On 3/22/06, Linda Walsh
Andre Truter wrote:
OK, Linux doesn't have things like ActiveX, and Javascript can be controlled by the different browsers themselves.
That's the point -- those technologies aren't built into the Window manager on Linux. If you ported "Explorer" to Linux, "Linux" could be infected with the same viruses as Windows. It's the desktop and the automated MS applications that allow virii in.
Nope, that is wrong. There have been people that have actively tried to install Windows viruses on Linux and the best that a virus could do on Linux was to delete a few of the user's files. It could not survive for long and it could not propagate itself. Due to the design of the system, Linux is a very unfriendly environment for a virus.
FireFox lets you enable or disable javascript and you can tell it to only allow javascript from certain sites.
FF is an agnostic technology. It functions the same on Windows as on Linux. You are making my point. Choose better applications on Windows and you'll reduce your security-liability footprint.
Yes, exactly. You said that ZoneAlarm does this, so I said that you can use FF on Linux to get the same functionality. I know FF does this on Windows too.
How does a firewall detect incoming javascript?
Many firewall products have this feature. A firewall product sits on the boundary between "out there" and your system. In order for HTTP protocol to be passed "in", it has to go through a firewall. The Firewall simply does "deep inspection". Hardware firewall products (Juniper, et al) have this feature. So do some software firewall products.
Is this not exactly what I said when I mentioned the IPCop plugin?
Ummm.. Intrusion Detection systems have nothing to do with viruses.
---- That's where you are mistaken. I listed virus in brackets because that's what a virus is -- it is an intrusion of an outside program that has been run in some "privileged" mode such that it has installed portions of itself behind for _possible_ purposes of spreading, or just "owning" the machine. Both intrusion and virus detection software look for signs of altered or corrupt software retrospectively. Good intrusion detection software looks for signatures of known root-kits and infection vectors.
No, intrusion detection systems monitor incoming traffic and react to malicious attacks on your ports. It does not check files for signatures, that is what anti-virus does and anti-rootkits. Checking the files for viruses is after the fact. An intrusion detection system prevents anything from reaching your system.
--- How many systems are "owned" linux vs. windows? I'd suggest the total is higher for windows. What's the difference in the intrusion detection you are talking about? You are referring to the singular case where someone is actually behind 1 specific attack on your system instead of it being one of a thousand automatic attack vectors. It makes much more sense for an "intruder-wanna-be" to use multiple viruses and launch 10's - 100's of thousands of automated attacks. It's not profitable to waste time attacking 1 system unless you have some specific objective. It's far easier just looking for "easy pickings" -- people who have left their doors "unlocked".
I don't really get your point here. I don't know of a single Linux system that has been infected by a virus (that the user did not install on purpose). Linux systems get "owned" by people exploiting vulnerabilities on a machine that has the vulnerable software listening on an open port. The other way is to physically gain access to the machine, or to convince the root user to install compromised software. In the last two cases you are dealing with social engineering and something like AppArmour can protect you there. In the first case, your firewall and IDS can protect you. In neither of the cases is there any use in having a system that tells you that an application tries to access the internet. If you get to that point, you are already screwed. You should use your firewall and AppArmour to make sure you don't get to that point.
---- Cement-Pro also protects your system. You encase your system in 6-feet of cement. Nothing gets in or out. What's your point?
My point is that if you are worried about a compromised application on your Linux system trying to "phone home", then set up your Linux Firewall to block outgoing traffic too.
--- Same way as on Linux -- if you download a corrupt binary, you lose. If you run a pre-built RPM or binary on Linux you can suffer the same problems as on Windows. Your linux system will be compromised faster since there are almost no linux-virus detectors for downloaded binaries (RPMs). By a feature of the RPM system -- if you install an RPM, you've already used root, so any software you've installed has complete control over your system.
That is why you have gpg signature checking built into your package managers. They act as anti-virus software. All built in.
On Linux you have tools like checkrootkit, etc that inspect every file on your system and immediately lets you know if the file was tampered with.
Is it "on-access"? I don't think so. When you install, it uses "HTTP" to go out onto the net to download instructions -- does a linux system detect what applications are accessing HTTP and to what target system? An application like ZoneAlarm will tell you in real-time -- as soon as outside communication is attempted, that program "address book" is trying to use HTTP to contact "owned-systems.ru".
But is it not too late then? That means that you have already been compromised. The idea on Linux is to prevent that situation, not sit and wait until it happens and then it can proudly inform you that you have been owned.
AppArmour is also a tool that will let you know immediately if files are accessed without permission. It prevents the access and then notifies you. So it is pro-active.
How does it detect access? Signatures? Are they checked before every execution?
You set up your AppArmour to allow a user access to certain files.
built-in to WinXP but is rarely used that way. I don't know of any Linux distro that ships with such capabilities built-in and enforced by the OS.
AFAIK, SE Linux enforces it.
Well, the idea is that the normal user should not need to worry about security. Linux has been designed in such a way that it looks after itself. You don't need to monitor the security systems.
---- That's what you want to believe -- Linux doesn't provide a real-time alarm system like zone-alarm that pops up graphically to tell the user about each network access. All it provides are log files that let you examine things after the fact. How is that more secure?
Again, you are looking at this from the wrong side. Tools like ZoneAlarm will inform you that you have already been infected, while Linux security systems prevent you from being infected in the first place. I would rather spend more time and energy on preventing being owned than being informed that I have been owned.
Perhaps you can instruct the original post on how that works. Personally, I haven't seen that on Linux, but if you have a solution, great! Let's hear it. :-).
I have provided the link, all the documentation and software is there. My point is still that people coming from a Windows background treat Linux security from the wrong end. The functionality of ZoneAlarm that the original OP wanted is useless on Linux, as it only informs you that you HAVE ALREADY been compromised. If you get to that stage, you can just as well format your disk and re-install as you are screwed. I suggest that the OP should rather look at the tools that PREVENT a system from being owned. Those tools are a firewall, IDS, AppArmour, etc. If you want to know if you have already been owned then you can use tripwire and checkrootkit. A system like ZoneAlarm will not have any effect if you have been compromised, as the attacker initiates the connection from outside and compromises an application that normally does have net access (how else will they get to the app if it is not listening on a socket). These are applications like sendmail, telnet, apache, ssh, etc. So, let's look at a situation: You have your Linux system with the newly ported ZoneAlarm running, and it tells you that sendmail wants to access the net. So you say OK, as you want your mail to be sent. Now the attacker compromises sendmail and they are happily using sendmail to do all kinds of nasty stuff. How will ZoneAlarm protect you? Sendmail is supposed to access the net. See my point? You should catch the guy before he gets to sendmail and that is what a firewall and IDS are for.

--
Andre Truter | Software Engineer | Registered Linux user #185282
ICQ #40935899 | AIM: trusoftzaf | http://www.trusoft.co.za
~ A dinosaur is a salamander designed to Mil Spec ~
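The thread repeatedly contrasts preventive controls (firewall, IDS, AppArmour) with after-the-fact detectors such as tripwire and checkrootkit that "inspect every file on your system and immediately let you know if the file was tampered with". The following is an added illustration of what that second class of tool actually does at its core; it is not code from the thread, from tripwire, or from chkrootkit. It takes a baseline of SHA-256 hashes, sizes and modes for a directory tree, then compares the live tree against that stored baseline and reports changed, added and removed files. The directory layout, file contents and the tampering in `demo()` are all constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, Dict[str, object]]:
    """Record hash, size and permission bits for every regular file under root.
    Keys are paths relative to root, so the baseline does not depend on where
    the tree is mounted. Symlinks are skipped: their targets are hashed in place."""
    baseline: Dict[str, Dict[str, object]] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def verify(root: Path, baseline: Dict[str, Dict[str, object]]) -> Dict[str, List[str]]:
    """Compare the live tree under root against a stored baseline.
    Any difference in hash, size or mode counts as 'changed'."""
    current = build_baseline(root)
    changed = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"changed": changed, "added": added, "removed": removed}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a baseline of a small fake tree, then modify
    one file, delete one and add one, and ask verify() to report all three."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"placeholder-binary-ls")
        (root / "bin" / "ps").write_bytes(b"placeholder-binary-ps")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")

        baseline = build_baseline(root)
        # In a real deployment the baseline lives somewhere the monitored host
        # cannot rewrite (read-only media or another machine); here it is only
        # serialised and re-read to show the on-disk format survives a round trip.
        stored = json.dumps(baseline, indent=1)

        # Simulated tampering after the baseline was taken.
        (root / "bin" / "ps").write_bytes(b"placeholder-binary-ps-modified")
        (root / "bin" / "ls").unlink()
        (root / "etc" / "unexpected.conf").write_text("added after baseline\n")

        return verify(root, json.loads(stored))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

This is exactly the "after the fact" check Andre describes: it can only tell you that `bin/ps` no longer matches, not stop the change from happening, and it is only trustworthy if the baseline (and the checker itself) were taken before compromise and kept where a compromised root cannot rewrite them.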