[opensuse] Re: Interactive Firewall Needed
Jim Henderson wrote:
True, which is why she also uses up-to-date virus protection as well.
if so, no firewall needed
*this* is the problem: how can one know an application is clean?
Such a firewall application could use checksums on the application as a way of monitoring if the application that was approved has been modified in some way. I think (but don't know for sure) that this is what ZoneAlarm does.
needs the original md5sum, never seen that on Windows

See. The Linux way of life is to go root when one needs to do something like protecting the computer. You get a chance to remember root is God :-)

The Vista way of life is to ask at every moment "may I do", to let small windows on the desktop say "I blocked this" when you know this should not be blocked... and I only summarize.

Why this? Because most Windows 2000 and many XP users always run root accounts (or make new accounts root), and this because many old (and new?) applications can't run without writing in the program install folder, so Windows users used to be root. On Vista, you can't be root (or nearly)!! but you can make root decisions all the time, even in a hurry, when you have no time to think (or are too tired to do).

I pray each day for the KDE4 devs not to do the same thing :-(((

apparmor, on the contrary, seems to do the same job but never asks...

jdd
--
http://www.dodin.net
http://valerie.dodin.org
http://news.opensuse.org/2009/04/13/people-of-opensuse-jean-daniel-dodin/
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Wednesday, 2009-05-06 at 20:03 +0200, jdd wrote:
apparmor, in the contrary, seems to do the same job but never ask...
No, its job is different. It allows an application access to a certain resource - the resource being a file, AFAIK. If the resource is not listed, access is rejected. This is different from the firewall, which has no knowledge of applications.

The configuration of apparmor has gotten quite complex nowadays, by the way. More complex than the firewall, I think.

--
Cheers,
Carlos E. R.
On Wed, 06 May 2009 20:03:00 +0200, jdd wrote:
Jim Henderson wrote:
True, which is why she also uses up-to-date virus protection as well.
if so, no firewall needed
Viruses aren't the only way of compromising a system.
*this* is the problem: how can one know an application is clean?
Such a firewall application could use checksums on the application as a way of monitoring if the application that was approved has been modified in some way. I think (but don't know for sure) that this is what ZoneAlarm does.
needs the original md5sum, never seen that on Windows
What? Pardon me for being brusque, but that's nonsense. etree.org IIRC offers an md5sum implementation that runs on Windows that is compatible with the Linux md5sum program. But md5sum isn't the only way to do checksums, either - there are plenty of algorithms to do this, and it can be implemented as part of an application. Besides, I thought we were talking about Linux, not Windows.
See. The Linux way of life is to go root when one needs to do something like protecting the computer. You get a chance to remember root is God :-)
Yeah, and which is the more critical part of an OS installation, the actual OS installation, or the data that a user stores under their own username? Reinstalling the OS takes, what, 45 minutes? Recovering lost data because of a rogue app can take much longer, especially on personal home systems because most users don't do backups of their data on their home machines. Yes, they should, but that's not really the point.

Jim
--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
On Wednesday, 2009-05-06 at 19:11 -0000, Jim Henderson wrote:
needs the original md5sum, never seen that on Windows
What? Pardon me for being brusque, but that's nonsense.
etree.org IIRC offers an md5sum implementation that runs on Windows that is compatible with the Linux md5sum program.
I think jdd may refer to the checksum that the rpm database keeps and which can be used to learn if a file has been changed since installed. However, if you want to use checksums for security checking, you have to store them in external, RO media, and use a live CD to do the checking, not the system which is being audited.

--
Cheers,
Carlos E. R.
On Wed, 06 May 2009 21:44:16 +0200, Carlos E. R. wrote:
I think jdd may refer to the checksum that the rpm database keeps and which can be used to learn if a file has been changed since installed. However, if you want to use checksums for security checking, you have to store them in external, RO media, and use a live CD to do the checking, not the system which is being audited.
Perhaps, I don't know if the rpm database uses md5sum or not, but even if it does, the md5sum algorithm is well known and could be implemented into the piece of software that's checking. Of course that also assumes that all executables are accounted for in the rpm database. So on my system, blender would be, but wings3d wouldn't be.

It seems a better strategy to do a checksum the first time the protection software (I won't call it 'firewall' since that seems to be confusing some people) sees a program run, ask if the program should be allowed to do what it wants, and save that result until (and unless) the checksum changes.

Jim
--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
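The "checksum it the first time, ask, and remember the answer until the checksum changes" scheme proposed in the post above, written out as an added example. This is not code from the thread or from ZoneAlarm; the file locations, the JSON store layout and the `ask` callback are assumptions made for illustration, and SHA-256 stands in for the md5sum the thread mentions.

```python
"""Added example, not code from the thread or from ZoneAlarm: an approval
store that remembers a per-binary decision until the binary's checksum
changes. Store layout and file locations are assumptions."""
import hashlib
import json
import os
import tempfile
from typing import Callable, Dict, List, Tuple


def fingerprint(path: str) -> str:
    """SHA-256 of the file's bytes. The thread talks about md5sum; SHA-256
    is used here because MD5 collisions are practical, so two different
    binaries could otherwise share one "approved" checksum."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class ApprovalStore:
    """Maps an executable path to (checksum, decision). A cached decision
    is honoured only while the checksum still matches."""

    def __init__(self, store_path: str):
        self.store_path = store_path
        self.decisions: Dict[str, Dict[str, str]] = {}
        if os.path.exists(store_path):
            with open(store_path) as f:
                self.decisions = json.load(f)

    def _save(self) -> None:
        with open(self.store_path, "w") as f:
            json.dump(self.decisions, f)

    def check(self, exe_path: str, ask: Callable[[str], bool]) -> Tuple[str, bool]:
        """Return (decision, prompted). `ask` is called, and its answer
        remembered, only when the binary is unknown or its content changed
        since the stored decision was made."""
        digest = fingerprint(exe_path)
        rec = self.decisions.get(exe_path)
        if rec is not None and rec["sha256"] == digest:
            return rec["decision"], False          # cached, no prompt
        decision = "allow" if ask(exe_path) else "deny"
        self.decisions[exe_path] = {"sha256": digest, "decision": decision}
        self._save()
        return decision, True


def demo() -> List[Tuple[str, bool]]:
    """Constructed scenario: approve a fake binary, see the decision cached,
    then modify the binary and see the prompt come back."""
    workdir = tempfile.mkdtemp()
    exe = os.path.join(workdir, "fake-app")          # constructed sample binary
    with open(exe, "wb") as f:
        f.write(b"#!/bin/sh\necho hello\n")
    store = ApprovalStore(os.path.join(workdir, "approvals.json"))
    always_allow = lambda p: True
    results = [store.check(exe, always_allow)]        # first run: prompt
    results.append(store.check(exe, always_allow))    # same bytes: cached
    with open(exe, "ab") as f:
        f.write(b"echo changed\n")                    # binary modified
    results.append(store.check(exe, lambda p: False)) # prompt again, deny
    return results


if __name__ == "__main__":
    for decision, prompted in demo():
        print(decision, "prompted" if prompted else "cached")
```

The weak spot is the one Carlos raises later in the thread: the decision file and the checking program live on the same system as the application being judged, so anything that can alter the binary can usually alter `approvals.json` too. Keeping the store on read-only media, or checking from a separate boot, is what closes that gap.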
On Wednesday, 2009-05-06 at 20:02 -0000, Jim Henderson wrote:
On Wed, 06 May 2009 21:44:16 +0200, Carlos E. R. wrote:
I think jdd may refer to the checksum that the rpm database keeps and which can be used to learn if a file has been changed since installed. However, if you want to use checksums for security checking, you have to store them in external, RO media, and use a live CD to do the checking, not the system which is being audited.
Perhaps, I don't know if the rpm database uses md5sum or not,
It does.
but even if it does, the md5sum algorithm is well known and could be implemented into the piece of software that's checking.
Of course that also assumes that all executables are accounted for in the rpm database.
They are. All files, executables or not. Have a look at man rpm, "verify-options".

--
Cheers,
Carlos E. R.
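As an added illustration of the `rpm -V` check Carlos points to (example code, not from the thread or from rpm itself): a parser for the verify output that picks out files whose stored digest no longer matches. The report below is constructed sample text, not output captured from any real system, and the flag-column layout follows the rpm manual page.

```python
"""Added example, not from the thread: a small parser for `rpm -V` output
that flags files whose content digest differs from the rpm database.
SAMPLE_REPORT is constructed sample text."""
import re
from typing import Dict, List, Optional

# rpm -V prints one line per differing file: a flag string ("." = test
# passed, "?" = not testable) with columns S size, M mode, 5 digest,
# D device, L symlink, U user, G group, T mtime, P capabilities (the P
# column is absent on older rpm versions, so 8 or 9 chars are accepted),
# then an optional file type (c config, d doc, g ghost, l license,
# r readme) and the path. Absent files print "missing" instead of flags.
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<type>[cdglr])\s+)?(?P<path>/.*)$"
)
MISSING_RE = re.compile(r"^missing\s+(?:(?P<type>[cdglr])\s+)?(?P<path>/.*)$")

# Constructed sample of what `rpm -Va > report.txt` might contain.
SAMPLE_REPORT = "\n".join([
    "..5....T.    /usr/bin/ssh",
    "S.5....T.  c /etc/ssh/sshd_config",
    ".M.......    /usr/lib/libfoo.so.1",
    "missing     d /usr/share/doc/packages/foo/README",
    ".......T.    /usr/bin/ls",
])


def parse_rpm_verify(text: str) -> List[Dict]:
    """Turn verify output into records; unrelated lines are ignored."""
    records = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            records.append({"path": m.group("path"), "type": m.group("type"),
                            "flags": m.group("flags"), "missing": False})
            continue
        m = MISSING_RE.match(line)
        if m:
            records.append({"path": m.group("path"), "type": m.group("type"),
                            "flags": "", "missing": True})
    return records


def digest_changed(records: List[Dict], ignore_types=("c",)) -> List[str]:
    """Paths whose content digest differs from the database. Config files
    ('c') are skipped by default because editing them is expected; a
    changed digest on a plain binary is the interesting case."""
    return [r["path"] for r in records
            if not r["missing"] and r["flags"][2] == "5"
            and r["type"] not in ignore_types]


def missing_files(records: List[Dict]) -> List[str]:
    return [r["path"] for r in records if r["missing"]]


if __name__ == "__main__":
    recs = parse_rpm_verify(SAMPLE_REPORT)
    print("digest changed:", digest_changed(recs))
    print("missing:", missing_files(recs))
```

The output is only as trustworthy as the rpm database and the rpm binary that produced it, which is why the earlier post recommends running the comparison from a live CD against checksums kept on read-only media rather than on the system being audited.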
On Wednesday 06 May 2009 21:11:02 Jim Henderson wrote:
Yeah, and which is the more critical part of an OS installation, the actual OS installation, or the data that a user stores under their own username?
Reinstalling the OS takes, what, 45 minutes? Recovering lost data because of a rogue app can take much longer, especially on personal home systems because most users don't do backups of their data on their home machines. Yes, they should, but that's not really the point.
ZoneAlarm's big idea is to protect against outgoing connections. In other words, when it steps in with its "unique" features, it's already too late.

To prevent applications from opening illicit outgoing connections, run it with apparmor, which is capable of preventing an application from doing just about anything that you haven't previously allowed.

The normal iptables based firewall is enough to protect against incoming connections.

Anders
On Wed, 06 May 2009 21:46:54 +0200, Anders Johansson wrote:
On Wednesday 06 May 2009 21:11:02 Jim Henderson wrote:
Yeah, and which is the more critical part of an OS installation, the actual OS installation, or the data that a user stores under their own username?
Reinstalling the OS takes, what, 45 minutes? Recovering lost data because of a rogue app can take much longer, especially on personal home systems because most users don't do backups of their data on their home machines. Yes, they should, but that's not really the point.
ZoneAlarm's big idea is to protect against outgoing connections. In other words, when it steps in with its "unique" features, it's already too late.
I disagree. How many times have you (not you, Anders, but "you" in the general sense) installed a program and not known every time it opens an outbound connection? Would you expect, say, Inkscape, to need a network connection for anything?
To prevent applications from opening illicit outgoing connections, run it with apparmor, which is capable of preventing an application from doing just about anything that you haven't previously allowed.
Hands up, all the "normal users" (not the experts in system configuration) who understand how to configure AppArmor. :-) (FWIW, AppArmor configuration is part of Novell's Certified Linux Engineer certification - the final certification in SUSE Linux certifications - considered a highly advanced topic).
The normal iptables based firewall is enough to protect against incoming connections.
Sure. That doesn't mean you can't protect against outgoing connections as well.

Jim
--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
On Wednesday 06 May 2009 21:59:50 Jim Henderson wrote:
I disagree. How many times have you (not you, Anders, but "you" in the general sense) installed a program and not known every time it opens an outbound connection?
Would you expect, say, Inkscape, to need a network connection for anything?
I'm not big on graphics applications, so I don't really know what inkscape needs. But if you're that worried, simply block everything and let all valid connections complain until you manually let it through a socks proxy
To prevent applications from opening illicit outgoing connections, run it with apparmor, which is capable of preventing an application from doing just about anything that you haven't previously allowed.
Hands up, all the "normal users" (not the experts in system configuration) who understand how to configure AppArmor. :-)
(FWIW, AppArmor configuration is part of Novell's Certified Linux Engineer certification - the final certification in SUSE Linux certifications - considered a highly advanced topic).
..or you could just start the yast module and let it do the work for you. Selecting OK to everything except the socket_* functions for an application that shouldn't do any networking (though you probably want to be careful with applications that use tcp networking to communicate with something else on localhost). But if you filter on type="inet" you won't block things like accessing the local X server :)
The normal iptables based firewall is enough to protect against incoming connections.
Sure. That doesn't mean you can't protect against outgoing connections as well.
No, but if you're doing that, you have to ask yourself "what am I not protecting against?" It seems to me that establishing an outgoing connection is among the least harmful things a rogue application could do.

Anders
On Wed, 06 May 2009 22:20:15 +0200, Anders Johansson wrote:
On Wednesday 06 May 2009 21:59:50 Jim Henderson wrote:
I disagree. How many times have you (not you, Anders, but "you" in the general sense) installed a program and not known every time it opens an outbound connection?
Would you expect, say, Inkscape, to need a network connection for anything?
I'm not big on graphics applications, so I don't really know what inkscape needs. But if you're that worried, simply block everything and let all valid connections complain until you manually let it through a socks proxy
That's kinda my point. You don't know what Inkscape needs - it actually does have a "whiteboarding" capability that uses a network connection. Maybe it starts up when you start the app, maybe not. I don't know.
To prevent applications from opening illicit outgoing connections, run it with apparmor, which is capable of preventing an application from doing just about anything that you haven't previously allowed.
Hands up, all the "normal users" (not the experts in system configuration) who understand how to configure AppArmor. :-)
(FWIW, AppArmor configuration is part of Novell's Certified Linux Engineer certification - the final certification in SUSE Linux certifications - considered a highly advanced topic).
..or you could just start the yast module and let it do the work for you. Selecting OK to everything except the socket_* functions for an application that shouldn't do any networking (though you probably want to be careful with applications that use tcp networking to communicate with something else on localhost). But if you filter on type="inet" you won't block things like accessing the local X server :)
So again, hands up all "normal" users who know that this is the way to configure AppArmor. Or who understood what Anders said here. ;-)

It's not about catering to a technical audience, it's about catering to an audience who uses computers as a tool rather than as a way of life. I understand what you're saying, you understand what you're saying. My mother - a normal computer user who uses her PC to design greeting cards, send e-mail, and work on patterns for her sewing - would have no idea what you mean by this.
The normal iptables based firewall is enough to protect against incoming connections.
Sure. That doesn't mean you can't protect against outgoing connections as well.
No, but if you're doing that, you have to ask yourself "what am I not protecting against?" It seems to me that establishing an outgoing connection is among the least harmful things a rogue application could do.
And yet it's one of the more popular avenues to compromise a system - trick the user into running something they didn't mean to and then connect outbound. Why? Because it's something a lot of systems don't protect against.

Jim
--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
On Wednesday 06 May 2009 22:28:43 Jim Henderson wrote:
And yet it's one of the more popular avenues to compromise a system - trick the user into running something they didn't mean to and then connect outbound. Why? Because it's something a lot of systems don't protect against.
You managed to miss my point. If you're running a rogue application, an outbound connection should be the least of your worries. What local root/Administrator exploits do we not know about yet? What happened to that critical presentation you were going to deliver to a customer at 7am tomorrow?

And as for the pseudo-security presented by ZoneAlarm, the "security by popup" scheme simply does not work. Microsoft tried it in Vista, and people forced them to stop. The immediate and instantaneous reaction to a popup, any popup, regardless of circumstance, from a "normal" user is to click OK. I have seen it even from relatively experienced users. Error popups, warnings, whatever - it's gone a tenth of a second after it's appeared. The first ten times they might be OK with clicking "Yes, I accept" when the web browser or email client wants to connect. After this, they either click by rote, or simply select "always allow this application". And guess what? No more security, no more blocking of outgoing connections, the rogue app has a path to the outside world.

It's better to design for security correctly in the first place. Part of this is not running applications from untrusted sources, and part is to have a good security infrastructure - and in this, things like ZoneAlarm have no place at all.

Anders
On Wed, 06 May 2009 22:38:14 +0200, Anders Johansson wrote:
On Wednesday 06 May 2009 22:28:43 Jim Henderson wrote:
And yet it's one of the more popular avenues to compromise a system - trick the user into running something they didn't mean to and then connect outbound. Why? Because it's something a lot of systems don't protect against.
You managed to miss my point. If you're running a rogue application, an outbound connection should be the least of your worries.
Sure, it's not the only problem, but again, if your machine is being controlled for purposes of spamming the world, I would think that something that's in place to prevent that from taking place would be a good thing.
What local root/Administrator exploits do we not know about yet? What happened to that critical presentation you were going to deliver to a customer at 7am tomorrow?
We're not talking about local exploits, though. Changing the subject midstream distracts from the discussion itself.
And as for the pseudo-security presented by ZoneAlarm, the "security by popup" scheme simply does not work. Microsoft tried it in Vista, and people forced them to stop. The immediate and instantaneous reaction to a popup, any popup, regardless of circumstance, from a "normal" user is to click OK. I have seen it even from relatively experienced users. Error popups, warnings, whatever - it's gone a tenth of a second after it's appeared.
Depends on the user. I've seen normal users who use it who do question it every time it comes up because they do want to be protected.
It's better to design for security correctly in the first place. Part of this is not running applications from untrusted sources, and part is to have a good security infrastructure - and in this, things like ZoneAlarm have no place at all.
It's a combination of technological measures and educational measures for the users. ZA provides a technological measure that does have a positive effect - many people voluntarily run it because they recognise they need to protect themselves. Some of those people even pay for it. That's a difference between ZA and UAC - UAC wasn't really a user choice, it was forced on the users. Give the users a choice on methods to protect themselves, though, and they do take it. Well some do, and those who don't there's no change with.

Jim
--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
On Wednesday 06 May 2009 22:46:44 Jim Henderson wrote:
You managed to miss my point. If you're running a rogue application, an outbound connection should be the least of your worries.
Sure, it's not the only problem, but again, if your machine is being controlled for purposes of spamming the world, I would think that something that's in place to prevent that from taking place would be a good thing.
What local root/Administrator exploits do we not know about yet? What happened to that critical presentation you were going to deliver to a customer at 7am tomorrow?
We're not talking about local exploits, though. Changing the subject midstream distracts from the discussion itself.
The topic is security. This whole discussion is a little akin to sending a serial killer out on the streets with the proviso that he's not allowed to use a crossbow. "Nobody is talking about killing people with guns! Look, he can't use a crossbow!" The (apparently not so obvious) point is that once you have a local exploit, you also have the means to bypass, or completely remove, your ZoneAlarm.
Depends on the user. I've seen normal users who use it who do question it every time it comes up because they do want to be protected.
I've seen it often enough. Even the most arduous user will give up after 100 clicks and allow full access to their email program (for example).
It's a combination of technological measures and educational measures for the users. ZA provides a technological measure that does have a positive effect - many people voluntarily run it because they recognise they need to protect themselves. Some of those people even pay for it.
No, they run it because they believe the advertising (including free ads, like this thread) and think it makes them safe.
That's a difference between ZA and UAC - UAC wasn't really a user choice, it was forced on the users.
Give the users a choice on methods to protect themselves, though, and they do take it. Well some do, and those who don't there's no change with.
Sure, and some people try to cure serious diseases with homeopathic medicine. It still doesn't mean it works.

Anders
On Wed, 06 May 2009 23:17:22 +0200, Anders Johansson wrote:
On Wednesday 06 May 2009 22:46:44 Jim Henderson wrote:
We're not talking about local exploits, though. Changing the subject midstream distracts from the discussion itself.
The topic is security. This whole discussion is a little akin to sending a serial killer out on the streets with the proviso that he's not allowed to use a crossbow.
The topic is limiting inbound/outbound connections as an element of security.
The (apparently not so obvious) point is that once you have a local exploit, you also have the means to bypass, or completely remove, your ZoneAlarm.
I've not seen any such exploit. Got a reference?
Depends on the user. I've seen normal users who use it who do question it every time it comes up because they do want to be protected.
I've seen it often enough. Even the most arduous user will give up after 100 clicks and allow full access to their email program (for example).
And I've seen enough users who do exactly what they're told. It's not reasonable to characterize all users as not doing it (or doing it, for that matter) just based on a limited sampling of all users.
It's a combination of technological measures and educational measures for the users. ZA provides a technological measure that does have a positive effect - many people voluntarily run it because they recognise they need to protect themselves. Some of those people even pay for it.
No, they run it because they believe the advertising (including free ads, like this thread) and think it makes them safe.
And for many of those users, they do. Got a reference for a ZA-based exploit?
That's a difference between ZA and UAC - UAC wasn't really a user choice, it was forced on the users.
Give the users a choice on methods to protect themselves, though, and they do take it. Well some do, and those who don't there's no change with.
Sure, and some people try to cure serious diseases with homeopathic medicine. It still doesn't mean it works.
And some people apply homeopathic remedies as part of their daily living, along with eating a balanced diet, exercising, and getting enough sleep at night - and many of those people don't get sick. I agree, applying a "homeopathic remedy" (ie, a single point solution) to "cancer" (malware) doesn't solve the problem. You need a comprehensive strategy. I have not ever advocated this as the "killer solution" that eliminates the need for other forms of protection. Come to that, I didn't even propose the idea in the first place. :-)

Jim
--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
On Wednesday, 2009-05-06 at 22:20 +0200, Anders Johansson wrote:
(FWIW, AppArmor configuration is part of Novell's Certified Linux Engineer certification - the final certification in SUSE Linux certifications - considered a highly advanced topic).
..or you could just start the yast module and let it do the work for you. Selecting OK to everything except the socket_* functions for an application that shouldn't do any networking (though you probably want to be careful with applications that use tcp networking to communicate with something else on localhost). But if you filter on type="inet" you won't block things like accessing the local X server :)
A year or two ago I thought I understood how to configure apparmor using Yast, but not nowadays, it is quite obscure. Even the wizard, it asks questions and there is little or no explanation in its online help.

--
Cheers,
Carlos E. R.
On Wednesday 06 May 2009 02:46:54 pm Anders Johansson wrote:
On Wednesday 06 May 2009 21:11:02 Jim Henderson wrote:
Yeah, and which is the more critical part of an OS installation, the actual OS installation, or the data that a user stores under their own username?
Reinstalling the OS takes, what, 45 minutes? Recovering lost data because of a rogue app can take much longer, especially on personal home systems because most users don't do backups of their data on their home machines. Yes, they should, but that's not really the point.
ZoneAlarm's big idea is to protect against outgoing connections. In other words, when it steps in with its "unique" features, it's already too late
This particular program, in the last incarnation that I used, is a very good supplement to computer security, but not an all-in-one solution. It prevents incoming connections like a firewall, but also outgoing connections, which other parts of the system don't control. To detect rogue applications you have to use other programs, and to prevent them from doing what they should not, there are access permissions, like in Linux. Although they are not very often used, as the setup equals AppArmor setup.
To prevent applications from opening illicit outgoing connections, run it with apparmor, which is capable of preventing an application from doing just about anything that you haven't previously allowed.
If apparmor asked questions and provided web pages with relevant help content, like ZA, it would be possible to set up profiles even for non-expert users, but it doesn't. So, the situation is that on one side there is a comprehensive solution that is not used, and on the other a partial one that is used. Which one is better for computer security?

BTW, I just looked in the AppArmor Control Center. What kind of control center is that? Enable, and 2 fields, where only one can be guessed what it does? Abort, to prevent problems.

--
Regards,
Rajko
http://news.opensuse.org/category/people-of-opensuse/
participants (5)
- Anders Johansson
- Carlos E. R.
- jdd
- Jim Henderson
- Rajko M.