Bryan Greer wrote:
Charles,

Just wanted to drop you a quick note regarding the Eiger - Stein version of
the leaf. It seems to be fairly good at keeping the script kiddies out and a
lot of unwanted idiots. My hat is off to you. I do have one question, though.
In light of the corruption out there on the web, there seems to be a lot of
system jacking going on with drive-by malware. Is it possible to tweak rules
for the leaf for traffic flowing from the private side? By that I mean, is it
possible to set the leaf up as a proxy with rules that allow only certain
traffic to flow out as well? It would seem that the product that is already
in place, while exceptional at defending us from the masses of potential
hackers and wannabes, might be just what the doctor ordered if it were
capable of defending the inner sanctum from the myriad of spyware, malware,
trojans, etc.

What you want is sort of possible:


Start by blocking all outbound traffic, and only passing your "approved" traffic (like port 80 for web browsing). This will catch the really stupid malware, and the typical desk jockey trying to run unapproved apps.

The next step is to pass all allowed traffic through a transparent proxy, to ensure HTTP traffic is really following the HTTP protocol. This will stop slightly more advanced malware, and some computer-literate desk jockeys.

What you really want to be doing is running an "application level" firewall on each workstation, something like ZoneAlarm (or the many other commercially available products). A product like this can check *WHICH PROGRAM* is generating outbound traffic, and verify the program is on an approved list allowed to access the 'net (and do fancy things like keep cryptographic hashes of the program's binary on file, so if your system gets broken into and IE gets replaced, your firewall won't allow the traffic).

Once the packets are out of the originating system, there's really no reliable way to separate "good" traffic from "bad" traffic, if the bad traffic really wants to hide itself (try content inspection of https:// traffic, for instance, which you probably want to allow).

Again, thank you for bringing this tool to us.

I'm glad you found it useful!


--
Charles Steinkuehler
[EMAIL PROTECTED]
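The first two steps of the reply above, default-deny egress plus a transparent proxy for port 80, as an added worked example. This is not Charles's code or anything shipped with LEAF; it is an iptables-restore ruleset with every concrete value assumed for illustration: LAN on eth1 as 192.168.1.0/24, WAN on eth0, a transparent proxy such as Squid listening on the router at TCP 3128, and the router acting as the LAN's DNS resolver. It uses iptables syntax; an ipchains-based LEAF image would need the same policy translated. The third step (a per-program firewall on each workstation) cannot be done from the router and is not attempted here.

```shell
#!/bin/sh
# Added example (not from the original post or the LEAF project): an egress
# policy for a LEAF-style router. Every value below is an assumption to adapt:
# LAN on eth1 (192.168.1.0/24), WAN on eth0, a transparent proxy such as Squid
# on the router at TCP 3128, and the router itself as the LAN's DNS resolver.

LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
PROXY_PORT="${PROXY_PORT:-3128}"

# Emit the complete ruleset in iptables-restore format on stdout.
# Step 1: default-deny for traffic leaving the LAN, with a short allow list.
# Step 2: HTTP is not forwarded at all; it is redirected into the local proxy,
#         which only speaks real HTTP, so a raw TCP tunnel on port 80 dies there.
egress_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Step 2: LAN web traffic bound for the outside goes to the transparent proxy.
# Traffic aimed at the router or the LAN itself is left alone (admin UI etc.).
-A PREROUTING -i $LAN_IF -s $LAN_NET ! -d $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to conversations the LAN (or the router) started.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Services the router offers the LAN: the proxy, its own DNS, SSH admin.
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $PROXY_PORT -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# Anti-spoof: nothing with a foreign source address leaves the LAN side.
-A FORWARD -i $LAN_IF ! -s $LAN_NET -j DROP
# Step 1 allow list. Only HTTPS is forwarded directly; it passes uninspected,
# which is exactly the blind spot the reply above points out.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 443 -j ACCEPT
# Everything else from the LAN is logged (rate-limited) and dropped. That log
# is where an unknown program phoning home shows up first.
-A FORWARD -i $LAN_IF -s $LAN_NET -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DROP: "
-A FORWARD -i $LAN_IF -s $LAN_NET -j DROP
COMMIT
EOF
}

# Count the rules that let LAN traffic out through the WAN side directly;
# keeping this number small is the whole point of an egress policy.
allow_rule_count() {
    egress_rules | grep -c -- "-A FORWARD -i $LAN_IF -o $WAN_IF .* -j ACCEPT"
}

# "sh egress.sh" prints the ruleset for review; "sh egress.sh apply" loads it
# (run as root on the router; iptables-restore replaces the whole table set).
case "${1:-print}" in
    apply) egress_rules | iptables-restore ;;
    *)     egress_rules ;;
esac
```

Two things to check after loading a ruleset like this: that the proxy really refuses non-HTTP on port 80 (a plain telnet to an outside host's port 80 from a LAN box should get the proxy's error page, not a raw connection), and that the EGRESS-DROP entries in the kernel log are reviewed, since the first sign of something on the inside calling out is usually a stream of drops to a port nobody on the allow list uses.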




leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
