https://bugzilla.novell.com/show_bug.cgi?id=717152
https://bugzilla.novell.com/show_bug.cgi?id=717152#c0

Summary: Re-Evaluate the Effectiveness of Yast Firewall Front End and its Application
Classification: openSUSE
Product: openSUSE 12.1
Version: Factory
Platform: All
OS/Version: SuSE Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: scott@aphofis.com
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1

In planning for 12.1 I would like to see a huge focus devoted to PC security. The methodology of having an External and Internal Zone needs to stop! The current Firewall offers a simple SPI interface from the iptables in the kernel. For any real protection from our Firewall we really need to have a comms input into a PC designated as the External Zone, and then the comms emerge from the same PC in the Internal Zone. In ALL my years onsite observing what is being put in place, NO one but no one wants to waste the resources of a PC to implement the external input to the internal output. If a site has their own web server this convention is used, but no one really wants to host their own domain - it is all too easy to have an external company host both the DNS and content of their site - it's far, far, far cheaper to do this than go it alone. The only valid way I can think of to have an External/Internal zone would be to maintain the external input of TCP/IP but with the output being IPX/SPX and/or other protocol stacks. This would require a large amount of processing to convert the protocols, but it is the only real application of External/Internal Zones, in my opinion. This External/Internal Model *we* have been using for years, in reflection, was a very bad Model and is being dumped as we speak. We also need to provide more Firewall Security as well as not requiring an internal/external zone.
In Australia even moderate size LANs use 1 or 2 IPs inbound, then NAT'd to perhaps up to 50-75 PCs. It's just the way we do it. Home users, who are a huge target for the open product, will always use the same NAT'd IP for 2 or 4 PCs in the home. It is rare to find ANYONE that uses public IPs, let alone External/Internal zone Models. The role of SPI just ensures that all invited inbound traffic == the same outbound traffic. The biggest problem which makes SPI useless is that almost all threats are invited inbound by any number of means. If threats are not invited inbound then yes, SPI is perfectly good at its job. On top of an SPI filter I think we must add an ALG Inspection engine for the TCP component, or the data component, and strip the data payload then and there. ALG filters, obviously, can only inspect the TCP data payload and therefore do not impinge on HTTPS or other encrypted traffic. ALG Filtering is effective against the data payload of the most common forms of traffic: HTTP/FTP/VOIP/... We can give the user the ability to whitelist a file on permitted file types and/or URL and deny blacklisted file contents on the same. URL and MAC Filtering are probably the easiest part of TCP/IP filtering to be disabled from an external intruder. The ALG can then offer, within the data payload, the ability to inhibit ActiveX, cookies and so forth, for other control functions in the data payload that we can examine. The same whitelist and blacklist files should also be able to permit/deny ActiveX, cookies... even down to virus signatures. For that matter we can even test for attack-type intruder methods. TCP/IP was never designed to be safe and it will never be safe in its current v4/6, EVER, as long as it maintains the default trust offered to any device on the net.
It's not the job of the internet to secure the protocol, unless you think it will be completely dumped and replaced. The reason why we can accomplish this is we have the processing performance and memory addressing that makes Windoze pale into its primate constraints that still exist in W7. We can achieve the above without any, or appreciable, slowing down of nominal performance. Together with the sister bug I wrote on AppArmor I think we can do this, provide real-time and serious security at the desktop, because Linux can.

I have classified this as a bug as we currently have a serious failing in how we try to provide modernistic security. - Discussion is fruitful and expected well before 12.1. Please add your thoughts and ideas to the list - We have a problem that we need to fix... It's not an Enhancement, it's a current failing of us and every other platform, I would suggest.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
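The reporter's central distinction is between a stateful (SPI) filter, which admits inbound traffic only when the LAN side "invited" it, and an ALG-style layer that looks inside the payload of those invited connections and applies a file-type whitelist/blacklist. The following toy model, added here as an illustration and not code from the report, openSUSE or YaST, shows both layers on constructed packets: the stateful layer drops an unsolicited inbound probe but admits an HTTP response the user requested, and the payload layer is what rejects that response when its content type or attachment file type is outside policy. The policy sets, the `Packet` fields and the HTTP responses are all assumed sample values; the encrypted-payload case shows the limit the report notes, namely that a payload inspector can only pass such traffic through.

```python
"""Toy model of the two filtering layers discussed in the report: a stateful
(SPI) filter that tracks which connections the LAN side opened, and an
ALG-style inspector that looks into plaintext HTTP payloads. Constructed
example; the packets and HTTP responses below are made up, not captured traffic."""
import os
import re
from dataclasses import dataclass

# Policy for the payload layer: a whitelist of permitted content types and a
# blacklist of file extensions (assumed values for the demonstration).
ALLOWED_TYPES = {"text/html", "text/plain", "image/png", "image/jpeg"}
BLOCKED_EXTENSIONS = {".exe", ".scr", ".vbs"}


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" = LAN -> Internet, "in" = Internet -> LAN
    lan_ip: str
    lan_port: int
    remote_ip: str
    remote_port: int
    payload: bytes = b""


class StatefulFilter:
    """SPI: remember connections the LAN initiated and admit only their replies."""

    def __init__(self):
        self.connections = set()

    def filter(self, pkt):
        key = (pkt.lan_ip, pkt.lan_port, pkt.remote_ip, pkt.remote_port)
        if pkt.direction == "out":
            self.connections.add(key)   # anything leaving counts as "invited"
            return True, "outbound, connection recorded"
        if key in self.connections:
            return True, "reply to a LAN-initiated connection"
        return False, "unsolicited inbound, dropped"


def inspect_http_response(payload):
    """ALG layer: parse HTTP response headers and apply the content policy.
    Returns (allowed, reason). Non-HTTP or encrypted payloads cannot be
    inspected here and pass through, which is the limit the report notes."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not sep or not lines[0].startswith(b"HTTP/"):
        return True, "not a plaintext HTTP response, passed uninspected"
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype and ctype not in ALLOWED_TYPES:
        return False, f"content-type {ctype} not on the whitelist"
    match = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""), re.I)
    if match:
        ext = os.path.splitext(match.group(1).strip())[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            return False, f"blacklisted file type {ext}"
    return True, "payload within policy"


def run_scenario():
    """Push constructed packets through both layers; return per-packet verdicts
    as (direction, remote_port, allowed, reason)."""
    spi = StatefulFilter()
    exe_response = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                    b"Content-Disposition: attachment; filename=\"update.exe\"\r\n\r\nMZ...")
    page_response = b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<html>"
    packets = [
        Packet("in", "192.168.1.10", 22, "203.0.113.9", 40000),             # unsolicited probe
        Packet("out", "192.168.1.10", 51000, "198.51.100.7", 80),            # user browses out
        Packet("in", "192.168.1.10", 51000, "198.51.100.7", 80, page_response),
        Packet("out", "192.168.1.10", 51001, "198.51.100.7", 80),            # user clicks a download
        Packet("in", "192.168.1.10", 51001, "198.51.100.7", 80, exe_response),
    ]
    verdicts = []
    for pkt in packets:
        ok, reason = spi.filter(pkt)
        # Only traffic the SPI layer already admitted reaches the payload inspector.
        if ok and pkt.direction == "in" and pkt.payload:
            ok, reason = inspect_http_response(pkt.payload)
        verdicts.append((pkt.direction, pkt.remote_port, ok, reason))
    return verdicts


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The fifth packet is the case the report is about: the stateful layer accepts it because the LAN opened the connection, and only the payload layer rejects it. A TLS record handed to `inspect_http_response` returns allowed, because nothing in the payload is readable, which is why the report describes the ALG as not touching HTTPS.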