Mailinglist Archive: opensuse-bugs (3543 mails)

[Bug 717152] New: Re Evaluate the Effectiveness of Yast Firewall Front End and its Application
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Sun, 11 Sep 2011 01:35:38 +0000
  • Message-id: <bug-717152-21960@http.bugzilla.novell.com/>

https://bugzilla.novell.com/show_bug.cgi?id=717152

https://bugzilla.novell.com/show_bug.cgi?id=717152#c0


Summary: Re Evaluate the Effectiveness of Yast Firewall Front End and its Application
Classification: openSUSE
Product: openSUSE 12.1
Version: Factory
Platform: All
OS/Version: SuSE Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Security
AssignedTo: security-team@xxxxxxx
ReportedBy: scott@xxxxxxxxxxx
QAContact: qa@xxxxxxx
Found By: ---
Blocker: ---


User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1

In planning for 12.1 I would like to see a huge focus devoted to PC security.

The methodology of having an External and Internal Zone needs to stop!

The current Firewall offers a simple SPI interface from the iptables in the
kernel. For any real protection from our Firewall we really need to have a
comms input into a PC designated as the External Zone, and then the comms
emerge from the same PC in the Internal Zone.

In ALL my years on site observing what is being put in place, NO one but no one
wants to waste the resources of a PC to implement the external input to the
Internal output. If a site has its own web server this convention is used, but
no one really wants to host their own domain - it is all too easy to have an
external company host both the DNS and content of their site - it's far, far, far
cheaper to do this than go it alone.

The only valid way I can think of to have an External/Internal zone would be to
maintain the External input of TCP/IP but with the output being IPX/SPX and/or
other protocol stacks. This would require a large amount of processing to
convert the protocols, but it is the only real application of External/Internal
Zones, in my opinion.

This External/Internal Model *we* have been using for years, in reflection, was
a very bad Model and is being dumped as we speak. We also need to provide more
Firewall Security as well as not requiring an internal/external zone.

In Australia even moderate size LANs use 1 or 2 IPs inbound then NAT'd to
perhaps up to 50-75 PCs. It's just the way we do it. Home users, who are a huge
target for the open product, will always use the same NAT'd IP for 2 or 4 PCs
in the home. It is rare to find ANYONE that uses public IPs, let alone
External/Internal zone Models.

The role of SPI just ensures that all invited inbound traffic == the same
outbound traffic. The biggest problem which makes SPI useless is that most all
threats are invited inbound by any number of means.

If threats are not invited inbound then yes, SPI is perfectly good at its job.
On top of an SPI filter I think we must add an ALG inspection engine for the TCP
component, or the data component, and strip the data payload then and there.

ALG filters, obviously, can only inspect the TCP data payload and therefore do
not impinge on HTTPS or other encrypted traffic. ALG filtering is effective
against the data payload of the most common forms of traffic.

HTTP/FTP/VOIP/.......

We can give the user the ability to whitelist a file on permitted file types
and/or URL and deny blacklisted file contents on the same.

URL and MAC Filtering are probably the easiest part of a TCP/IP filter to be
disabled by an external intruder.

The ALG can then offer, within the data payload, the ability to inhibit
ActiveX, cookies and so forth for other control functions in the data payload
that we can examine. The same whitelist and blacklist files should also be able
to permit/deny ActiveX, cookies... even down to virus signatures. For that
matter we can even test for attack type intruder methods.

TCP/IP was never designed to be safe and it will never be safe in its current
V4/6 EVER as long as it maintains the default trust offered to any device on the
net. It's not the job of the internet to secure the protocol, unless you think
it will be completely dumped and replaced.

The reason why we can accomplish this is we have the processing performance and
memory addressing that makes Windoze pale into its primitive constraints that
still exist in W7.

We can achieve the above without any appreciable slowing down of nominal
performance. Together with the sister bug I wrote on AppArmor I think we can
do this, provide real time and serious security at the desktop, because Linux
can.

I have classified this as a bug as we currently have a serious failing in how we
try to provide modernistic security. - Discussion is fruitful and expected well
before 12.1. Please add your thoughts and ideas to the list - we have a problem
that we need to fix... It's not an enhancement, it's a current failing of us and
every other platform, I would suggest.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
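As an added example (not code from the bug report, from SuSEfirewall2 or from YaST), the following Python model shows the two behaviours the report argues about: a stateful (SPI) filter that accepts inbound packets only when they belong to a connection a host in the internal zone opened, and an application-layer file-type policy applied to that "invited" return traffic, which SPI alone lets through. The zone prefix, the addresses, the packets, the HTTP-like payload and the blacklist of extensions are all constructed for the demo.

```python
"""Toy stateful packet filter with an optional payload policy.

Added example, not code from the bug report or from SuSEfirewall2/YaST.
Everything below (zone prefix, addresses, packets, blacklist) is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    payload: str = ""  # constructed application data (HTTP-like text)


class StatefulFilter:
    """SPI: inbound packets are accepted only when they match a flow that a
    host in the internal zone opened. An optional extension blacklist stands
    in for the ALG-style payload check the report asks for."""

    def __init__(self, internal_prefix, blocked_extensions=()):
        self.internal_prefix = internal_prefix    # assumption: one internal zone
        self.blocked = tuple(blocked_extensions)  # e.g. (".exe", ".scr")
        self.flows = set()                        # 5-tuples opened from inside

    def _internal(self, addr):
        return addr.startswith(self.internal_prefix)

    def _payload_verdict(self, payload):
        # Minimal application-layer check: deny a response that announces a
        # blacklisted file name in a Content-Disposition header. This is a
        # constructed header scan, not a real ALG.
        for line in payload.splitlines():
            if line.lower().startswith("content-disposition:"):
                name = line.rsplit("=", 1)[-1].strip().strip('"')
                if name.lower().endswith(self.blocked):
                    return "DROP"
        return "ACCEPT"

    def process(self, pkt):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        outbound = self._internal(pkt.src) and not self._internal(pkt.dst)
        inbound = not self._internal(pkt.src) and self._internal(pkt.dst)
        if outbound:
            self.flows.add(fwd)       # remember the "invitation"
            return "ACCEPT"
        if inbound and rev in self.flows:
            # Invited inbound traffic: SPI accepts it regardless of content,
            # so only the payload policy can still say no.
            return self._payload_verdict(pkt.payload) if self.blocked else "ACCEPT"
        return "DROP"                 # unsolicited inbound (or an unmodelled path)


def run_scenario(with_payload_policy):
    """Four constructed packets: an unsolicited probe, an outbound HTTP
    request, the invited response carrying an .exe, and an inbound packet on
    a port that was never opened. Returns the verdict for each."""
    fw = StatefulFilter("10.0.0.", (".exe", ".scr") if with_payload_policy else ())
    pc, server, attacker = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    response = ("HTTP/1.1 200 OK\r\n"
                'Content-Disposition: attachment; filename="invoice.exe"\r\n'
                "\r\nMZ...")
    packets = [
        Packet(attacker, 40000, pc, 22),                                  # unsolicited
        Packet(pc, 51000, server, 80, payload="GET /invoice HTTP/1.1\r\n"),  # outbound
        Packet(server, 80, pc, 51000, payload=response),                  # invited reply
        Packet(server, 80, pc, 51001),                                    # never opened
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    print("SPI only:          ", run_scenario(False))
    print("SPI + file policy: ", run_scenario(True))
```

With SPI alone the invited response is accepted even though it delivers an executable; with the extension policy enabled the same response is dropped while the legitimate outbound request and the rejection of unsolicited inbound packets are unchanged.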
