Hello HaywireMac, Thursday, August 28, 2003, 8:16:59 AM, you wrote:
H> Trojans are better checked with chkrootkit (sp?) anyway, IMHO.

That's a good way, but you may not know it until you do the check. Besides, suppose the trojan is inside a program you thought you wanted? YOU installed it not knowing it would 'call home'. If it calls home on 80, it will go right through your firewall. Not all intrusions are break-ins. The app-aware approach alerts you the moment anything tries to do an access, and would catch the above. The app-aware approach also alerts you to snoopware. Protecting privacy is not necessarily the same as 'security'.

H> The problem with this so-called application awareness in something
H> like ZoneAlarm is: what if the Trojan disguises itself as Mozilla?

Well, it would have to be in the exact same location and have the same md5 signature - pretty difficult disguise. :-)

H> Or "infects" Mozilla?

Same md5? Not likely. The need to do some kind of check like this is probably why app-aware is not done in linux - it's not in iptables. There may be good historical reasons too.

H> ZoneAlarm is a joke, but it's better than *no* joke I guess, except
H> in the sense it might give one a false sense of security.

I prefer other FW's, but I'm curious as to what's so bad about it?

H> If you have shorewall installed (I don't so I can't check), go into
H> Webmin and look, I'll betcha dollars to donuts that you can assign
H> application "awareness" of some kind, but...see above.

I do have shorewall, and there isn't [I'll send the address for the dollars :-)]. AFAIK, you can't even do this with hand coding of iptables, and thus no front end would be able to do it either.

-- 
Thank you,
rikona mailto:[EMAIL PROTECTED]
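Added example, not part of the original message or of any firewall product: a sketch of the "same location and same signature" check discussed above, applied to a program that is asking for network access. It uses SHA-256 in place of the md5 mentioned in the message; the function names and the stand-in files are constructed for illustration.

```python
import hashlib
import os
import tempfile

def digest(path):
    """SHA-256 of the file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def enroll(allowlist, path):
    """Record the canonical path and current digest of an approved program."""
    real = os.path.realpath(path)
    allowlist[real] = digest(real)

def check(allowlist, path):
    """Return 'allow', 'unknown-path' or 'digest-mismatch' for a program."""
    real = os.path.realpath(path)  # resolve symlinks: judge the file that would actually run
    expected = allowlist.get(real)
    if expected is None:
        return "unknown-path"
    if digest(real) != expected:
        return "digest-mismatch"
    return "allow"

def demo():
    """Constructed scenario using stand-in files, not real browsers."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        browser = os.path.join(root, "usr", "bin", "mozilla")
        lookalike = os.path.join(root, "tmp", "mozilla")
        for p in (browser, lookalike):
            os.makedirs(os.path.dirname(p))
            with open(p, "wb") as f:
                f.write(b"constructed browser image")
        allowlist = {}
        enroll(allowlist, browser)
        results["untouched"] = check(allowlist, browser)
        # Same file name and contents, but not the approved location.
        results["lookalike"] = check(allowlist, lookalike)
        # Approved file changed in place after it was enrolled.
        with open(browser, "ab") as f:
            f.write(b" + appended bytes")
        results["modified"] = check(allowlist, browser)
    return results

if __name__ == "__main__":
    print(demo())
```

The check only establishes that the file on disk is the one that was approved; it says nothing about what an approved program then does with its access.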