Re: [SLE] Re: SUSE Firewall primitive shadow of ZoneAlarm in interactive user-control
- From: "Orn E. Hansen" <orn_hansen@xxxxxxxxxxx>
- Date: Fri, 24 Mar 2006 07:26:52 +0100
On Wednesday, 22 March 2006 18:14, Andre Truter wrote:
Nope, that is wrong.
There have been people that have actively tried to install Windows
viruses on Linux and the best that a virus could do on Linux was to
delete a few of the user's files.
It could not survive for long and it could not propagate itself.
Due to the design of the system, Linux is a very unfriendly environment
for a virus.
This isn't an infectious anything, it's merely a program that uses several
different "weaknesses" in your own system to acquire access to run on your
Operating System. Since the Operating Systems are quite different, a
malicious program made for Windows will simply have similar ability to run
on Linux as a program made for the good old MS-DOS will have.
This does NOT mean that there aren't weaknesses in Linux, nor that
malicious software for it doesn't exist.
Firefox lets you enable or disable javascript and you can tell it to
only allow javascript from certain sites.
---
FF is an agnostic technology. It functions the same on Windows
as on Linux. You are making my point. Choose better applications on
Windows and you'll reduce your security-liability footprint.
Yes, exactly. You said that ZoneAlarm does this, so I said that you
can use FF on Linux to get the same functionality. I know FF does
this on Windows too.
How does a firewall detect incoming javascript?
---
Many firewall products have this feature. A firewall product
sits on the boundary between "out there" and your system. In order for
HTTP protocol to be passed "in", it has to go through a firewall. The
Firewall simply does "deep inspection". Hardware firewall products
(Juniper, et al) have this feature. So do some software firewall
products.
Is this not exactly what I said when I mentioned the IPCop plugin?
Ummm.. Intrusion Detection systems have nothing to do with viruses.
----
That's where you are mistaken. I listed virus in brackets
because that's what a virus is -- it is an intrusion of an outside
program that has been run in some "privileged" mode such that it has
installed portions of itself behind for _possible_ purposes of spreading,
or just "owning" the machine.
Both intrusion and virus detection software look for signs of
altered or corrupt software retrospectively. Good intrusion detection
software looks for signatures of known root-kits and infection vectors.
No, Intrusion detection systems monitor incoming traffic and react to
malicious attacks on your ports. It does not check files for
signatures; that is what anti-virus and anti-rootkits do.
Checking the files for viruses is after the fact. An intrusion
detection system prevents anything from reaching your system.
---
How many systems are "owned" linux vs. windows? I'd suggest the
total is higher for windows. What's the difference in the intrusion
detection you are talking about? You are referring to the singular case
where someone is actually behind 1 specific attack on your system instead
of it being one of a thousand automatic attack vectors. It makes much
more sense for an "intruder-wanna-be" to use multiple viruses and launch
tens to hundreds of thousands of automated attacks. It's not profitable to waste
time attacking 1 system unless you have some specific objective. It's
far easier just looking for "easy pickings" -- people who have left their
doors "unlocked".
I don't really get your point here.
I don't know of a single Linux system that has been infected by a virus
(that the user did not install on purpose).
Linux systems get "owned" by people exploiting vulnerabilities on a
machine that has the vulnerable software listening on an open port.
The other way is to physically gain access to the machine, or to
convince the root user to install compromised software. In the last
two cases you are dealing with social engineering and something like
AppArmor can protect you there. In the first case, your firewall and
IDS can protect you.
In neither of the cases is there any use in having a system that tells
you that an application tries to access the internet. If you get to
that point, you are already screwed.
You should use your firewall and AppArmor to make sure you don't get
to that point.
----
Cement-Pro also protects your system. You encase your system in
6-feet of cement. Nothing gets in or out. What's your point?
My point is that if you are worried about a compromised application on
your Linux system trying to "phone home", then set up your Linux
Firewall to block outgoing traffic too.
---
Same way as on Linux -- if you download a corrupt binary, you
lose. If you run a pre-built RPM or binary on Linux you can suffer the
same problems as on Windows. Your Linux system will be compromised
faster since there are almost no Linux virus detectors for downloaded
binaries (RPMs). By a feature of the RPM system -- if you install an
RPM, you've already used root, so any software you've installed has
complete control over your system.
That is why you have gpg signature checking built into your package
managers. They act as anti-virus software. All built in.
On Linux you have tools like checkrootkit, etc. that inspect every file
on your system and immediately let you know if the file was tampered
with.
---
Is it "on-access"? I don't think so. When you install, it uses
"HTTP" to go out onto the net to download instructions -- does a linux
system detect what applications are accessing HTTP and to what target
system? An application like ZoneAlarm will tell you in real-time -- as
soon as outside communication is attempted, that program "address book"
is trying to use HTTP to contact "owned-systems.ru".
But is it not too late then? That means that you have already been
compromised. The idea on Linux is to prevent that situation, not sit
and wait until it happens and then it can proudly inform you that you
have been owned.
AppArmor is also a tool that will let you know immediately if files
are accessed without permission. It prevents the access and then
notifies you. So it is pro-active.
----
How does it detect access? Signatures? Are they checked before
every execution?
You set up your AppArmor to allow a user access to certain files.
built-in to WinXP but is rarely used that way. I don't know of any Linux
distro that ships with such capabilities built-in and enforced by the OS.
AFAIK, SE Linux enforces it.
Well, the idea is that the normal user should not need to worry about
security. Linux has been designed in such a way that it looks after
itself. You don't need to monitor the security systems.
----
That's what you want to believe -- Linux doesn't provide a
real-time alarm system like ZoneAlarm that pops up graphically to tell
the user about each network access. All it provides are log files that
let you examine things after the fact. How is that more secure?
Again, you are looking at this from the wrong side. Tools like
ZoneAlarm will inform you that you have already been infected, while
Linux security systems prevent you from being infected in the first
place.
I would rather spend more time and energy on preventing being owned
than being informed that I have been owned.
Perhaps you can instruct the original post on how that works.
Personally, I haven't seen that on Linux, but if you have a solution,
great!
Let's hear it. :-).
I have provided the link, all the documentation and software is there.
My point is still that people coming from a Windows background treat
Linux security from the wrong end.
The functionality of ZoneAlarm that the original OP wanted is useless
on Linux, as it only informs you that you HAVE ALREADY been
compromised. If you get to that stage, you can just as well format
your disk and re-install as you are screwed.
I suggest that the OP should rather look at the tools that PREVENT a
system from being owned.
Those tools are a firewall, IDS, AppArmor, etc.
If you want to know if you have already been owned then you can use
tripwire and checkrootkit.
A system like ZoneAlarm will not have any effect if you have been
compromised, as the attacker initiates the connection from outside and
compromises an application that normally does have net access (how else
will they get to the app if it is not listening on a socket?). These
are applications like sendmail, telnet, apache, ssh, etc.
So, let's look at a situation: You have your Linux system with the
newly ported ZoneAlarm running, and it tells you that sendmail wants
to access the net. So you say OK, as you want your mail to be sent.
Now the attacker compromises sendmail and they are happily using
sendmail to do all kinds of nasty stuff. How will ZoneAlarm protect
you?
Sendmail is supposed to access the net.
See my point? You should catch the guy before he gets to sendmail and
that is what a firewall and IDS are for.
--
Andre Truter | Software Engineer | Registered Linux user #185282
ICQ #40935899 | AIM: trusoftzaf | http://www.trusoft.co.za
~ A dinosaur is a salamander designed to Mil Spec ~
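The thread argues about whether a Linux system can tell you, as ZoneAlarm does, which program is trying to reach which host, and about blocking outgoing traffic for a daemon such as sendmail that legitimately needs the network. The following is an added example, not code from any participant in the thread: a default-deny iptables egress ruleset that matches on the uid a daemon runs as, logs and drops everything outside its allow-list, and a small log summariser for the resulting kernel messages. The uid "mail", the relay address 192.0.2.25 and the sample log lines are constructed for the example.

```shell
# Added example, not code from the thread. Linux answer to ZoneAlarm's
# "program X wants to reach host Y" prompt: instead of asking interactively,
# allow only the destination a daemon is expected to use (matched on the uid
# it runs as), then LOG and DROP anything else it sends, and review the log.
# Hypothetical values: sendmail runs as uid "mail", the relay is 192.0.2.25.

# Print an iptables-restore ruleset with a default-deny OUTPUT chain and a
# single permitted destination for one uid.
# Usage: gen_egress_rules <uid> <port> <relay-ip> | iptables-restore
gen_egress_rules() {
    uid=$1; port=$2; relay=$3
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -m owner --uid-owner $uid -p tcp -d $relay --dport $port -j ACCEPT
-A OUTPUT -m owner --uid-owner $uid -j LOG --log-prefix "EGRESS-DENIED $uid: "
-A OUTPUT -m owner --uid-owner $uid -j DROP
-A OUTPUT -j LOG --log-prefix "EGRESS-DENIED other: "
COMMIT
EOF
}

# Constructed kernel log lines of the kind the LOG rules above produce
# (shortened; real lines carry more fields).
SAMPLE_LOG='Mar 24 07:20:01 host kernel: EGRESS-DENIED mail: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=43210 DPT=80 SYN
Mar 24 07:20:03 host kernel: EGRESS-DENIED mail: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=43211 DPT=80 SYN
Mar 24 07:21:10 host kernel: EGRESS-DENIED other: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 PROTO=TCP SPT=50000 DPT=6667 SYN'

# Reduce the log to "<count> <uid> -> <dst>:<port>" lines: a daemon that is
# suddenly talking to a host outside its allow-list stands out as a new key.
# Usage: grep EGRESS-DENIED /var/log/messages | summarize_denied
summarize_denied() {
    awk '/EGRESS-DENIED/ {
        match($0, /EGRESS-DENIED [^:]+:/)
        who = substr($0, RSTART + 14, RLENGTH - 15)
        dst = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^DST=/) dst = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        n[who " -> " dst ":" dpt]++
    }
    END { for (k in n) print n[k], k }' | sort -k2
}
```

Run `printf '%s\n' "$SAMPLE_LOG" | summarize_denied` to see the two constructed flows summarised; on a real host the uid rules only take effect after the generated ruleset is loaded with iptables-restore.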