Re: [newbie] Linux Apps - Firewalls

2003-08-29 Thread Bryan Phinney
On Friday 29 August 2003 11:34 am, rikona wrote:
> Hello Bryan,
>
> Thursday, August 28, 2003, 3:46:20 PM, you wrote:
>
> BP> Requires some hardware but this is doable.  Simply run a proxy
> BP> server on a dedicated machine, in the router or ipchains using
> BP> netfilter, allow only that  machine's IP to initiate http traffic
> BP> on port 80 and then all the local  machines have to be configured
> BP> to use the proxy server.  Now, local machines  can't surf at will,
> BP> they must go through the proxy server and you can make  the port
> BP> of that whatever you want.
>
> If I understand you, each local machine would have to use a non-80
> port to surf, with the translation done by the proxy. I'm then
> assuming, say, Mozilla would have to be set up to use a non-80 port to
> get to the proxy. Otherwise any app on the machine could use port 80.
> You are, in effect, blocking port 80 from any local machine. Is this
> correct?

Yes, pretty much exactly the way that a corporate proxy server works.  You 
can't get any traffic out on port 80 with any application.  You have to 
specify a proxy server, say port 8080 or 8118.  The proxy server sits on that 
port and accepts traffic, sends it out to the Internet and routes the packets 
back to you when they come back.  The only applications that can get out are 
ones that use the proxy server.

On the proxy server, or with a router, you basically run a firewall and 
disallow all traffic on port 80 from all IP addresses except the proxy 
server.  So, no one else can send anything out or get anything in on port 80 
unless they go through the proxy server.  You can even set it up and install 
it from a CD only distribution, so no changes, no rootkits or anything else 
is possible because a reboot restores the system right back.

Benefits include being able to restrict some sites for everyone, being able to 
filter out harmful traffic like java, banner ads, etc., and finally caching.  
Because the proxy server serves all requests, if you have already requested 
something and five minutes later someone else requests the same thing, it 
gets pulled from the proxy cache, speeding up surfing for some people in some 
cases.


> Windows users are giving us a glimpse of the future, should linux be
> used by the masses. I'm just trying to get ready. :-))) Also, much of
> the functionality is for privacy, not just security.

Well, you can pretty much make your own browser as private as you want, so I 
am not sure that the proxy adds that much.  Admittedly, I run a proxy server 
on my own computer but it is a local one called privoxy.  It filters out the 
worst of the garbage on the web, including pop-ups, pop-unders, redirects, 
some banner ads, known scumvertiser cookies, etc.  So, I do understand the 
desire to increase privacy and security, I just think that a dedicated proxy 
and cutting off port 80 access is overkill for that.

> BP> Open Source apps make it very difficult to create little one off
> BP> scumware applications, trojans too.
>
> As linux gets more popular, some deviant will take an app, add some
> malware, and create easy-to-get-and-use or otherwise attractive lures
> to get people to load it. Apparently this has already been done for
> some 'reputable' distribution apps in linux. Some folks are inherently
> evil.

I haven't heard of any, however, penetration is still going to be difficult 
given the requirement for almost all Linux apps to release the source code.  
People DO look at the source code.  Granted, I am not a developer myself, but 
I am very active in the community (forums, message boards, etc.) and am 
likely to see something.  I constantly see people hashing apart code within 
the community, discussing it, pointing people to improvements, etc.  

Just a for instance.  An anonymous proxy service in Germany was recently 
contacted by Federal Police there and asked to monitor traffic from a 
suspected criminal.  They served a subpoena, etc.  The group running the 
service released a patch that included code to monitor this one specific 
connection.   Within 24 hours, someone had dissected the patch and noticed 
the suspect code and Usenet was all abuzz about how the service had been 
compromised and they were installing monitors in the software.  This all 
happened within the last week or two weeks.  It is a lot easier to sneak 
stuff in with proprietary closed source.  Open source, even the lack of 
actual posted open source when it is expected, automatically raises the red 
flags and is likely to hamper any suspect apps from being distributed.  For 
those that pay attention.

There was a highly recognized ftp site that was compromised and they matched 
all the code back to the original contributors to make sure that there were 
no compromised pieces of code floating around.  From what I heard, nothing 
was touched.  Again, if someone is going to install software without being 
fairly sure, including checking md5 sums, etc., then they are boun
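Added example, not part of Bryan's message: a Python check that a router's FORWARD chain really enforces the proxy-only rule he describes, by evaluating new outbound port-80 connections against `iptables-save` output. The two rulesets, the proxy address 192.168.1.2 and the LAN 192.168.1.0/24 are constructed for illustration, and only the handful of match options used in them are supported.

```python
import ipaddress
import shlex

# Constructed iptables-save excerpts. Assumed addresses:
# proxy = 192.168.1.2, LAN = 192.168.1.0/24.
PROXY_ONLY = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.1.2/32 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

# Same allow rule for the proxy, but nothing stops everyone else.
ALLOW_WITHOUT_DENY = """\
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -s 192.168.1.2/32 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""


def parse_forward(text):
    """Return (default policy, ordered rule list) for the FORWARD chain."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":FORWARD"):
            policy = line.split()[1]
        elif line.startswith("-A FORWARD"):
            tokens = shlex.split(line)[2:]
            if len(tokens) % 2:
                raise ValueError(f"unsupported rule syntax: {line}")
            rule = {"src": None, "proto": None, "dport": None,
                    "states": None, "target": None}
            for opt, arg in zip(tokens[0::2], tokens[1::2]):
                if opt == "-s":
                    rule["src"] = ipaddress.ip_network(arg, strict=False)
                elif opt == "-p":
                    rule["proto"] = arg
                elif opt == "--dport":
                    rule["dport"] = int(arg)
                elif opt in ("--state", "--ctstate"):
                    rule["states"] = set(arg.split(","))
                elif opt == "-j":
                    rule["target"] = arg
                elif opt != "-m":
                    # Refuse to guess: an audit must not ignore a match it
                    # does not understand.
                    raise ValueError(f"unsupported option {opt!r}: {line}")
            rules.append(rule)
    return policy, rules


def _evaluate(policy, rules, src, dport):
    """First-match verdict for a NEW TCP connection from src to dport."""
    addr = ipaddress.ip_address(src)
    for rule in rules:
        if rule["src"] is not None and addr not in rule["src"]:
            continue
        if rule["proto"] not in (None, "tcp", "all"):
            continue
        if rule["dport"] is not None and rule["dport"] != dport:
            continue
        if rule["states"] is not None and "NEW" not in rule["states"]:
            continue
        if rule["target"] == "ACCEPT":
            return "ACCEPT"
        if rule["target"] in ("DROP", "REJECT"):
            return "DROP"
    return policy


def new_tcp_verdict(ruleset, src, dport):
    policy, rules = parse_forward(ruleset)
    return _evaluate(policy, rules, src, dport)


def hosts_bypassing_proxy(ruleset, proxy_ip, lan_cidr, port=80):
    """LAN hosts other than the proxy that can still open port 80 directly."""
    policy, rules = parse_forward(ruleset)
    lan = ipaddress.ip_network(lan_cidr)
    return [str(h) for h in lan.hosts()
            if str(h) != proxy_ip
            and _evaluate(policy, rules, str(h), port) == "ACCEPT"]


if __name__ == "__main__":
    for name, ruleset in (("proxy-only", PROXY_ONLY),
                          ("allow-without-deny", ALLOW_WITHOUT_DENY)):
        leaks = hosts_bypassing_proxy(ruleset, "192.168.1.2", "192.168.1.0/24")
        print(f"{name}: {len(leaks)} hosts can bypass the proxy")
```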

Re: [newbie] Linux Apps - Firewalls

2003-08-29 Thread John Richard Smith
Frankie wrote:

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of John Richard Smith
> Sent: Friday, 29 August 2003 9:40 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [newbie] Linux Apps - Firewalls
>
>> HaywireMac wrote:
>>
>>> On Fri, 29 Aug 2003 20:10:43 +0800
>>> "Frankie" <[EMAIL PROTECTED]> uttered:
>>>
>>>> Disabling cookies outright is generally a bad idea..
>>>> I prefer to block any cookies with expiry dates that are over a week
>>>> in the future.
>>>> Also, I block any cookies coming from domains different from the page
>>>> you are on.
>>>> If you disable all cookies, many interactive pages will not work
>>>> properly if at all, like shopping carts, and many other similar
>>>> scripts.
>>>> I also set any cookies from doubleclick and the other spam/ad
>>>> organisations to blocked.
>>>
>>> Actually, that's something I've never really thought about. What are the
>>> potential dangers with cookies, besides someone knowing what sites I
>>> visit. I don't visit any porn sites, so no chance of embarrassment, not
>>> that I'd give a rat's ass anyway, but what other threats are there?
>>
>> Isn't it a way in for virus writers to get inside your protection
>> systems ?
>> How safe is a cookie directory ?
>> And in any case why do we want to let other folk plant things on our hard
>> drive.
>> Sure some email stores insist on having cookies enabled, else they will
>> not let you shop. Hard luck for them, go some place else, that do let
>> you shop without enabling cookies.
>
> FRANKI:
>
> Cookies are pretty safe as far as what anyone can use them for.. mozilla
> doesn't even have a cookie directory, it has a cookie file where it stores
> all cookies.
> If you have an app that you log into.. a cookie is the most common way for
> the application to tell you have logged in.. without the cookie you will
> have to reenter your username and password at each step.
> There are ways to code around it, but cookies are still hugely favored for
> this sort of thing.
> And if you don't allow cross domain cookies, there is not much spying you
> can do with them either.
> regards
>
> Franki

I see, so a cookie directory or file is a kind of firewall in itself, no 
risk some malignant virus writer can get in and use the cookie file as a 
base to go do things to your OS and generally wreak havoc then ?

John

--
John Richard Smith
[EMAIL PROTECTED] 




Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com


Re[2]: [newbie] Linux Apps - Firewalls

2003-08-29 Thread rikona
Hello John,

Friday, August 29, 2003, 6:39:56 AM, you wrote:

JRS> Isn't it a way in for virus writers to get inside your protection
JRS> systems ?

If you have an OS problem, as does M$ with their infamous buffer
overruns, then yes. (Ignoring social hacking, of course.) Otherwise,
the 'virus' is limited to what can be done in, say, javascript.

JRS> How safe is a cookie directory ?

The dir is OK, as are the contents, from a security view. From a
privacy view, it might have a great deal of info about you. Users who
do nothing about cookies and surf for years may have HUGE quantities
of cookies. One could learn quite a lot about you from analyzing those
cookies. Such detailed dossiers are worth money.

JRS> And in any case why do we want to let other folk plant things on
JRS> our hard  drive.

In general, we don't.

JRS> Sure some email stores insist on having cookies enabled, else
JRS> they will  not let you shop. Hard luck for them, go some place
JRS> else, that do let  you shop without enabling cookies.

Cookies are very likely required for almost all shopping. Keeping a
cookie for a short shopping session is probably not a high risk - just
get rid of it when you're done. In Opera, for example, you can flush
all cookies automatically at the end of a session.

This assumes a trustworthy site, of course. Some merchants can't
resist the extra income from selling your info, though. Beware of
cookies on supposedly secure pages, for example. JS can read your
personal info and send it back to the advertiser, and the merchant
collects a fee. Advertisers are especially interested in this because
it provides a 'face' to the 'non-personal' info in your huge cookie
collection - now they know exactly whose name to put on the dossier.

-- 

 rikona mailto:[EMAIL PROTECTED]




Re[2]: [newbie] Linux Apps - Firewalls

2003-08-29 Thread rikona
Hello HaywireMac,

Friday, August 29, 2003, 5:20:17 AM, you wrote:

H> I wholeheartedly agree with your perspective, esp. the idea that
H> you have to differentiate between something like a firewall *app*
H> and a real firewall, one that cannot be compromised like any other
H> app.

Is an apple better than an orange?

Again let me suggest that it is not an either/or situation. They are
both useful for different tasks and capabilities and should be used
together. Each can do things the other can't. Think through the
advantages of using both tools and you might see the utility of having
both. The combo can be much more effective than either by itself.

-- 

 rikona mailto:[EMAIL PROTECTED]




Re[2]: [newbie] Linux Apps - Firewalls

2003-08-29 Thread rikona
Hello HaywireMac,

Thursday, August 28, 2003, 5:13:16 PM, you wrote:

>> As I understand it. There is nothing to stop a virus reconfiguring
>> ZoneAlarm so it is undetected.

H> Exactly.

But this is an OS problem, not a ZA problem. Let's give discredit where
it's due. :-)

-- 

 rikona mailto:[EMAIL PROTECTED]




Re[2]: [newbie] Linux Apps - Firewalls

2003-08-29 Thread rikona
Hello Bryan,

Thursday, August 28, 2003, 3:46:20 PM, you wrote:

BP> Requires some hardware but this is doable.  Simply run a proxy
BP> server on a dedicated machine, in the router or ipchains using
BP> netfilter, allow only that  machine's IP to initiate http traffic
BP> on port 80 and then all the local  machines have to be configured
BP> to use the proxy server.  Now, local machines  can't surf at will,
BP> they must go through the proxy server and you can make  the port
BP> of that whatever you want.

If I understand you, each local machine would have to use a non-80
port to surf, with the translation done by the proxy. I'm then
assuming, say, Mozilla would have to be set up to use a non-80 port to
get to the proxy. Otherwise any app on the machine could use port 80.
You are, in effect, blocking port 80 from any local machine. Is this
correct?

Interesting idea - I'd like to make sure I understand it.

BP> Personally, I think that this level of security appears to be wildly 
BP> overrated.  It appears, to me, that someone is trying to solve a Windows 
BP> problem in Linux.

Windows users are giving us a glimpse of the future, should linux be
used by the masses. I'm just trying to get ready. :-))) Also, much of
the functionality is for privacy, not just security.

BP> First, if you are installing applications that you are unsure of,
BP> you have far  greater security issues than simply whether some
BP> malware is phoning home.

In general, agreed.

BP> Open Source apps make it very difficult to create little one off
BP> scumware applications, trojans too.

As linux gets more popular, some deviant will take an app, add some
malware, and create easy-to-get-and-use or otherwise attractive lures
to get people to load it. Apparently this has already been done for
some 'reputable' distribution apps in linux. Some folks are inherently
evil.

BP> Second, a lot of this debate is modified by the "kind" of threat
BP> that we want  to guard against.  The SoBig.F and other types of
BP> worms do not use port 80 to  communicate, in most cases they have
BP> built in smtp or IRC servers that can  broadcast.  You need some
BP> mechanism that can initiate its own connection and  traffic, not
BP> something that would be fighting with the browser to send
BP> packets.  In short, they run their own services so that they do
BP> not have to  depend on the user to initiate communication.

Agreed. Recent malware is increasingly using this technique -
unfortunately too easy to do in M$ virusware.

BP> Creating a new service, in the Linux environment,

BP> And, there are still many ways to guard against that

Agreed - it is comfortingly harder.

BP> If the application is a scumware (advertisement sort), it would inevitably be 
BP> installed as part of the browser, so a plugin for Mozilla, Netscape, etc.

That's why I don't like the idea of plugins - a foot in the door for
the let-anything-do-anything approach that causes so many problems
with M$. But it is not inevitable...

BP> It  won't be a standalone application because it needs to monitor
BP> http traffic so  that it can track usage for delivering ads.  That
BP> is its sole value.

Not necessarily. There is money to be made in selling information
about people. Even if logged on as just a user, I'd guess all your
personal is there - email, contact lists, on-line banking info,
history files of where you surfed, tax info, calendars, cookie files,
perhaps even some info about account names and passwords. Snoopware
might like to collect this and send it 'back home'. There's more than
just ads. Just putting a name and address onto an extensive cookie
history is worth a lot.

These are more like privacy issues rather than 'security'.  If you
want to address both, you should use different tools and techniques.
It is a different problem.

BP> If it is installed as a plugin, like most scumware in IE, then the
BP> app-aware firewall is useless because it would  already have
BP> permission to phone home as part of Mozilla or whatever browser
BP> it is part of.

True. Good ol Javascript is ready to snoop on you.

BP> So, if I were going to create something of this nature, I can't do it open 
BP> source because someone would rat me out almost immediately, provided I could 
BP> even get someone to install it, for even good applications it takes time to 
BP> build recognition in the Linux community.

Perhaps the scenario is to take the open source code and add some more
open source code for snooping, etc, and distribute the package. And,
no, the author of this malware is not likely to publish the code, open
source or not.

BP> with all of the different flavors of Linux and the fact that we
BP> still don't even have a  common installation package mechanism, I
BP> don't think it is very likely.

One of the most attractive ways to distribute malware is to package
supposedly known code for all these versions. "See how much trouble
I've saved you - it's ready to go in YOUR rpm." Looks attractive t

Re: [newbie] Linux Apps - Firewalls

2003-08-29 Thread Bryan Phinney
On Friday 29 August 2003 06:35 am, John Richard Smith wrote:

> Bryan,
>
> Can I ask you a question,
>
> Am I paranoid for not wanting to enable cookies ?
>
> you know, from the security point of view ?
>
> John

Not wanting to have cookies enabled does not make you paranoid, but that 
doesn't mean that you aren't.  ;-}

Since a lot of sites do offer content that relies on cookies to work and there 
is some convenience factor involved in having cookies, I do enable them on my 
machine but have Opera discard them after each browser session.  That way, I 
gain the convenience of having the content and session persistence that 
cookies deliver but at the same time, there is no possibility of long-term 
tracking of my surfing habits.

I consider it a moderate middle-road.

-- 
Bryan Phinney
Software Test Engineer




Re: [newbie] Linux Apps - Firewalls

2003-08-29 Thread HaywireMac
On Wed, 27 Aug 2003 21:55:48 -0700
Russ <[EMAIL PROTECTED]> uttered:

> Hi All,
> 
> Thanks for the responses.

Hell, this is the best thread we've had in a long time, thank *you* for
starting it!

-- 
HaywireMac
Registered Linux user #282046
Homepage: nodex.sytes.net
++
Life can be so tragic -- you're here today and here tomorrow.



Re: [newbie] Linux Apps - Firewalls

2003-08-29 Thread John Richard Smith
HaywireMac wrote:

> On Fri, 29 Aug 2003 20:10:43 +0800
> "Frankie" <[EMAIL PROTECTED]> uttered:
>
>> Disabling cookies outright is generally a bad idea..
>> I prefer to block any cookies with expiry dates that are over a week
>> in the future.
>> Also, I block any cookies coming from domains different from the page
>> you are on.
>> If you disable all cookies, many interactive pages will not work
>> properly if at all, like shopping carts, and many other similar
>> scripts.
>> I also set any cookies from doubleclick and the other spam/ad
>> organisations to blocked.
>
> Actually, that's something I've never really thought about. What are the
> potential dangers with cookies, besides someone knowing what sites I
> visit. I don't visit any porn sites, so no chance of embarrassment, not
> that I'd give a rat's ass anyway, but what other threats are there?

Isn't it a way in for virus writers to get inside your protection systems ?
How safe is a cookie directory ?
And in any case why do we want to let other folk plant things on our hard 
drive.
Sure some email stores insist on having cookies enabled, else they will 
not let you shop. Hard luck for them, go some place else, that do let 
you shop without enabling cookies.

John

--
John Richard Smith
[EMAIL PROTECTED] 





Re: [newbie] Linux Apps - Firewalls

2003-08-29 Thread HaywireMac
On Thu, 28 Aug 2003 18:46:20 -0400
Bryan Phinney <[EMAIL PROTECTED]> uttered:

> Sorry for the long message, I get carried away sometimes.  ;-}

No problemo, I enjoyed every minute of it, and gained a greater
understanding of security along the way.

I wholeheartedly agree with your perspective, esp. the idea that you
have to differentiate between something like a firewall *app* and a real
firewall, one that cannot be compromised like any other app.

ZoneAlarm and its like are probably the best the average Windows user
can do, excepting of course the installation of a dedicated firewall
and/or proxy, but not everybody has an extra box just lying around.

For anyone that does, I highly recommend that you start tinkering. You
do *not* need big-shot hardware, an old P90 like I have will do the
trick quite nicely, and in some cases you don't even need to have a
harddrive in it. There are floppy-based distros like BBIAgent, which I
use and has never let me down (SYN flood and spoofing protection, full
stealth mode for the truly paranoid, where even pings and/or ICMP
requests are ignored/dropped, and of course port forwarding so only
the ports you specify are even visible). For more robust sol'ns (HD
reqr'd), there is of course Mandrake, which you can configure as a
dedicated firewall, but there are lighter and more specified sol'ns like
Smoothwall, ClarkConnect, etc.

The other advantage to having a dedicated firewall/router/NAT is that it
manages your internet connection and LAN for you, so you never have to
worry about configuring your PPPoE or whatever connection, they do it
for you, and they automagically hand out network configurations to all
your clients, so no messing with DNS, IP, etc.

-- 
HaywireMac
Registered Linux user #282046
Homepage: nodex.sytes.net
++
Nothing is as simple as it seems at first
Or as hopeless as it seems in the middle
Or as finished as it seems in the end.



Re: [newbie] Linux Apps - Firewalls

2003-08-29 Thread HaywireMac
On Fri, 29 Aug 2003 20:10:43 +0800
"Frankie" <[EMAIL PROTECTED]> uttered:

> Disabling cookies outright is generally a bad idea..
> I prefer to block any cookies with expiry dates that are over a week
> in the future.
> Also, I block any cookies coming from domains different from the page
> you are on.
> 
> If you disable all cookies, many interactive pages will not work
> properly if at all, like shopping carts, and many other similar
> scripts.
> 
> I also set any cookies from doubleclick and the other spam/ad
> organisations to blocked.

Actually, that's something I've never really thought about. What are the
potential dangers with cookies, besides someone knowing what sites I
visit. I don't visit any porn sites, so no chance of embarrassment, not
that I'd give a rat's ass anyway, but what other threats are there?


-- 
HaywireMac
Registered Linux user #282046
Homepage: nodex.sytes.net
++
Execute every act of thy life as though it were thy last.
-- Marcus Aurelius



Re: [newbie] Linux Apps - Firewalls

2003-08-29 Thread Anne Wilson
On Friday 29 Aug 2003 12:46 pm, Sharrea Day wrote:

> Not that ZA can really help much in those situations.  Clicking on
> the link merely ran the script as the one-and-only user on Win98SE.
>  I feel much safer in Linux browsing the web as user (not root) -
> although sometimes I wonder why, when the most important stuff on
> my system is MY DATA. Couldn't give a sh*t 'bout the system, it can
> be restored, my data can't. At least the stuff that hasn't been
> backed up.  Don't get me wrong, I'm not complaining - I LOVE LINUX!
>
I do feel that the stress on linux security is sometimes misguided.  
Like you, I feel my data is the most important bit, and that's the 
part that a virus could trash if it could get in.  I know it still 
has to get in, but once in it could run as user, I guess.  When you 
combine that with the fact that linux is so stable that we forget the 
need for regular backups, it's time to worry.

Under windows I had a rigid backup routine.  Now I am careless, and it 
can be weeks in between.  And I'll bet I'm not alone.

> Oh now paranoia is creeping in... off to do a much overdue
> backup...  I swear I'm getting lazier.

Yup - me too.  I'll do one today.

Anne



RE: [newbie] Linux Apps - Firewalls

2003-08-29 Thread Frankie
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] Behalf Of John Richard Smith
>Sent: Friday, 29 August 2003 6:36 PM
>To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
>Subject: Re: [newbie] Linux Apps - Firewalls
>
>
>Bryan Phinney wrote:
>
>>On Thursday 28 August 2003 03:14 pm, rikona wrote:
>>
>>Hey, if I was running a bank with no vault, no security guard in the building,
>>no alarms and no way to stop someone from walking out with the money, and the
>>only security that I did have was a locked door, it would be a VERY BIG,
>>THICK DOOR.  I mean, if you are only going to build one wall between you and
>>the enemy, it is probably going to be a pretty big wall.
>>
>>Sorry for the long message, I get carried away sometimes.  ;-}
>>
>Bryan,
>
>Can I ask you a question,
>
>Am I paranoid for not wanting to enable cookies ?
>
>you know, from the security point of view ?
>
>John
>
>--

FRANKI:

Disabling cookies outright is generally a bad idea..
I prefer to block any cookies with expiry dates that are over a week in the
future.
Also, I block any cookies coming from domains different from the page you
are on.

If you disable all cookies, many interactive pages will not work properly
if at all, like shopping carts, and many other similar scripts.

I also set any cookies from doubleclick and the other spam/ad
organisations to blocked.

rgds

franki
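
Added example, not from Frankie's post: the three rules in this message (no cookies expiring more than a week out, none from a domain other than the page's, none from blocklisted ad domains) written as a Python decision function over `Set-Cookie` headers. Host names other than doubleclick.net, the sample headers and the fixed clock are constructed; same-site matching is a plain host-suffix comparison, an assumption that ignores public-suffix rules.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_LIFETIME = timedelta(days=7)                       # "over a week in the future"
BLOCKED_DOMAINS = {"doubleclick.net", "adnetwork.example"}  # 2nd entry is constructed
NOW = datetime(2003, 8, 29, 12, 0, tzinfo=timezone.utc)     # fixed clock for the demo


def within(host, domain):
    """True if host equals domain or is a subdomain of it."""
    host = host.lower().rstrip(".")
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, lower-cased attributes)."""
    first, *rest = header.split(";")
    name, _, value = first.partition("=")
    attrs = {}
    for item in rest:
        key, _, val = item.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def expiry(attrs, now):
    """Absolute expiry, or None for a session cookie. Raises on bad input."""
    if "max-age" in attrs:                      # Max-Age wins over Expires
        return now + timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        when = parsedate_to_datetime(attrs["expires"])
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return when
    return None


def decide(page_host, response_host, set_cookie, now=NOW):
    """Return (accepted, reason) for one Set-Cookie header.

    page_host is the site in the address bar, response_host the server that
    sent the header (an embedded ad image has a different response_host).
    """
    _name, _value, attrs = parse_set_cookie(set_cookie)
    if any(within(response_host, d) for d in BLOCKED_DOMAINS):
        return (False, "blocklisted domain")
    if not (within(response_host, page_host) or within(page_host, response_host)):
        return (False, "third-party")
    try:
        expires = expiry(attrs, now)
    except (TypeError, ValueError, OverflowError):
        # An expiry we cannot read could be arbitrarily long: refuse it.
        return (False, "unparseable expiry")
    if expires is not None and expires - now > MAX_LIFETIME:
        return (False, "expires more than a week out")
    return (True, "session" if expires is None else "short-lived")


# Constructed traffic: (page host, responding host, Set-Cookie value).
SAMPLES = [
    ("shop.example", "shop.example", "cart=42; Path=/"),
    ("shop.example", "shop.example",
     "prefs=dark; Expires=Mon, 01 Sep 2003 12:00:00 GMT; Path=/"),
    ("shop.example", "shop.example",
     "uid=abc123; Expires=Fri, 31 Dec 2010 23:59:59 GMT; Path=/"),
    ("shop.example", "ad.doubleclick.net", "id=1; Path=/"),
    ("shop.example", "cdn.other.example", "t=1"),
]

if __name__ == "__main__":
    for page, host, header in SAMPLES:
        print(host, header.split(";")[0], decide(page, host, header))
```

The shopping-cart session cookie is accepted, which is the behaviour the post wants to preserve while still refusing long-lived and cross-domain cookies.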








Re: [newbie] Linux Apps - Firewalls

2003-08-29 Thread Sharrea Day
On Fri, 29 Aug 2003 10:46, Heather/Femme wrote:
> Seen all this.  ZA got smart, it generates an encrypted sig file for
> itself now.  Makes sure it can't be compromised either... and it is not
> easily killed in newer versions.  Sides, that kind of attack is pretty
> sophisticated & the avg ZA user won't be affected.  Yes it's possible it
> will get thru...but if you see ZA isn't in your tray anymore wouldn't
> you be suspicious?  I know I would.

Sure hope ZA is a lot smarter these days.

Two years ago my Win system was compromised simply by clicking a link on a 
web page in IE.  ZA was disabled but still showing as active in the system 
tray, the packet sniffer I had running crashed and the AV app was totally 
fsckd.  A file containing web passwords was emptied and a pretty 
screensaver was installed which kept appearing every minute.  That was the 
day I decided to see what this Linux was all about and I've never looked 
back since.

Not that ZA can really help much in those situations.  Clicking on the link 
merely ran the script as the one-and-only user on Win98SE.  I feel much 
safer in Linux browsing the web as user (not root) - although sometimes I 
wonder why, when the most important stuff on my system is MY DATA.  
Couldn't give a sh*t 'bout the system, it can be restored, my data can't.  
At least the stuff that hasn't been backed up.  Don't get me wrong, I'm not 
complaining - I LOVE LINUX!

Oh now paranoia is creeping in... off to do a much overdue backup...  I 
swear I'm getting lazier.

Sharrea
-- 
Help Microsoft stamp out piracy - give Linux to a friend today



Re: [newbie] Linux Apps - Firewalls

2003-08-29 Thread John Richard Smith
Bryan Phinney wrote:

> On Thursday 28 August 2003 03:14 pm, rikona wrote:
>
> Hey, if I was running a bank with no vault, no security guard in the building, 
> no alarms and no way to stop someone from walking out with the money, and the 
> only security that I did have was a locked door, it would be a VERY BIG, 
> THICK DOOR.  I mean, if you are only going to build one wall between you and 
> the enemy, it is probably going to be a pretty big wall.
>
> Sorry for the long message, I get carried away sometimes.  ;-}

Bryan,

Can I ask you a question,

Am I paranoid for not wanting to enable cookies ?

you know, from the security point of view ?

John

--
John Richard Smith
[EMAIL PROTECTED] 




Re: [newbie] Linux Apps - Firewalls

2003-08-29 Thread HaywireMac
On Thu, 28 Aug 2003 21:59:29 +0100
Derek Jennings <[EMAIL PROTECTED]> uttered:

> As I understand it. There is nothing to stop a virus reconfiguring
> ZoneAlarm so it is undetected. 

Exactly.

-- 
HaywireMac
Registered Linux user #282046
Homepage: nodex.sytes.net
++
An idea is not responsible for the people who believe in it.



Re[2]: [newbie] Linux Apps - Firewalls

2003-08-29 Thread rikona
Hello Oliver,

Thursday, August 28, 2003, 3:38:54 PM, you wrote:

OM> The shortcoming I have found with ZoneAlarm comes with virtual
OM> machine or interpreted apps. e.g. you grant access rights to
OM> java.exe, perl.exe,  python.exe etc, and then *any* Java, Python
OM> or Perl program you run can  get through your firewall

Yep! Virtual is a big hazard, especially if taken to the M$ extreme. I
don't like the trend for apps to get too permissive in what they
allow. Nice features sometimes, but it increases the risk too.

-- 

 rikona mailto:[EMAIL PROTECTED]




Re[2]: [newbie] Linux Apps - Firewalls

2003-08-28 Thread rikona
Hello HaywireMac,

Thursday, August 28, 2003, 3:07:24 PM, you wrote:

>> If all an intruder can see is my router ip, how can it compromise
>> my system?

H> It cannot, it must see open ports to access. This is the classic "the
H> only truly secure computer is one that is locked in a room with no
H> outside access". If all your ports are closed, he would have to get in
H> with a trojan, a file you bring in yourself and execute.

H> This why real security uses more than one defense tactic: firewall
H> so your ports are protected, IDS to look for known or suspicious
H> hacker activity, and Trojan detection.

Actually, the app-aware FW is just another tool too. It should not
really be used by itself, but as an additional line of defense behind
a stand-alone FW such as in a router. The two kinds of FW's are for
different purposes and are complementary, and should be used together
for best results. Especially good if you are interested in privacy.

-- 

 rikona mailto:[EMAIL PROTECTED]




Re[2]: [newbie] Linux Apps - Firewalls

2003-08-28 Thread rikona
Hello Derek,

Thursday, August 28, 2003, 1:59:29 PM, you wrote:

DJ> As I understand it. There is nothing to stop a virus reconfiguring
DJ> ZoneAlarm so it is undetected.

True - but this is a problem with the OS letting just about anything
do anything to anything. :-) ZA is at the mercy of a poor OS design
philosophy.

DJ> I may be wrong but I believe there is also nothing in Windows to stop a virus 
DJ> simply bypassing the IP stack and using raw sockets to send packets to the 
DJ> interface around the firewall.

Again true. See the above comment. Especially with the M$ decision to
use raw sockets in XP. Yech! They are really asking for it. OTOH, it
might be M$ wanting to do something sneaky themselves. Hmmm...

DJ> To do the same thing under Linux the virus would have to be running as root, 
DJ> and of course we *never* run as root do we?

When linux becomes as popular as Win, we'll have about as many running
as root as we now do running admin. :-) LOTS of them, no doubt. Many
XP users I've talked with don't even know what admin means, and don't
care either. Beware the unwashed masses :-)

DJ> As for a Linux app aware firewall try this one http://www.itshield.com/ 

Thanks for the pointer. It looks like a service-based FW, not an
app-aware FW. Looks like the usual stand-alone FW, not a 'personal'
one on the same computer. This would make it even harder to be
app-aware. It will stop some service (by some app) if it doesn't obey
the rules of the service, but if it does follow the service rules, it
looks as though any app using the service correctly would go through.

Still searching

-- 
Thank you,
 rikona mailto:[EMAIL PROTECTED]




Re[6]: [newbie] Linux Apps - Firewalls

2003-08-28 Thread rikona
Hello HaywireMac,

Thursday, August 28, 2003, 1:27:50 PM, you wrote:

>> Well, it would have to be in the exact same location and have the
>> same md5 signature - pretty difficult disguise. :-)

H> ZoneAlarm cannot do this, AFAIK.

I haven't used ZA for quite a while, but I believe the latest version
does this. Other free firewalls certainly CAN do this.

-- 

 rikona mailto:[EMAIL PROTECTED]




Re[2]: [newbie] Linux Apps - Firewalls

2003-08-28 Thread rikona
Hello Heather/Femme,

Thursday, August 28, 2003, 1:21:31 PM, you wrote:

HF> for a free firewall it's the best one out there for a windows
HF> computer IMO.  Anything better costs $1000 per license
HF> (Checkpoint anyone?) & is very hard to configure.

I prefer Kerio to ZA myself - used to use ZA but like the flexibility
and control of Kerio. It DOES require some knowledge to set it up
properly though, and this is why the masses will not likely be using
it well. ZA is probably best for the masses - just install it and use
it.

-- 
Thank you,
 rikona mailto:[EMAIL PROTECTED]




Re[4]: [newbie] Linux Apps - Firewalls

2003-08-28 Thread rikona
Hello HaywireMac,

Thursday, August 28, 2003, 1:17:32 PM, you wrote:

H> Like I said earlier in the thread, the prob with "app awareness" is
H> that a lot of trojans will either:

H> a) disguise themselves as the trusted app, say IE, or Mozilla, by
H> overwriting the executable.

H> b) embed themselves in the executable itself, difficult, but it has been
H> done.

VERY tough to get the same md5 for either a or b.

-- 

 rikona mailto:[EMAIL PROTECTED]




Re: [newbie] Linux Apps - Firewalls

2003-08-28 Thread Heather/Femme
On Thu, 2003-08-28 at 14:59, Derek Jennings wrote:

> As I understand it. There is nothing to stop a virus reconfiguring ZoneAlarm 
> so it is undetected. 
> 
> http://securityresponse.symantec.com/avcenter/venc/data/backdoor.tron.html
> 
> I may be wrong but I believe there is also nothing In Windows to stop a virus 
> simply bypassing the IP stack and using raw sockets to send packets to the 
> interface around the firewall.
> 
> http://www.securityfocus.com/bid/3647/discussion/
> 
> To do the same thing under Linux the virus would have to be running as root, 
> and of course we *never* run as root do we?
> 
> As for a Linux app aware firewall try this one http://www.itshield.com/
> (I have not tried it)
> 
> 
> derek

Seen all this.  ZA got smart, it generates an encrypted sig file for
itself now.  Makes sure it can't be compromised either... and it is not
easily killed in newer versions.  Sides, that kind of attack is pretty
sophisticated & the avg ZA user won't be affected.  Yes it's possible it
will get thru...but if you see ZA isn't in your tray anymore wouldn't
you be suspicious?  I know I would.

ZA Defender,
Femme :)




Re: [newbie] Linux Apps - Firewalls

2003-08-28 Thread Heather/Femme
On Thu, 2003-08-28 at 14:24, HaywireMac wrote:
> On Thu, 28 Aug 2003 20:13:45 +0100
> Anne Wilson <[EMAIL PROTECTED]> uttered:
> 
> > I fail to see the joke, too.  When I used to run it I used the on-line
> > checkers, and got nothing back but my router address.  What joke?
> 
> Because it is *on* the machine it is trying to protect. You
> compromise the machine with a trojan, you compromise ZoneAlarm.
> 
> Sorry, maybe joke was too harsh a word, but as I've stated, ZoneAlarm
> will not protect you as well as a dedicated firewall, or even as well as
> Shorewall, simply because it is not designed to deal with sophisticated
> attacks like trojans that can execute code on your system, thereby
> negating any protection ZoneAlarm would have presumably offered.
> 
> Shorewall/IPTables offers a far more robust and subtle level of
> protection because it can actually read the header info of incoming and
> outgoing packets. AFAIK, ZoneAlarm cannot.

It is designed against trojans.  It blocks all traffic in & out by
default..and writes a signature for each app.  If the app's compromised &
tries to connect again, the sig is different.  Won't let it out
automatically, it stops it & asks if you want to let it.  Usually that's
good enough to alert a user to look twice at it.

Is it the best out there? No. Is it still good against trojans & Shit?
IMO Yes.  Try and compromise a ZA'ed system.  You won't get far w/out
a lot of effort...and that keeps out the majority of the crackers.

Femme




Re: [newbie] Linux Apps - Firewalls

2003-08-28 Thread Anne Wilson
On Thursday 28 Aug 2003 9:24 pm, HaywireMac wrote:
> On Thu, 28 Aug 2003 20:13:45 +0100
>
> Anne Wilson <[EMAIL PROTECTED]> uttered:
> > I fail to see the joke, too.  When I used to run it I used the
> > on-line checkers, and got nothing back but my router address.  What joke?
>
> Because it is *on* the machine it is trying to protect. You
> compromise the machine with a trojan, you compromise ZoneAlarm.
>
> Sorry, maybe joke was too harsh a word, but as I've stated,
> ZoneAlarm will not protect you as well as a dedicated firewall, or
> even as well as Shorewall, simply because it is not designed to
> deal with sophisticated attacks like trojans that can execute code
> on your system, thereby negating any protection ZoneAlarm would
> have presumably offered.
>
> Shorewall/IPTables offers a far more robust and subtle level of
> protection because it can actually read the header info of incoming
> and outgoing packets. AFAIK, ZoneAlarm cannot.

If all an intruder can see is my router ip, how can it compromise my 
system?

Anne



Re: Re[4]: [newbie] Linux Apps - Firewalls

2003-08-28 Thread HaywireMac
On Thu, 28 Aug 2003 11:54:45 -0700
rikona <[EMAIL PROTECTED]> uttered:

> Well, it would have to be in the exact same location and have the same
> md5 signature - pretty difficult disguise. :-)

ZoneAlarm cannot do this, AFAIK.
 
> H> Or "infects" Mozilla?
> 
> Same md5? Not likely.
> 
> The need to do some kind of check like this is probably why app-aware
> is not done in linux - it's not in iptables. There may be good
> historical reasons too.
> 
> H> ZoneAlarm is a joke, but it's better than *no* joke I guess, except
> H> in the sense it might give one a false sense of security.
> 
> I prefer other FW's, but I'm curious as to what's so bad about it?

For reasons I've already stated. You need a combination of tools for
true security: Firewall, IDS, and Trojan detection.

Again, tho, with great emphasis, it's better than nothing.

-- 
HaywireMac
Registered Linux user #282046
Homepage: nodex.sytes.net
++
For good, return good.
For evil, return justice.



Re: [newbie] Linux Apps - Firewalls

2003-08-28 Thread HaywireMac
On Thu, 28 Aug 2003 20:13:45 +0100
Anne Wilson <[EMAIL PROTECTED]> uttered:

> I fail to see the joke, too.  When I used to run it I used the on-line
> checkers, and got nothing back but my router address.  What joke?

Because it is *on* the machine it is trying to protect. You
compromise the machine with a trojan, you compromise ZoneAlarm.

Sorry, maybe joke was too harsh a word, but as I've stated, ZoneAlarm
will not protect you as well as a dedicated firewall, or even as well as
Shorewall, simply because it is not designed to deal with sophisticated
attacks like trojans that can execute code on your system, thereby
negating any protection ZoneAlarm would have presumably offered.

Shorewall/IPTables offers a far more robust and subtle level of
protection because it can actually read the header info of incoming and
outgoing packets. AFAIK, ZoneAlarm cannot.

-- 
HaywireMac
Registered Linux user #282046
Homepage: nodex.sytes.net
++
It does not do to leave a live dragon out of your calculations.



Re: [newbie] Linux Apps - Firewalls

2003-08-28 Thread Heather/Femme
On Thu, 2003-08-28 at 13:13, Anne Wilson wrote:
> On Thursday 28 Aug 2003 7:54 pm, rikona wrote:
> > H> ZoneAlarm is a joke, but it's better than *no* joke I guess, except
> > H> in the sense it might give one a false sense of security.
> >
> > I prefer other FW's, but I'm curious as to what's so bad about it?
> >
> I fail to see the joke, too.  When I used to run it I used the on-line 
> checkers, and got nothing back but my router address.  What joke?

> Anne

for a free firewall it's the best one out there for a windows computer
IMO.  Anything better costs $1000 per license (Checkpoint anyone?) & is
very hard to configure.

Shrugs just my own 3 cents...it also blocks ads & stuff in the pro
version.  Simple, effective.  Reminds me a lot of Bastille FW.

Femmey




Re: Re[2]: [newbie] Linux Apps - Firewalls

2003-08-28 Thread HaywireMac
On Thu, 28 Aug 2003 12:14:00 -0700
rikona <[EMAIL PROTECTED]> uttered:

> Some things, like app-awareness, seem to be better in the Win FW's.

Like I said earlier in the thread, the prob with "app awareness" is that
a lot of trojans will either:

a) disguise themselves as the trusted app, say IE, or Mozilla, by
overwriting the executable.

b) embed themselves in the executable itself, difficult, but it has been
done.

-- 
HaywireMac
Registered Linux user #282046
Homepage: nodex.sytes.net
++
One learns to itch where one can scratch.
-- Ernest Bramah



Re[2]: [newbie] Linux Apps - Firewalls

2003-08-28 Thread rikona
Hello Derek,

Thursday, August 28, 2003, 9:38:41 AM, you wrote:

>> Besides, I know next to nothing about various types of connections
>> and whatnot. So trying to set this firewall up manually would be a
>> disaster. ZoneAlarm was quick and easy "Do you want this program to
>> access the net? yes or no" nuff said.

DJ> The Firewall GUI in Mandrake Control Centre could not be easier.
DJ> On or Off!

Russ may be referring to the app-aware access. You can disable port
80, on the fly, for some unknown app that is requesting access, but
continue to surf on 80 with, say, Mozilla. Mozilla goes through,
denied app does not, even though it is the same port. How can you
do this in Mandrake?

DJ> They all work, and are all better than any Windows firewall.

Being a paranoid type, :-) I'm trying to understand why it is better.
Some Win FW's seem to be pretty good. Granted the OS has many
problems, but why is just the FW better? Some things, like
app-awareness, seem to be better in the Win FW's.

-- 
Thank you,
 rikona mailto:[EMAIL PROTECTED]




Re: [newbie] Linux Apps - Firewalls

2003-08-28 Thread Anne Wilson
On Thursday 28 Aug 2003 7:54 pm, rikona wrote:
> H> ZoneAlarm is a joke, but it's better than *no* joke I guess, except
> H> in the sense it might give one a false sense of security.
>
> I prefer other FW's, but I'm curious as to what's so bad about it?
>
I fail to see the joke, too.  When I used to run it I used the on-line 
checkers, and got nothing back but my router address.  What joke?

> H> If you have shorewall installed (I don't so I can't check), go into
> H> Webmin and look, I'll betcha dollars to donuts that you can assign
> H> application "awareness" of some kind, but...see above.
>
> I do have shorewall, and there isn't [I'll send the address for the
> dollars :-)]. AFAIK, you can't even do this with hand coding of
> iptables, and thus no front end would be able to do it either.

I know you have been looking for this for a while, so I assume that 
you haven't made much progress?

Anne



Re[2]: [newbie] Linux Apps - Firewalls

2003-08-28 Thread rikona
Hello Anne,

Thursday, August 28, 2003, 12:13:45 PM, you wrote:

>> AFAIK, you can't even do this with hand coding of iptables, and
>> thus no front end would be able to do it either.

AW> I know you have been looking for this for a while, so I assume that 
AW> you haven't made much progress?

Unfortunately, no. I like this capability a lot, and think it is quite
good for protecting individual computers, both in the privacy and
security senses. I'm hoping the linux community adds this (or the
handles to make this work) to iptables in future versions. In the
meantime, I keep hoping to find an expert who knows how to do it in
the current versions.

-- 
Thank you,
 rikona mailto:[EMAIL PROTECTED]




Re[4]: [newbie] Linux Apps - Firewalls

2003-08-28 Thread rikona
Hello HaywireMac,

Thursday, August 28, 2003, 8:16:59 AM, you wrote:

H> Trojans are better checked with chkrootkit (sp?) anyway, IMHO.

That's a good way, but you may not know it until you do the check.
Besides, suppose the trojan is inside a program you thought you
wanted? YOU installed it not knowing it would 'call home'. If it calls
home on 80, it will go right through your firewall. Not all intrusions
are break-ins.

The app-aware approach alerts you the moment anything tries to do an
access, and would catch the above. The app-aware approach also alerts
you to snoopware. Protecting privacy is not necessarily the same as
'security'.

H> The problem with this so-called application awareness in something
H> like ZoneAlarm is: what if the Trojan disguises itself as Mozilla?

Well, it would have to be in the exact same location and have the same
md5 signature - pretty difficult disguise. :-)

H> Or "infects" Mozilla?

Same md5? Not likely.

The need to do some kind of check like this is probably why app-aware
is not done in linux - it's not in iptables. There may be good
historical reasons too.

H> ZoneAlarm is a joke, but it's better than *no* joke I guess, except
H> in the sense it might give one a false sense of security.

I prefer other FW's, but I'm curious as to what's so bad about it?

H> If you have shorewall installed (I don't so I can't check), go into
H> Webmin and look, I'll betcha dollars to donuts that you can assign
H> application "awareness" of some kind, but...see above.

I do have shorewall, and there isn't [I'll send the address for the
dollars :-)]. AFAIK, you can't even do this with hand coding of
iptables, and thus no front end would be able to do it either.

-- 
Thank you,
 rikona mailto:[EMAIL PROTECTED]


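The location-plus-signature check discussed in the message above, as an added example that is not part of the original thread or any firewall's actual code: a minimal allow-list keyed on executable path and remote port. `AppAwarePolicy`, `decide` and the stand-in files are hypothetical names and constructed data, and SHA-256 is used where the thread says md5.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


def file_digest(path: str) -> str:
    """SHA-256 of the file's bytes, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class AppAwarePolicy:
    # (canonical path, remote port) -> digest recorded when the user approved
    rules: dict = field(default_factory=dict)

    def approve(self, exe: str, port: int) -> None:
        exe = os.path.realpath(exe)
        self.rules[(exe, port)] = file_digest(exe)

    def decide(self, exe: str, port: int) -> str:
        """Return 'allow', or 'prompt:<reason>' when the user must be asked."""
        exe = os.path.realpath(exe)  # resolve symlinks before the lookup
        recorded = self.rules.get((exe, port))
        if recorded is None:
            return "prompt:unknown-app"
        if file_digest(exe) != recorded:
            return "prompt:digest-changed"
        return "allow"


def demo() -> dict:
    """Run the thread's scenarios against constructed stand-in 'executables'."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        browser = os.path.join(d, "mozilla")
        other = os.path.join(d, "updater")
        for path in (browser, other):  # identical bytes, different locations
            with open(path, "wb") as f:
                f.write(b"constructed browser image v1")

        policy = AppAwarePolicy()
        policy.approve(browser, 80)
        results["approved_browser"] = policy.decide(browser, 80)
        results["same_bytes_other_path"] = policy.decide(other, 80)
        results["browser_other_port"] = policy.decide(browser, 25)

        # Cases (a) and (b) from the thread: the approved file is overwritten
        # or has code embedded in it, so its digest no longer matches.
        with open(browser, "ab") as f:
            f.write(b" + appended code")
        results["modified_browser"] = policy.decide(browser, 80)

        # The objection raised in the thread: the rule store lives on the same
        # machine, so anything able to rewrite it gets the new digest accepted.
        policy.rules[(os.path.realpath(browser), 80)] = file_digest(browser)
        results["after_rule_store_rewritten"] = policy.decide(browser, 80)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28} {verdict}")
```

The last case is why the check is only as trustworthy as the protection on the rule store itself, which is the reason given in the thread for pairing it with a firewall that runs off the host.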


Re: [newbie] Linux Apps - Firewalls

2003-08-28 Thread Derek Jennings
On Thursday 28 Aug 2003 5:55 am, Russ wrote:
> Hi All,
>
> Thanks for the responses.
>
> I tried "https://localhost:1" but the connection was refused.

You need to install the webmin package first.

> Besides, I know next to nothing about various types of connections and
> whatnot. So trying to set this firewall up manually would be a disaster.
> ZoneAlarm was quick and easy "Do you want this program to access the
> net? yes or no" nuff said.

The Firewall GUI in Mandrake Control Centre could not be easier.
On or Off!

>
> Before I asked I did do a search for firewall programs. There are many.
> I was looking at Firestarter and Guarddog. Each seem to want Gnome or
> KDE. Are these required simply to configure but still works while logged
> into the other (KDE or Gnome)?

You can use either under KDE or Gnome. Firestarter is prettier and has a nice 
wizard. They are both in the 'Contrib' section of Mandrake mirrors. Go here
http://plf.zarb.org/~nanardon/index.php and follow the instructions to add a 
Contrib urpmi software source (add 'update', 'plf' and 'Texstar' sources too 
while you are there)
Your Mandrake Control Centre Software Manager will then have access to 
hundreds of online packages including Firestarter and GuardDog.

>
> Is one better than the other? or is it six of one and half a dozen of
> the other? Any other possible candidates?

They all are just front ends for the same firewall function built into the 
Linux kernel. They all work, and are all better than any Windows firewall.

>
> I am on a cable modem with a router that connects 2 computers to the
> modem (if that matters)
>
> Thanks for any help
> Russ
>

derek
-- 
--
www.jennings.homelinux.net




Re: Re[2]: [newbie] Linux Apps - Firewalls

2003-08-28 Thread HaywireMac
On Thu, 28 Aug 2003 07:53:49 -0700
rikona <[EMAIL PROTECTED]> uttered:

> I don't think you can get this with ANY configuration in Mandrake
> because, as I understand it, iptables is NOT application-aware as are
> several firewalls for Windoze. IMHO, this is a great oversight in
> protecting individual computers from 'calling home', as trojans or
> snoopware might do.

Trojans are better checked with chkrootkit (sp?) anyway, IMHO. The
problem with this so-called application awareness in something like
ZoneAlarm is: what if the Trojan disguises itself as Mozilla? Or
"infects" Mozilla? ZoneAlarm is a joke, but it's better than *no* joke I
guess, except in the sense it might give one a false sense of security.

> OTOH, I might have missed how to or what can do this. If so, perhaps
> one of our experts can tell me how to do it. Briefly, for example, I
> would like ONLY Opera and Mozilla to be able to use port 80 out, and
> to alert me if anything else tries to use this port. How can I do
> that?

If you have shorewall installed (I don't so I can't check), go into
Webmin and look, I'll betcha dollars to donuts that you can assign
application "awareness" of some kind, but...see above.

-- 
HaywireMac
Registered Linux user #282046
Homepage: nodex.sytes.net
++
Remember, Grasshopper, falling down 1000 stairs begins by tripping over
the first one.
-- Confusion



Re[2]: [newbie] Linux Apps - Firewalls

2003-08-28 Thread rikona
Hello Russ,

Wednesday, August 27, 2003, 9:55:48 PM, you wrote:

R> Besides, I know next to nothing about various types of connections
R> and  whatnot. So trying to set this firewall up manually would be a
R> disaster.

I would agree. If you can't find a good front end, it would be better
to try to track down a pre-configured set of 'rules' with liberal
comments, and, if the comments are well done for beginners, adjust
them for your particular situation.

R> ZoneAlarm was quick and easy "Do you want this program to access
R> the  net? yes or no" nuff said.

I don't think you can get this with ANY configuration in Mandrake
because, as I understand it, iptables is NOT application-aware as are
several firewalls for Windoze. IMHO, this is a great oversight in
protecting individual computers from 'calling home', as trojans or
snoopware might do.

OTOH, I might have missed how to or what can do this. If so, perhaps
one of our experts can tell me how to do it. Briefly, for example, I
would like ONLY Opera and Mozilla to be able to use port 80 out, and
to alert me if anything else tries to use this port. How can I do
that?

R> Before I asked I did do a search for firewall programs. There are
R> many.  I was looking at Firestarter and Guarddog. Each seem to want
R> Gnome or  KDE. Are these required simply to configure but still
R> works while logged  into the other (KDE or Gnome)?

I believe these are all just front ends for iptables, the actual
'guts' built into the kernel that does the firewalling. As such I
don't think they would have to run to get 'firewalling', but please
correct this if not true (I'm still rather newbie-ish).

R> Is one better than the other? or is it six of one and half a dozen of 
R> the other? Any other possible candidates?

They are all just ways of translating between desired firewall
behaviors expressed in a comprehensible language (German, English,
etc) and the iptables syntax (an initially incomprehensible language
you would have to learn to get iptables to work). Many times, Linux
users will insist that everyone learn these new 'languages', but wide
acceptance will depend on how easy it is to get desired functionality
WITHOUT having to learn these new 'languages'.

I think a good set of iptables with EXTENSIVE comments FOR BEGINNERS
might be one of the best ways to get a good firewall.

R> I am on a cable modem with a router that connects 2 computers to the 
R> modem (if that matters)

Might your router have a 'real' firewall? If so, it matters a lot. :-)
You might already be well protected if it does.

-- 
HTH,
 rikona mailto:[EMAIL PROTECTED]

