Yes, but let's look toward the future.  Is this problem getting larger or
smaller?  Unless new programs like RealAudio/Napster/etc stop being created,
I will say it could get larger.

Checksum of programs on the client --- that is exactly what "Anti-virus"
software is basically doing, scanning all files on a system and doing
pattern matching.  The anti-virus software vendors are also in the business
of making "lists" and distributing those "lists" of patterns.

I personally don't see as much need for the real-time "system slowing"
non-stop virus scanning that Martin [[EMAIL PROTECTED]] talks about for this
type of issue.  A scan every 24 hours would seem sufficient to identify
potentially "undesired" programs (above and beyond normal virus scanning).

I can think of two technologies available today:

  --- The netnanny web filter software.  These companies are in the business
of tracking the web pages out there and classifying them based on porno and
other factors.  What about "safe to post data"?  Yes, these lists of sites
are far far far from perfect... but the technology and model exists.
  --- The anti-virus checking of executables.

A new type of program and server?
===================================
Maybe there needs to be a new network protocol?  Maybe a digital signature
applied to the opening packet of a network session?  Maybe some new type of
program that runs on client PC's and requests permission from an "outbound
security server" before a firewall would allow a new session?

That doesn't sound like a bad idea.  Something like ZoneAlarms that runs on
the client operating system and intercepts all outbound traffic... but
INSTEAD of asking the user of the PC ("do you want to allow iexplore.exe to
go outbound") -- it does a request to a "corporate authorization server."
And base the program detection on a digital signature/checksum -- not just
the name of the exe!  So far, at least one program (Zone Alarms) has proven
sufficient at detecting new outbound traffic sessions on a PC.

And besides, the firewall policy could be to block ALL OUTBOUND unless
authorized.  So if the person isn't running the "authorized outbound
requester program," or has a trojan that bypasses it -- outbound data would
never get out...

The same could be said for user identification.  Perhaps "logging into the
firewall" should be required for outbound Internet use in general.  We know
who is in our email and custom applications, but we really have no idea who a
web surfer is (other than their machine IP)?

Oh yeah, one other thing... any program that blocks user access when the
program isn't authorized... it should allow the user to be sent to a custom
web page and not just pop up a "you can't connect" error.  This way the
MIS-types can at least provide the user (via private web server) with
site-specific information on how to deal with the issue.

  Stephen Gutknecht
  Renton, Washington

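The client / authorization-server / firewall arrangement sketched in the post above, as an added example that is not from the thread or any product it names: the server keys its allowlist on the SHA-256 of the executable image rather than its file name, answers a deny with a custom help page instead of a bare error, and gives an approved session an HMAC token that a default-deny firewall verifies. The approved images, the shared key and the help URL are constructed placeholders.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for executable images; a real server would hold the
# digests of the builds the organisation has approved.
APPROVED_IMAGES = {
    "iexplore.exe": b"constructed image bytes: approved browser build",
    "outlook.exe": b"constructed image bytes: approved mail client build",
}
# Allowlist keyed by SHA-256 of the image, never by file name.
ALLOWLIST = {hashlib.sha256(img).hexdigest(): n for n, img in APPROVED_IMAGES.items()}
SERVER_KEY = b"constructed shared secret between server and firewall"
HELP_URL = "http://mis-help.example.internal/outbound"  # hypothetical private page


@dataclass
class Decision:
    allowed: bool
    reason: str
    redirect_url: Optional[str] = None  # where a blocked user is sent
    token: Optional[str] = None         # proof for the firewall that the server said yes


def session_token(client_ip: str, dest: str) -> str:
    # Binds the approval to one client/destination pair; a production design
    # would also bind a fresh nonce so a token cannot be reused.
    return hmac.new(SERVER_KEY, f"{client_ip}|{dest}".encode(), hashlib.sha256).hexdigest()


def authorize(exe_name: str, exe_bytes: bytes, client_ip: str, dest: str) -> Decision:
    """Authorization server: decide by image digest, ignoring the claimed file name."""
    digest = hashlib.sha256(exe_bytes).hexdigest()
    approved = ALLOWLIST.get(digest)
    if approved is None:
        # Unknown or modified image: deny, but hand the client a page to visit.
        return Decision(False, f"{exe_name} (sha256 {digest[:12]}...) is not authorized", HELP_URL)
    return Decision(True, f"{approved} authorized", token=session_token(client_ip, dest))


def firewall_passes(client_ip: str, dest: str, token: Optional[str]) -> bool:
    """Firewall: default deny; a session passes only with a valid server token."""
    if token is None:
        return False
    return hmac.compare_digest(session_token(client_ip, dest), token)
```

A program that skips the requester, or a trojan that merely borrows an approved file name, produces no token and is dropped by the firewall rule.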

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 13, 2000 9:19 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [firewalls] Digest Number 388


> ***
> This strikes me as an overreaction - what exactly should they be doing?
> Unless they perform a checksum on every application every time it connects
> to the 'Net, this sort of a problem will likely exist.
> ***
> 
> Your statement above about performing a checksum is certainly an avenue
> which needs to be considered.  Although some processing time would be
> required at the initiation of each application accessing the network, the
> option of being able to do this would be quite valuable (and necessary) to
> some people.  The option could be disabled on slower machines if someone
> is willing to assume this greater risk.

Yes, it could be a good idea, but where do you store the checksums securely?
Unless you store it in read-only media, it can still be compromised. I'd use
a CD ROM for my server, but your average home user isn't going to want to
have a checksum CD that he has to update each time he installs something
new, and has to keep in his drive whenever he's launching network-enabled
applications. 

I still think general common-sense precautions will keep the average user
safe. But then, I disable pretty much all scripting/ActiveX in my web
browsers, and consider that to be "common sense." My level of paranoia
likely exceeds that of the average user.

Mike

----
Michael Owen
IT Security Engineer
NET-TEL Computer Systems Ltd
[EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
