[SLE] Re: SUSE Firewall primitive shadow of ZoneAlarm in interactive user-control



On 3/21/06, Linda Walsh <suse@xxxxxxxxx> wrote:
[...]
It isn't about the relative strengths of security but about real-time
interactivity. Linux is poor in real-time, interactive controls and
monitoring.

I disagree. If you tail the log file, you can immediately see what is
going on in realtime.

What I would agree to is that I don't know of any graphical tools that
will show this information to you.

What would be handy is a tool that parses the log file or listens for
notifications and then shows important messages in a display. It
should also filter the messages so that you don't get flooded with
messages.

This is something that can be done relatively easily, but I think the
main reason why it has not been done is because the focus of Linux
security has been mainly server based, due to the design of the
system.


I find the discussion about how the user should or shouldn't be doing
things amusing -- i.e. "Dear ex-windows user: um, we don't have the
features and abilities you want, so we want to educate you on what you think
you should want and give you lots of reasons why what you want doesn't
really protect you (which is what we wanted to tell you what you really
wanted)." Bleh!

I think you are misunderstanding the thread (or at least my part of
the thread). It is not about telling the user that Linux lacks the
features, etc., it is about getting the user to focus on the right
place.

It has no value creating tools that make Linux act like Windows if it
is misleading the user in the process.
The problem is that the bigger threat on a Linux system is not viruses
and spyware trying to get outside access, but crackers trying to get
access from outside.

So, what is the use of giving a user a nice app that acts like a
Windows tool, by reporting all outgoing attempts, when by doing so the
newbie is focussing on non-existing viruses, while he/she never
realises that they are being hacked to pieces?

I suggest to rather educate the user to understand the differences in
security issues and introduce the user to the appropriate tools,
rather than to give the user a false sense of security.

[...]

Some claim it would be "possible to provide the same functionality in
*nix". I challenge you to do so with the same constraints on ease of
install and control for whatever user is using the desktop. It won't
be easy:

You will have to:

1) identify what process is attempting unauthorized access.
(remember, the process may be owned by any user -- not just the
"logged in" user).

Yes, with netstat and ps you can determine which process is using a
port and who owns the process.

2) display a high priority popup on the ... well...who? The primary
console user's terminal? What if someone is running "Citrix" or logged
in via Terminal Services? Who gets the message? In Windows, it is the
console user.

Well, the user that has the monitoring tool running. On a server system
it would be the Sys Admin and on a normal desktop it would be the
owner of the system.

[...] (snipped rest to make mail shorter)

The rest of the comments are mixing single-user scenarios with a server
scenario and it is assuming that it is important to know who and what
is trying to make outbound connections.

First, we need to look at single user/server scenarios.

Single user scenario: let's say we do think it is important to monitor
outgoing connections, then it would only make sense to show each user
his/her own connection attempts (applications run by the user that try
to establish an outside connection).
If you start to look at system processes that initiate access then you
move into the server arena.

If you run a firewall/gateway/proxy, then you normally don't have a
person sitting there authorising access by clicking yes/no on
pop-ups. Does a Windows based firewall/gateway do this? I can just
imagine the poor firewall administrator at Microsoft having to
authorise each user's attempts to access the web or send mail.
Imagine how slow the internet access would be.

Now, if you look at your server, you configure your firewalls,
proxies, etc to allow certain types of access (inside or out). You
should in any case not have normal users working on a firewall.

[...]

as part of making the *nix system responsive and robust. You can't provide
something as convenient as "ZoneAlarm" on Linux without _a lot_ of work and
a violation of the *nix system design.

The question is: Why do you want the "ZoneAlarm" functionality on a
Linux system?
Your problem is not applications trying to access the internet from inside.

Your focus areas are access attempts from outside (firewall handles
that) and someone breaking into your system and installing a rootkit
(firewall, intrusion detection and checkrootkit).

If someone installed a rootkit, then a 'ZoneAlarm' clone will not help
much as you can tunnel over port 80 or something. If someone managed
to get the level of access to your system to install a rootkit, then
they can do basically anything on your system and you are screwed.

So, first line of defence is firewall blocking unauthorised access.
Second line of defence is intrusion detection, like snort.
Then, you can also check for rootkits and unexpected changes in files.


If you create the support structure necessary to support such
"automation", including the ability to click on mail attachments like
".pdf" and have them auto-open acrobat, you create the same opportunity
for "holes" in *nix as in WinNT based systems. Do you need more examples?


No, not exactly true. First, a pdf document (or any attachment) will
not be executed, so how can it compromise your system?
The only way is if there is a vulnerability in acrobat reader or the
application you use to open a file with.

You cannot 'fool' a *nix system into executing something or opening it
with the wrong application by changing the extension, because it looks
at the contents of a file to determine its type and the file has to
have the executable bit set.

Then, if you do manage to get something to execute, it can only do
damage to the extent of the privileges of the user running it, which
should not allow it to install anything or damage the system, else
something is wrong with the user's privileges.

Note -- manual, human-based *logfile review* is _unacceptable_. It is
_reactive_, time consuming and error prone. In the one-hour between
being mailed "logs", a well qualified hacker could be in, plant a trojan
and clean up the logs to remove a trace of their being there. If you
have to sleep or go on a vacation for any number of days, you have even
less responsiveness to intrusions.

If you want an interactive view of what is going on with your network
traffic, you can use ethereal to see in realtime exactly what traffic
is going where.

There are some other tools available to give you an interactive view
on your network activity, but the problem is that you cannot sit and
watch all the traffic activity and expect to pick up when someone tries
to attack you.

You need intrusion detection software like snort to highlight possible attacks.

Look at a tool like sguil (http://sguil.sourceforge.net/), it is a
graphical user interface to snort and other tools. It gives a
realtime view of possible issues.

I actually just stumbled onto sguil, but I think it might be exactly
the tool that you need. It is in my opinion the 'ZoneAlarm' for *nix.

PS: I found another GUI: Razorback
(http://www.intersectalliance.com/projects/RazorBack/)

--
Andre Truter | Software Engineer | Registered Linux user #185282
ICQ #40935899 | AIM: trusoftzaf | http://www.trusoft.co.za

~ A dinosaur is a salamander designed to Mil Spec ~

--
Check the headers for your unsubscription address
For additional commands send e-mail to suse-linux-e-help@xxxxxxxx
Also check the archives at http://lists.suse.com
Please read the FAQs: suse-linux-e-faq@xxxxxxxx
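The reply above suggests a tool that parses the firewall log, focuses on inbound attempts, and filters the messages so the user is not flooded. As an added example (not part of the mail thread and not a SUSE tool), here is a small Python summariser for SuSEfirewall2-style drop lines; the sample syslog lines are constructed, and the "SFW2-INext-DROP-DEFLT" prefix and the netfilter SRC=/PROTO=/DPT= field layout are assumed.

```python
"""Summarise SuSEfirewall2-style kernel log lines into one alert per
attacking source/port, instead of a flood of identical drop messages."""
import re
from collections import Counter

# Constructed sample lines in the netfilter LOG format that SuSEfirewall2
# is assumed to write to /var/log/messages (prefix and fields assumed).
SAMPLE_LOG = """\
Mar 21 10:00:01 box kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=48 TTL=119 PROTO=TCP SPT=3331 DPT=445 SYN
Mar 21 10:00:02 box kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=48 TTL=119 PROTO=TCP SPT=3332 DPT=445 SYN
Mar 21 10:00:03 box kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=48 TTL=119 PROTO=TCP SPT=3333 DPT=445 SYN
Mar 21 10:00:04 box kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=404 TTL=52 PROTO=UDP SPT=1030 DPT=1434
Mar 21 10:00:05 box kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=60 TTL=61 PROTO=TCP SPT=50100 DPT=22 SYN
Mar 21 10:00:06 box sshd[4711]: Accepted publickey for andre from 203.0.113.5 port 50100 ssh2
"""

PREFIX_RE = re.compile(r"kernel: (SFW2-\S+)")
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def parse_line(line):
    """Return {'prefix': ..., 'SRC': ..., ...} for a firewall line, else None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None           # sshd and other non-firewall lines are skipped
    rec = {"prefix": m.group(1)}
    rec.update(FIELD_RE.findall(line))   # list of (name, value) pairs
    return rec

def summarise_drops(log_text, min_hits=1):
    """Count dropped *inbound* attempts per (SRC, PROTO, DPT).

    Accepted packets are ignored (they are not attacks), and sources
    seen fewer than min_hits times are left out to reduce noise."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["prefix"].startswith("SFW2-IN") and "-DROP-" in rec["prefix"]:
            counts[(rec.get("SRC"), rec.get("PROTO"), rec.get("DPT"))] += 1
    return {key: n for key, n in counts.items() if n >= min_hits}

def alerts(log_text, min_hits=1):
    """One readable line per source/port, busiest source first."""
    summary = summarise_drops(log_text, min_hits)
    return ["%s -> %s/%s dropped %d time(s)" % (src, proto, dpt, n)
            for (src, proto, dpt), n in sorted(summary.items(), key=lambda kv: -kv[1])]

if __name__ == "__main__":
    for msg in alerts(SAMPLE_LOG):
        print(msg)
```

Feeding the output of `tail -f /var/log/messages` into `parse_line` line by line gives the "listens for notifications" variant the mail describes.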


