES, you do (on a windows workstation) Zonealarm is a firewall. It pops up a question dialog for any traffic not explicitly permitted (when properly configured).
I can just imagine the poor firewall administrator at Microsoft having to authorise each user's attempts to access the web or send mail. Imagine how slow the internet access would be.
I'm the only one on my system. There is no other "administrator". It pops up questions to me when I am at the console.
The question is: Why do you want the "ZoneAlarm" functionality on a Linux system? Your problem is not applications trying to access the internet from inside.
Naw...rootkits never happen on linux. Zonealarm protects against *both* incoming and outgoing.
Your focus areas are access attempts from outside (firewall handles that) and someone breaking into your system and installing a rootkit (firewall, intrusion detection and checkrootkit).
Mostly retrospective. Many breakins in the real world happen because of some "anomalous" traffic going *out* from the system.
If someone installed a rootkit, then a 'ZoneAlarm' clone will not help much as you can tunnel over port 80 or something. If someone managed to get the level of access to your system to install a rootkit, then they can do basically anything on your system and you are screwed.
If they thought of everything. Not a lot of pieces of malware, for example, bother to detect proxies.
So, first line of defence is a firewall blocking unauthorised access. Zonealarm does that. Second line of defence is intrusion detection, like snort. Then, you can also check for rootkits and unexpected changes in files.
Retrospective and easily fooled.
No, not exactly true. First, a pdf document (or any attachment) will not be executed, so how can it compromise your system? The only way is if there is a vulnerability in acrobat reader or the application you use to open a file with.
Bingo! pdf's, postscript files, even jpg's have had exploits in them that exploited standard applications on the inside.
If you want an interactive view of what is going on with your network traffic, you can use ethereal to see in realtime exactly what traffic is going where.
I want something that pops up a notice anytime any non-permitted program attempts any action that is out of the ordinary. If my "C" compiler attempts to open "/etc/passwd" with write access, or "/etc/shadow" with _any_ permission, I'd like to see that pop up in real time -- not wait for a log review sometime later when the log in question may have been tampered with or deleted.
There are some other tools available to give you an interactive view on your network activity, but the problem is that you cannot sit and watch all the traffic activity and expect to pick up when someone tries to attack you.
On Windows, you don't need that -- it only shows you the exceptions, and blocks any traffic, in or out, that isn't explicitly permitted. On my system, for example, no browser (IE, firefox, opera) is able to run javascript or java from any site, unless I have explicitly permitted that site through my web-filter. I don't have to worry about visiting some random website that will exploit the latest java[script] or activeX bug -- they are all blocked. If I wished to configure it, each time my "firewall" detected incoming javascript from a website, it could popup a question to ask if I wished to let the javascript through (using a previously built-up "whitelist" of previously approved websites). Barring corruption of "trusted websites", I don't have to worry about downloading trojan script-code. I don't have to run an "intrusion [virus] detection program". It doesn't get that far. Because I can block all network access in or out of my machine on my Windows box, I feel it is more secure than my linux box -- because on linux, something could have snuck in via a corrupt binary or downloaded patch and I wouldn't know about it for days or longer depending on how well the evidence was buried in a log file. The main reason windows has more security problems than linux is because the defaults on windows-applications are designed for ease of use *over* security. It is often a trade-off. But linux provides *SO MUCH* logging about everything, that it's hard to sort through _everything_ to see what is important. At the very least, custom scripts and filtering are required and that right there puts it beyond most users (like my mom, etc...). linda
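The filtering log watcher Andre sketches (parse the firewall log, drop what the owner already permits, don't flood the display) and Linda's objection that a one-second burst scrolls straight off a "tail -f" are both illustrated by this added example, which is not code from either poster. It assumes the kernel logs dropped packets in the standard iptables LOG key=value format under a constructed "FW-IN:" prefix, and all log lines and addresses below are constructed.

```python
"""Collapse a burst of iptables LOG lines into one filtered summary row per flow."""
import re
from collections import Counter

# Constructed sample: a one-second burst as it would appear in a syslog file.
SAMPLE_LOG = """\
Mar 21 10:00:01 pc kernel: FW-IN: IN=eth0 OUT= SRC=192.168.1.20 DST=224.0.0.251 PROTO=UDP SPT=5353 DPT=5353 LEN=80
Mar 21 10:00:01 pc kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.5 PROTO=TCP SPT=40001 DPT=22 SYN
Mar 21 10:00:01 pc kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.5 PROTO=TCP SPT=40002 DPT=22 SYN
Mar 21 10:00:01 pc kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.5 PROTO=TCP SPT=40003 DPT=22 SYN
Mar 21 10:00:01 pc kernel: FW-IN: IN=eth0 OUT= SRC=192.168.1.20 DST=224.0.0.251 PROTO=UDP SPT=5353 DPT=5353 LEN=80
Mar 21 10:00:01 pc kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.5 PROTO=UDP SPT=1025 DPT=137 LEN=78
Mar 21 10:00:02 pc sshd[1234]: Accepted publickey for linda from 192.168.1.20 port 50000 ssh2
"""

# Traffic the owner has already decided to accept, e.g. the printer's mDNS
# advertisements from the thread: (source prefix, protocol, destination port).
ALLOW = {("192.168.1.", "UDP", 5353)}

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_line(line):
    """Return the key=value fields of a kernel firewall log line, else None."""
    if "kernel:" not in line or "IN=" not in line:
        return None
    fields = dict(FIELD.findall(line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    fields["DPT"] = int(fields.get("DPT") or 0)
    return fields

def allowed(ev):
    """True when the event matches an ALLOW entry and should be suppressed."""
    return any(ev["SRC"].startswith(net) and ev["PROTO"] == proto and ev["DPT"] == port
               for net, proto, port in ALLOW)

def summarize(text, min_hits=1):
    """One (SRC, PROTO, DPT, count) row per flow, busiest first, allow-listed
    traffic dropped and flows with fewer than min_hits packets omitted."""
    hits = Counter()
    for line in text.splitlines():
        ev = parse_line(line)
        if ev and not allowed(ev):
            hits[(ev["SRC"], ev["PROTO"], ev["DPT"])] += 1
    return sorted(((src, proto, dpt, n) for (src, proto, dpt), n in hits.items()
                   if n >= min_hits), key=lambda row: -row[3])

if __name__ == "__main__":
    for src, proto, dpt, n in summarize(SAMPLE_LOG):
        print(f"{src:>15} -> {proto}/{dpt:<5} x{n}")
```

Reading `tail -f /var/log/messages` in a loop and feeding each second's worth of lines to `summarize` turns a scrolling burst into a couple of rows; raising `min_hits` hides single stray packets.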