Andre Truter wrote:
OK, Linux don't have things like ActiveX and Javascript can be controlled with the different browsers themselves.
That's the point -- those technologies aren't built into the window manager on Linux. If you ported "Explorer" to Linux, "Linux" could be infected with the same viruses as Windows. It's the desktop and the automated MS applications that allow virii in.
FireFox lets you enable or disable javascript and you can tell it to only allow javascript from certain sites.
FF is an agnostic technology. It functions the same on Windows as on Linux. You are making my point. Choose better applications on Windows and you'll reduce your security-liability footprint.
How does a firewall detect incoming javascript?
Many firewall products have this feature. A firewall product sits on the boundary between "out there" and your system. In order for HTTP protocol to be passed "in", it has to go through a firewall. The Firewall simply does "deep inspection". Hardware firewall products (Juniper, et al) have this feature. So do some software firewall products.
the javascript through (using a previously built-up "whitelist" of previously approved websites). Barring corruption of "trusted websites", I don't have to worry about downloading trojan script-code.
Firefox does this on Linux.
Firefox does this. Period. It does it on Windows as well. One of the easier ways of reducing your security profile on Windows: switch to FireFox and T-bird. Neither has to do with the underlying security of the OS.
I don't have to run an "intrusion [virus] detection program". It doesn't get that far.
Ummm.. Intrusion Detection systems have nothing to do with viruses.
---- That's where you are mistaken. I listed virus in brackets because that's what a virus is -- it is an intrusion of an outside program that has been run in some "privileged" mode such that it has installed portions of itself behind for _possible_ purposes of spreading, or just "owning" the machine. Both intrusion and virus detection software look for signs of altered or corrupt software retrospectively. Good intrusion detection software looks for signatures of known root-kits and infection vectors. About the only thing "virus" detection has over I.D. is "on-access" scanning -- which is a bit like Russian roulette. You hope your virus scanner is up-to-date enough to catch some number of known signatures. On Linux -- people tend more to rely on trusted software sources and gpg-signed binaries. But in both cases, "intrusion detection" or virus detection, the scanners scan retrospectively for
Intrusion detection systems monitor incoming connections and prevent and warn of possible break-in attempts (where the real threat is on Linux).
How many systems are "owned" linux vs. windows? I'd suggest the total is higher for windows. What's the difference in the intrusion detection you are talking about? You are referring to the singular case where someone is actually behind 1 specific attack on your system instead of it being one of a thousand automatic attack vectors. It makes much more sense for a "intruder-wanna-be" to use multiple viruses and launch 10's - 100's of thousands automated attacks. It's not profitable to waste time attacking 1 system unless you have some specific objective. It's far easier just looking for "easy pickings" -- people who have left their doors "unlocked".
Go and read up on snort, it seems to be exactly what you need.
Am already familiar w/it.
Because I can block all network access in or out of my machine on my Windows box, I feel it is more secure than my linux box -- because on linux, something could have snuck-in via a corrupt binary or downloaded patch and I wouldn't know about it for days or longer depending on how well the evidence was buried in a log file.
First: You can set up your Linux firewall to also block both incoming and outgoing traffic. In fact, I can set up my Linux firewall in such a way that my network connection becomes totally ineffective. It is as if the network card does not work at all. No traffic flowing.
Cement-Pro also protects your system. You encase your system in 6-feet of cement. Nothing gets in or out. What's your point?
Secondly: How can something sneak in via a corrupt binary via a firewall? You have to download it and install it. How does ZoneAlarm protect you against that?
Same way as on Linux -- if you download a corrupt binary, you lose. If you run a pre-built RPM or binary on Linux you can suffer the same problems as on Windows. Your Linux system will be compromised faster since there are almost no Linux virus detectors for downloaded binaries (RPMs). By a feature of the RPM system -- if you install an RPM, you've already used root, so any software you've installed has complete control over your system.
On Linux you have tools like chkrootkit, etc. that inspect every file on your system and immediately let you know if the file was tampered with.
Is it "on-access"? I don't think so. When you install, it uses "HTTP" to go out onto the net to download instructions -- does a linux system detect what applications are accessing HTTP and to what target system? An application like ZoneAlarm will tell you in real-time -- as soon as outside communication is attempted, that program "address book" is trying to use HTTP to contact "owned-systems.ru". On Linux, you may see an outgoing http log entry to owned-systems.ru, but are you going to know what program accessed it? That information generally isn't in my squid-log. If it is, it's too late -- the access has happened. With the "zone-alarm", the idea is that anytime a program on your "internal computer zone" attempts to cross onto the "internet zone", you get a real-time alarm and get to decide if it is allowed or not based on program name, and destination. In linux firewall rules, you have the destination, but do you have the source program or filename available so you can tell what program is trying to go out on HTTP?
AppArmor is also a tool that will let you know immediately if files are accessed without permission. It prevents the access and then notifies you. So it is pro-active.
How does it detect access? Signatures? Are they checked before every execution? Windows NT has this capability built-in. You can set up the default on Windows to deny every unregistered binary. Only binaries in known system locations can be set up to be allowed execution. If you copy a system binary to an unknown location and try to execute it, it will fail. This is already built-in to WinXP but is rarely used that way. I don't know of any Linux distro that ships with such capabilities built-in and enforced by the OS.
The main reason windows has more security problems than linux is because the defaults on windows-applications are designed for ease of use *over* security. It is often a trade-off. But linux provides *SO MUCH* logging about everything, that it's hard to sort through _everything_ to see what is important. At the very least, custom scripts and filtering are required and that right there puts it beyond most users (like my mom, etc...).
Well, the idea is that the normal user should not need to worry about security. Linux has been designed in such a way that it looks after itself. You don't need to monitor the security systems.
That's what you want to believe -- Linux doesn't provide a real-time alarm system like ZoneAlarm that pops up graphically to tell the user about each network access. All it provides are log files that let you examine things after the fact. How is that more secure?
But, I think you need to have a look at Sguil and snort, as that is basically what you want. It will notify you immediately of any suspect activity on your ports.
How will you know it is suspect if it is going out on HTTP or SMTP? Do they permit access based on program and target machine? I'm not familiar with "Sguil".
It does not read log files, it acts the moment the activity is happening on the port, so it is rather pro-active than re-active.
If true, then great! You solved the original poster's problem -- it can pop up a graphical UI and ask the user if the traffic is permitted if it doesn't already fall into a permitted class. That's what they wanted -- something that popped up in real time any time traffic not explicitly permitted happened. Perhaps you can instruct the original poster on how that works. Personally, I haven't seen that on Linux, but if you have a solution, great! Let's hear it. :-). linda
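The question raised above, whether a Linux box can tell you which program opened an outbound connection, has a plain answer in /proc: the kernel exposes every TCP socket with its inode, and each process's fd table names the inodes it holds, which is the data `ss -p` and `netstat -p` use. The following is an added example written for this page, not code from anyone in the thread; it assumes a Linux host with /proc mounted, handles IPv4 only, and can only attribute sockets of processes whose /proc/<pid>/fd you are allowed to read (all of them as root, your own otherwise). It is a poll over a snapshot, so it answers "what program owns this connection?" after the fact, not with a real-time prompt.

```python
"""Attribute Linux TCP sockets to their owning process by walking /proc."""
import os
import socket
import struct


def hex_to_ipv4_endpoint(hexpair):
    """Decode a /proc/net/tcp endpoint: '0100007F:0016' (little-endian hex) -> ('127.0.0.1', 22)."""
    addr, port = hexpair.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr, 16))), int(port, 16)


def socket_inode_owners():
    """Map socket inode -> (pid, comm) from every /proc/<pid>/fd we are permitted to read."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            for fd in os.listdir(f"/proc/{pid}/fd"):
                target = os.readlink(f"/proc/{pid}/fd/{fd}")
                if target.startswith("socket:["):
                    owners[target[8:-1]] = (int(pid), comm)  # strip 'socket:[' and ']'
        except OSError:  # process exited mid-walk, or belongs to another user and we are not root
            continue
    return owners


def tcp_connections():
    """List IPv4 TCP sockets as dicts; 'pid'/'comm' are None where the owner is not visible."""
    owners = socket_inode_owners()
    conns = []
    with open("/proc/net/tcp") as fh:
        next(fh)  # header line
        for line in fh:
            f = line.split()  # fields: sl local rem st tx:rx tr:when retrnsmt uid timeout inode ...
            pid, comm = owners.get(f[9], (None, None))
            conns.append({"local": hex_to_ipv4_endpoint(f[1]), "remote": hex_to_ipv4_endpoint(f[2]),
                          "state": f[3], "pid": pid, "comm": comm})
    return conns


def owner_of_local_port(port):
    """Return (pid, comm) of the process holding a socket bound to this local port, else None."""
    for c in tcp_connections():
        if c["local"][1] == port and c["pid"] is not None:
            return c["pid"], c["comm"]
    return None


def self_check():
    """Open a listening socket in this process and confirm the lookup attributes it to us."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))  # constructed test socket on an ephemeral port
    s.listen(1)
    try:
        return {"found": owner_of_local_port(s.getsockname()[1]), "own_pid": os.getpid()}
    finally:
        s.close()
```

Run `tcp_connections()` from a root shell to see every socket with its owning program; a periodic diff of that list against an allow-list of (comm, remote) pairs is the log-based, after-the-fact counterpart of the per-program prompt discussed above.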