On 3/21/06, Linda Walsh
> It isn't about the relative strengths of security but about real-time interactivity. Linux is poor in real-time, interactive controls and monitoring.
I disagree. If you tail the log file, you can immediately see what is going on in real time. What I would agree to is that I don't know of any graphical tools that will show this information to you. What would be handy is a tool that parses the log file or listens for notifications and then shows important messages in a display. It should also filter the messages so that you don't get flooded with messages. This is something that can be done relatively easily, but I think the main reason why it has not been done is that the focus of Linux security has been mainly server based, due to the design of the system.
> I find the discussion about how the user should or shouldn't be doing things amusing -- i.e. "Dear ex-windows user: um, we don't have the features and abilities you want, so we want to educate you on what you think you should want and give you lots of reasons why what you want doesn't really protect you (which is what we wanted to tell you what you really wanted)." Bleh!
I think you are misunderstanding the thread (or at least my part of the thread). It is not about telling the user that Linux lacks the features, etc.; it is about getting the user to focus on the right place. It has no value creating tools that make Linux act like Windows if it is misleading the user in the process. The problem is that the bigger threat on a Linux system is not viruses and spyware trying to get outside access, but crackers trying to get access from outside. So, what is the use of giving a user a nice app that acts like a Windows tool, reporting all outgoing attempts, when by doing so the newbie is focusing on non-existent viruses while he/she never realises that they are being hacked to pieces? I suggest rather educating the user to understand the differences in security issues and introducing the user to the appropriate tools, rather than giving the user a false sense of security. [...]
> Some claim it would be "possible to provide the same functionality in *nix". I challenge you to do so with the same constraints on ease of install and control for whatever user is using the desktop. It won't be easy:
> You will have to:
> 1) identify what process is attempting unauthorized access. (remember, the process may be owned by any user -- not just the "logged in user).
Yes, with netstat and ps you can determine which process is using a port and who owns the process.
> 2) display a high priority popup on the ... well...who? The primary console user's terminal? What if someone is running "Citrix" or logged in via Terminal Services? Who gets the message? In Windows, it is the console user.
Well, the user that has the monitoring tool running. On a server system it would be the Sys Admin and on a normal desktop it would be the owner of the system. [...] (snipped rest to make mail shorter)

The rest of the comments are mixing single-user scenarios with a server scenario, and they assume that it is important to know who and what is trying to make outbound connections. First, we need to look at single user/server scenarios.

Single user scenario: let's say we do think it is important to monitor outgoing connections; then it would only make sense to show each user his/her own connection attempts (applications run by the user that try to establish an outside connection). If you start to look at system processes that initiate access then you move into the server arena. If you run a firewall/gateway/proxy, then you normally don't have a person sitting there authorising access by clicking yes/no on pop-ups. Does a Windows based firewall/gateway do this? I can just imagine the poor firewall administrator at Microsoft having to authorise each user's attempts to access the web or send mail. Imagine how slow the internet access would be.

Now, if you look at your server, you configure your firewalls, proxies, etc. to allow certain types of access (inside or out). You should in any case not have normal users working on a firewall. [...]
> as part of making the *nix system responsive and robust. You can't provide something as convenient as "ZoneAlarm" on Linux without _a lot_ of work and a violation of the *nix system design.
The question is: Why do you want the "ZoneAlarm" functionality on a Linux system? Your problem is not applications trying to access the internet from inside. Your focus areas are access attempts from outside (firewall handles that) and someone breaking into your system and installing a rootkit (firewall, intrusion detection and checkrootkit). If someone installed a rootkit, then a 'ZoneAlarm' clone will not help much, as you can tunnel over port 80 or something. If someone managed to get the level of access to your system to install a rootkit, then they can do basically anything on your system and you are screwed. So, the first line of defence is a firewall blocking unauthorised access. The second line of defence is intrusion detection, like snort. Then, you can also check for rootkits and unexpected changes in files.
> If you create the support structure necessary to support such "automation", including the ability to click on mail attachments like ".pdf" and have them auto-open acrobat, you create the same opportunity for "holes" in *nix as in WinNT bases systems. Do you need more examples?
No, not exactly true. First, a pdf document (or any attachment) will not be executed, so how can it compromise your system? The only way is if there is a vulnerability in acrobat reader or the application you use to open the file with. You cannot 'fool' a *nix system into executing something or opening it with the wrong application by changing the extension, because it looks at the contents of a file to determine its type, and the file has to have the executable bit set. Then, if you do manage to get something to execute, it can only do damage to the extent of the privileges of the user running it, which should not allow it to install anything or damage the system; otherwise something is wrong with the user's privileges.
> Note -- manual, human-based *logfile review* is _unacceptable_. It is _reactive_, time consuming and error prone. In the one-hour between being mailed "logs", a well qualified hacker could be in, plant a trojan and clean up the logs to remove a trace of their being there. If you have to sleep or go on a vacation for any number of days, you have even less responsiveness to intrusions.
If you want an interactive view of what is going on with your network traffic, you can use ethereal to see in real time exactly what traffic is going where. There are some other tools available to give you an interactive view of your network activity, but the problem is that you cannot sit and watch all the traffic activity and expect to pick it up when someone tries to attack you. You need intrusion detection software like snort to highlight possible attacks. Look at a tool like sguil (http://sguil.sourceforge.net/); it is a graphical user interface to snort and other tools. It gives a real-time view of possible issues. I actually just stumbled onto sguil, but I think it might be exactly the tool that you need. It is in my opinion the 'ZoneAlarm' for *nix.

PS: I found another GUI: Razorback (http://www.intersectalliance.com/projects/RazorBack/)

--
Andre Truter | Software Engineer | Registered Linux user #185282
ICQ #40935899 | AIM: trusoftzaf | http://www.trusoft.co.za
~ A dinosaur is a salamander designed to Mil Spec ~
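The kind of log-watching tool sketched earlier in this reply (parse the log, keep only the important messages, and collapse repeats so the console is not flooded) as an added example; it is not code from the thread or from any tool named in it, and the syslog-style lines and IP addresses it runs over are constructed samples, not real logs.

```python
import re
from collections import Counter

# Constructed sample syslog-style lines (not captured from any real system).
SAMPLE_LOG = """\
Mar 21 10:00:01 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22
Mar 21 10:00:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Mar 21 10:00:03 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
Mar 21 10:00:04 host cron[222]: (root) CMD (run-parts /etc/cron.hourly)
Mar 21 10:00:05 host sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
Mar 21 10:00:06 host sshd[1236]: Accepted password for andre from 192.0.2.20 port 40000 ssh2
Mar 21 10:00:07 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=23
"""

# Patterns worth surfacing to whoever is watching the console; anything else stays in the file.
INTERESTING = [
    ("ssh_failed_login", re.compile(r"sshd\[\d+\]: Failed password .* from (?P<src>\S+)")),
    ("ssh_login", re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")),
    ("fw_drop", re.compile(r"kernel: .*SRC=(?P<src>\S+) .*DPT=(?P<dport>\d+)")),
]

def classify(line):
    """Return (event_name, source_address) for a line that matters, else None."""
    for name, rx in INTERESTING:
        m = rx.search(line)
        if m:
            return name, m.group("src")
    return None

def digest(log_text, threshold=3):
    """Collapse a stream of log lines into a short list of alerts.

    Repeated events from one source are counted instead of shown one by one, so the
    display is not flooded; a count at or above `threshold` is marked 'repeated' so
    a brute-force pattern stands out from a single mistyped password.
    """
    counts = Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            counts[hit] += 1
    alerts = []
    for (name, src), n in sorted(counts.items()):
        level = "repeated" if n >= threshold else "single"
        alerts.append({"event": name, "src": src, "count": n, "level": level})
    return alerts

if __name__ == "__main__":
    for a in digest(SAMPLE_LOG):
        print(f"[{a['level']}] {a['event']} from {a['src']} x{a['count']}")
```

Feeding it `tail -f` output line by line instead of a fixed string is the only change needed to make it a live monitor.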