From: Stephen Horne on 28 Dec 2009 03:43

On Mon, 28 Dec 2009 07:05:28 +0100, Jan Gerrit Kootstra <jan.gerrit(a)kootstra.org.uk> wrote:

> An iptables firewall can be configured to block or log outbound traffic.
> This is normally based on IP addresses and port numbers.

This doesn't seem to allow me to say "only these known and trusted applications can have internet access - all others are blocked".

I don't know a great deal about standard IP ports, but what I do know is that they are only a convention - some applications (peer-to-peer stuff mainly) even choose ports randomly. If an application wanted to, it could send out any message it wanted via the port that is normally used for HTTP requests - and if it wanted to, some other box on the internet somewhere could be listening for these messages. That is, it doesn't really matter that a port is *supposed* to be used for web, or for e-mail, or for ftp, or whatever - it *could* be abused for any purpose.

I can neither identify all safe IP addresses nor all dangerous ones, and I have neither the knowledge to identify which ports should/should not be blocked, nor any confidence that that would prevent all unwanted traffic getting out anyway.

Maybe firewalls allow the data sent through particular ports to be limited to the expected kinds. But even if the traffic conforms to the expected protocols for the ports, it could still be exploited. For example, an app other than my browser might send out page requests with URLs that contain my personal information.

Anyway, OK, in general I'm pretty knowledgeable about computers. After all, I spent quite a few years as a professional programmer. But I never did learn all that much about the various internet protocols and services. Those iptables documents make only slightly more sense to me than they would to a complete computing novice. The last thing I want to do is dedicate who knows how many hours to trying to figure out all that stuff.
Just because my desktop is more likely to display a command prompt with GCC than a web browser with Facebook doesn't mean that I can't be in many ways a clueless newbie who needs his hand held just like any other average desktop user.

The one thing I can say for sure is that that new program I'm playing with was definitely not expected to be trying to access the internet.

Unlike Windows, if it's trying to get root access, I will (or at least should) know about it and, unless I'm daft enough to enter the root password for it, it will fail. But I'd still like to block it from accessing the internet too.

Don't get me wrong. I realise that Linux isn't Windows, and quite possibly I'm obsessing over a purely hypothetical issue.

Also, maybe the problem is better solved with some lateral thinking. For example, is it possible to create a user account that is not permitted to access the internet? - a kind of sandbox user account? If so, that would be the perfect place for testing untrusted programs. Especially if it still logs attempts to access the internet, so I can see potential problems.

Also, I seem to remember that the old Unix mail programs worked by reserving a "user" account for the mail program itself. The mailboxes were just files in that account. Although the mail program could be invoked from any user's account, it basically ran within its reserved account. It had the right to do things that the user didn't (i.e. read/write the mailbox file), but IIRC didn't inherit all the rights from the user who invoked the mail program. If that's actually correct (it was a long time ago), installing an untrusted program into its own user account might well be a good way to sandbox it. In fact, it seems like something that should be done as standard for web browsers - display the window on my desktop, but don't let the browser (or its scripts or whatever) read or write anything outside of its own sandbox account.
Of course you reach a point where you may as well just run all untrusted applications in virtual machines. To block unwanted internet access, just don't install any network devices in the guest OS. A bit of a pain, though.
From: Günther Schwarz on 28 Dec 2009 03:49

Stephen Horne wrote:

> On Windows, I use the free version of the ZoneAlarm firewall. This
> allows me to control access to the internet and to the "trusted zone" on
> a per-application basis.
>
> I know that OpenSUSE includes a firewall, but it doesn't seem to follow
> this model AFAICT. It seems to filter types of internet traffic, but not
> to control which applications have access to the internet or other
> resources.

This is correct. The SUSE firewall is simply a script that sets up iptables. See the manual page of iptables or other resources in order to learn how this works. Basically iptables controls traffic based on IP addresses and port numbers and is unaware of applications or the content of traffic. If you want to set up a firewall that can handle these things you might want to have a look at tools that provide stateful inspection or even application layer filtering. The Endian distribution can handle some of these things.

Günther
From: Peter Köhlmann on 28 Dec 2009 04:47

Stephen Horne wrote:

< snip gibberish >

> The one thing I can say for sure is that that new program I'm playing
> with was definitely not expected to be trying to access the internet.
>
> Unlike Windows, if it's trying to get root access, I will (or at least
> should) know about it and, unless I'm daft enough to enter the root
> password for it, it will fail. But I'd still like to block it from
> accessing the internet too.

So it will masquerade as the distro updater. Or whatever else which *is* supposed to go outside.

This is the dumbest idea ever which came into the Windows world: to let the user handle the decision if some arbitrary program which *claims* to be program xyz can access the outside world. It has not worked a tiny little bit in Windows, and it will not work anywhere else. It is just plain stupid to even try it that way.

> Don't get me wrong. I realise that Linux isn't Windows, and quite
> possibly I'm obsessing over a purely hypothetical issue.

You do.

< snip >

> Of course you reach a point where you may as well just run all
> untrusted applications in virtual machines. To block unwanted internet
> access, just don't install any network devices in the guest OS. A bit
> of a pain, though.

No. Extremely simple to do. You can even *have* networking, just not to the internet. Set up the virtual machine with "host-networking" only. It will get access to the files you have opened to the VM, but not to anything else.

--
Klingon function calls do not have 'parameters' - they have 'arguments' - and they ALWAYS WIN THEM.
From: DenverD on 28 Dec 2009 04:56

Stephen Horne wrote:

[snip]

> The trouble is, it only takes one exception to that rule.

right, your job as user is to not let that happen, like:

> The scenario I have in mind is a trojan. I download it, mess around
> with it within a user account, and don't realise that it has (e.g.)
> scanned the files in my user account, spotted some passwords/bank
> details/personal info, and phoned home.

right, that *is* a security problem...a USER induced security problem which is *easily* worked around with safer practices...things like:

-don't download from untrusted (non-SUSE repo) sources
-so, you say you want to anyway, ok then don't 'mess around' with untrusted programs while logged into your personal account
--instead do it in a 'sandbox' (with ZERO access to bank records etc)
--EASY to make
---add new user (say: Sandy)
---log into new account
---'mess around' in safety as Sandy
--or run the untrusted program inside a VM
-consider putting your bank records/etc in a crypto protected directory

> If you have the habit of messing around with random programs, one day,
> something like this is bound to happen.

exactly. even with a great firewall what you describe is a user induced security hazard!

> It doesn't matter whether you
> download binaries or build from source - unless you inspect that
> source line by line, the possibility still exists that there is an
> undocumented nasty lurking within.

if you trust no one you must self inspect.. but, if you trust some repos, use those...if not, do not use YOUR account unless you have otherwise protected your bank info/etc

> *BUT* - with a ZoneAlarm-style firewall - that trojan *cannot* phone
> home, and so the security issue is minimised. Being told that the
> program tried to phone home even gives you the warning that it is /
> may be a trojan, or spyware or whatever.

ah...bad idea...a well designed trojan can 'know' to look for and DISABLE ZoneAlarm, and will if it wishes to call home.

> I don't claim to be perfect. Since I am not perfect, I'd like my
> software to warn me about that fatal error when I make it, and
> hopefully prevent the "fatal" aspect of it.

zonealarm does not warn even after a trojan *has* changed its settings and sent your info to Beijing.. you need to protect (encrypt) your sensitive info in /home/[you]/ *and* everywhere a Windows 'administrator' account can see.. ymmv.

--
DenverD (Linux Counter 282315) via Thunderbird 2.0.0.23 (20090817), KDE 3.5.7 "release 72-11", openSUSE Linux 10.3, 2.6.22.19-0.4-default #1 SMP i686 athlon
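The sandbox user DenverD sketches above can be given the "no internet, but log the attempts" property Stephen asked for with the iptables owner match in the OUTPUT chain, which keys on the UID of the sending process rather than on what the program claims to be. This is an added example, not code posted by anyone in the thread; the user name sandy, the chain name SANDBOX_OUT and the sample log lines are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: confine a "sandbox" user with the
# iptables owner match, and summarise the LOG lines that result.
# Assumed names: user "sandy" and chain "SANDBOX_OUT" (both chosen here).

# Emit the iptables commands that block all non-loopback outbound traffic
# generated by processes running as $1 and log (rate-limited) each attempt.
# The match is on the UID of the sending process, so a binary that renames
# itself to look like the distro updater gains nothing.
sandbox_rules() {
    cat <<EOF
iptables -N SANDBOX_OUT
iptables -A OUTPUT -m owner --uid-owner $1 -j SANDBOX_OUT
iptables -A SANDBOX_OUT -o lo -j ACCEPT
iptables -A SANDBOX_OUT -m limit --limit 6/min -j LOG --log-prefix "SANDBOX-DENY: " --log-uid
iptables -A SANDBOX_OUT -j REJECT --reject-with icmp-port-unreachable
EOF
}

# Apply the rules; only meaningful as root on a host that has iptables.
apply_sandbox_rules() {
    sandbox_rules "$1" | sh
}

# Read kernel log lines on stdin and print "count dest:port" for every
# blocked TCP/UDP destination, most frequent first (ICMP lines carry no
# DPT field and are skipped).
blocked_destinations() {
    grep 'SANDBOX-DENY:' |
        sed -n 's/.* DST=\([^ ]*\) .* DPT=\([0-9]*\) .*/\1:\2/p' |
        sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Constructed sample of what the LOG target writes (documentation addresses).
SAMPLE_LOG='Dec 28 05:10:01 box kernel: SANDBOX-DENY: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40000 DPT=443 UID=1001 GID=100
Dec 28 05:10:02 box kernel: SANDBOX-DENY: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40001 DPT=443 UID=1001 GID=100
Dec 28 05:10:03 box kernel: SANDBOX-DENY: IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=52 PROTO=UDP SPT=5353 DPT=53 UID=1001 GID=100'

# The busiest blocked destination in the sample, e.g. "2 203.0.113.5:443".
top_blocked() {
    printf '%s\n' "$SAMPLE_LOG" | blocked_destinations | head -n 1
}

sandbox_rules sandy
top_blocked
```

Run the output of `sandbox_rules sandy` as root (or call `apply_sandbox_rules sandy`) and feed `dmesg` or the kernel log into `blocked_destinations` to see what the sandboxed program tried to reach.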
From: Stephen Horne on 28 Dec 2009 05:10
On Mon, 28 Dec 2009 09:15:50 +0100, Peter Köhlmann <peter-koehlmann(a)t-online.de> wrote:

> Stephen Horne wrote:
>
>> On Mon, 28 Dec 2009 04:05:29 +0000 (UTC), Paul J Gans
>> <gansno(a)panix.com> wrote:
>>
>>> I think that the basic thing to remember is that in Linux FEW PROGRAMS
>>> go off and connect to the internet by themselves[1]. In general
>>> NOTHING connects to the internet without you telling it to do that.
>>
>> The trouble is, it only takes one exception to that rule.
>>
>> The scenario I have in mind is a trojan. I download it, mess around
>> with it within a user account, and don't realise that it has (e.g.)
>> scanned the files in my user account, spotted some passwords/bank
>> details/personal info, and phoned home.
>
> Where do you download that type of program? *Why* do you do that? And why
> don't you get it from the distro site?

As for distro sites - as I said, at least one trojan has made it into a major distro's repository before being discovered. Besides, from a programmer's perspective, many of the most interesting programs out there are far too immature to be included in any repository.

Also, you seem to be saying "just don't run any trojans", and that's just nuts. I'm not saying that I'd be running trojans deliberately, after all - the whole point of the word "trojan" is that you don't know that it's malware until *after* you've been fooled into running it.

> The "Notepad wants to connect to the internet - allow <yes> <sure> <why
> not>" type of "user-interaction" is just silly to the extreme

Why? The average desktop user has far more chance of knowing that a particular application should or shouldn't be allowed internet access than of even knowing what an IP port is.

Of course I've noticed your implication that no user is ever going to click on "no". And of course there are users like that. Just as there are users who will automatically enter their root password just because some script with a "sudo" call or whatever has asked for it. Or for that matter, have their root password as "password", or even leave it blank.

The detail of the password aside, I see no philosophical difference between the ZoneAlarm and sudo permission requests - either way, the user has essentially the same issue to deal with, and needs essentially the same knowledge - should the application be allowed the privilege, or shouldn't it.

Of course I wish ZoneAlarm asked for a password in the popup - popping up just as I'm pressing the space bar or whatever, so I get an unintended "Yes", has caused problems in the past and is potentially a fatal security hole.

What's more, I'm looking forward to the day when I can disable all my network devices in Windows, dump ZoneAlarm and the rest, and only use Windows for those last few unavoidable apps. My mentioning ZoneAlarm wasn't meant as an exemplar of perfect security - only as a way of explaining what I had in mind. Basically, I just want to be certain that untrusted programs cannot access the internet without my explicit permission.