[opensuse] Re: Interactive Firewall Needed
Rajko M. wrote:
>> To prevent applications from opening illicit outgoing connections, run it with apparmor, which is capable of preventing an application from doing just about anything that you haven't previously allowed.
> If apparmor would ask questions and provide web pages with relevant help content, like ZA, it will be possible to setup profiles even to non-expert users, but it doesn't. So, situation is that on one side there is comprehensive solution that is not used, and partial that is used.

What an application can do should be done by the programmer, not the user. The user should be made aware of that when calling the app for install. I don't see why Amarok should need absolutely network? It should only need it if it has to play files on an other computer or scan external database what is not necessary. I don't see any case where one could have to be asked at run time...

The Zonealarm feature is done to prevent apps maliciously installed to make connections, but preventing these apps to install is better

jdd
--
http://www.dodin.net
http://valerie.dodin.org
http://news.opensuse.org/2009/04/13/people-of-opensuse-jean-daniel-dodin/
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org

On Thu, 07 May 2009 09:00:52 +0200, jdd wrote:
> The Zonealarm feature is done to prevent apps maliciously installed to make connections, but preventing these apps to install is better

Sure, but a comprehensive security policy would do both - do what is reasonable to prevent the app from being installed, but if the app does somehow get installed, prevent it from talking to the outside world.

Jim
--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits

On Thursday 07 May 2009 10:58:34 am Jim Henderson wrote:
> Sure, but a comprehensive security policy would do both - do what is reasonable to prevent the app from being installed, but if the app does somehow get installed, prevent it from talking to the outside world.

In other words, multilayer security.

The ZA is actually good example, although advertised as firewall, it is more like AppArmor and Firewall with friendly face. It was long ago that I used it, but so far I recall, in last incarnation it was able to control any resource application is trying to use, including local, like libraries. Which is pretty much what AppArmor is meant to do.

That level was a pain to configure for applications that ZA wasn't preconfigured, which is specially problematic in closed source world.

--
Regards, Rajko
http://news.opensuse.org/category/people-of-opensuse/

On Thu, 07 May 2009 19:36:38 -0500, Rajko M. wrote:
> On Thursday 07 May 2009 10:58:34 am Jim Henderson wrote:
>> Sure, but a comprehensive security policy would do both - do what is reasonable to prevent the app from being installed, but if the app does somehow get installed, prevent it from talking to the outside world.
> In other words, multilayer security.

Precisely. :-)

> The ZA is actually good example, although advertised as firewall, it is more like AppArmor and Firewall with friendly face.
> It was long ago that I used it, but so far I recall, in last incarnation it was able to control any resource application is trying to use, including local, like libraries. Which is pretty much what AppArmor is meant to do.
> That level was a pain to configure for applications that ZA wasn't preconfigured, which is specially problematic in closed source world.

So perhaps a good "solution" would be further enhancement and simplification of the AppArmor administrative interfaces with an eye towards making those interfaces usable for people who don't spend their lives in front of a computer. :-)

Jim
--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits

On Thursday 07 May 2009 09:20:05 pm Jim Henderson wrote:
> So perhaps a good "solution" would be further enhancement and simplification of the AppArmor administrative interfaces with an eye towards making those interfaces usable for people who don't spend their lives in front of a computer. :-)

Exactly that.

I suppressed temptation to start commenting on AppArmor configuration module that is behind ZA approach. Once again, to see how it works, and evaluate it one has to use paid for version. The free one is not much more than firewall.

--
Regards, Rajko
http://news.opensuse.org/category/people-of-opensuse/

On Thu, 07 May 2009 22:21:59 -0500, Rajko M. wrote:
> On Thursday 07 May 2009 09:20:05 pm Jim Henderson wrote:
>> So perhaps a good "solution" would be further enhancement and simplification of the AppArmor administrative interfaces with an eye towards making those interfaces usable for people who don't spend their lives in front of a computer. :-)
> Exactly that.
> I suppressed temptation to start commenting on AppArmor configuration module that is behind ZA approach. Once again, to see how it works, and evaluate it one has to use paid for version. The free one is not much more than firewall.

Very true, and personally, I haven't looked at the paid version - the free version did enough for me.

Interestingly, I received a couple of replies off-list (perhaps the sender meant to send them on the list but didn't) suggesting that using Wireshark was trivially simple and anyone should be able to learn to use it. The individual also suggested that programs that don't do a setup as a post-installation script when the RPM is installed are developed wrong.

It seemed odd to me that

(a) the idea of using a more complex piece of software like Wireshark - which requires root privileges to do capturing - rather than a popup that says "Application FooBar wants to talk to the Internet, allow it?" was a good thing. I suppose because making a system easy to use is evil. <shrug>

I've worked with networked computers for some 20 years and have done LAN analysis with programs and products that pretty much run the gambit, and I certainly think Wireshark is the best of the best out there. But at the same time, it has taken years of working with tools like that to know without extensive research whether:

    Transmission Control Protocol, Src Port: 790 (790), Dst Port: shilp (2049), Seq: 141, Ack: 20613, Len: 0

is something I should expect or not on my network. To ask that every person who uses a computer be trained to perform network analysis of their applications "if they're really interested in security" is frankly nonsense.

(b) That rather than put technological measures in place to quarantine programs that are poorly developed, it is better to say "don't use programs that are poorly developed" and then blame the user when one of those programs does something unexpected or behaves badly. To me that seems like a really bad idea.

Jim
--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits

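The popup Jim describes can be derived from records AppArmor already writes; as an added example that is not part of the thread or of AppArmor's own tooling, this Python script turns socket-related audit records into a plain-language question plus the profile rule that would allow the request. The log lines are constructed samples in the kernel's key=value audit format, and `/usr/bin/foobar`, `/usr/bin/player` and the function names are hypothetical.

```python
import re

# Constructed sample records in the kernel's key=value audit format (not from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1241679652.101:310): apparmor="DENIED" operation="create" profile="/usr/bin/foobar" pid=4211 comm="foobar" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
type=AVC msg=audit(1241679652.340:311): apparmor="DENIED" operation="open" profile="/usr/bin/foobar" name="/etc/hosts.allow" pid=4211 comm="foobar" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1241679653.007:312): apparmor="DENIED" operation="create" profile="/usr/bin/foobar" pid=4211 comm="foobar" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
type=AVC msg=audit(1241679660.555:313): apparmor="ALLOWED" operation="create" profile="/usr/bin/player" pid=4300 comm="player" family="inet6" sock_type="dgram" protocol=17 requested_mask="create" denied_mask="create"
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
FAMILY = {"inet": "IPv4", "inet6": "IPv6"}
VERDICT = {"DENIED": "was blocked", "ALLOWED": "was only logged (complain mode)"}


def parse(line):
    """Split one audit record into a dict, unquoting quoted values."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def network_prompts(log):
    """Return one (question, profile_rule) pair per distinct socket request."""
    seen, prompts = set(), []
    for line in log.splitlines():
        rec = parse(line)
        verdict, family = rec.get("apparmor"), rec.get("family")
        if verdict not in VERDICT or family not in FAMILY:
            continue  # file access, other address families, status messages
        key = (rec.get("profile", "?"), family, rec.get("sock_type", "?"))
        if key in seen:
            continue  # ask once per application and socket kind, not once per denied call
        seen.add(key)
        profile, _, sock = key
        question = (f"Application {profile} tried to open an {FAMILY[family]} "
                    f"{sock} socket and {VERDICT[verdict]}. Allow it?")
        prompts.append((question, f"network {family} {sock},"))
    return prompts


if __name__ == "__main__":
    for question, rule in network_prompts(SAMPLE_LOG):
        print(question)
        print("  rule to add to the profile if yes:", rule)
```
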
participants (3): jdd, Jim Henderson, Rajko M.