From: Stephen Horne on
On Mon, 28 Dec 2009 10:06:39 +0100, houghi <houghi(a)houghi.org.invalid>
wrote:

>Stephen Horne wrote:
>> The trouble is, it only takes one exception to that rule.
>
>Not really.
>
>> The scenario I have in mind is a trojan. I download it, mess around
>> with it within a user account, and don't realise that it has (e.g.)
>> scanned the files in my user account, spotted some passwords/bank
>> details/personal info, and phoned home.
>
>Well, it can also just mail home and thus use the programs where you
>already have opened the ports for. It could use firefox or whatever

And these are also things that it shouldn't be allowed to do without
my explicit permission.

>If you get a warning each and every time, you are bound to click on OK
>one day.

What makes you think there's a warning each and every time?

As I said, you get the option to apply your choice automatically in
the future, or to directly edit what amounts to a whitelist in
advance.

At present, my ZoneAlarm has a dozen or so apps permitted internet
access. That's a dozen or so times in the last couple of years that I
clicked "OK". The real habit is to click "no", and that isn't exactly
so frequent that it's a problem.

And as I said in another post, password aside, this is no different to
having a script run sudo and pop up a request for extra privileges. I
only wish ZoneAlarm asked for a password rather than just yes / no.

>I have seen administrators (not me, but real ones) press the wrong
>answer to yes/no.

Yes - as I said in that other post, that's why I wish ZoneAlarm would
ask for a password. The odds that you just happen to be typing your
root password at that moment must be pretty small.

>> Even if you could engineer a perfect O/S,
>> there's always the fallible human element.
>
>And that is why you must take *out* the human element and not put it
>back in.

And that's why you should be able to say "no applications other than
those I've explicitly agreed to should be allowed internet access".

Saying it in advance in a whitelist is fine - but allowing all
applications internet access because, otherwise, with a request
system, some applications might inadvertently get internet access...

>Sure you can play around and even have a user account, but do it with
>moderation and limitation. e.g. see that that user does not have access
>to the outside world. Whether sandboxing is enough or using a virtual
>manager (or both) I am not sure.

Finally, we are getting somewhere ;-)

Right - so are you saying that it's possible to set up a "sandbox"
user account with no internet access allowed?

>I would say that a virtual manager with no network is the most safe
>environment in your case as well as the easiest to do.

Maybe, but on my less than awe inspiring machine, I want to limit the
number of layers of virtualisation if possible.

From: Stephen Horne on
On Mon, 28 Dec 2009 10:56:43 +0100, DenverD <spam.trap(a)SOMEwhere.dk>
wrote:

>-so, you say you want to anyway, ok then don't 'mess around' with
>untrusted programs while logged into your personal account
> --instead do it in a 'sandbox' (with ZERO access to bank records etc)
> --EASY to make
> ---add new user (say: Sandy)
> ---log into new account
> ---'mess around' in safety as Sandy

I'd still want to block internet access. Even if the only possible
risk is that the malware might run a DDOS attack or exhaust the limits
on my "unlimited" broadband, I'd still prefer that it couldn't.

>-consider putting your bank records/etc in a crypto protected directory

It's amazing what an identity thief can do with, e.g., a few bits of
text from a couple of e-mails or a few saved web pages. Identify
enough about your interests and social networks, for example, to fool
someone into believing he knows you and thus revealing more, for
instance.

Paranoid - well, yes. Windows users have often considered the idea of
root passwords and "sudo" to be absurdly paranoid.

I'll have the root passwords, thanks, but I'd still like a side-order
of restricting internet access to trusted apps only.

>> *BUT* - with a ZoneAlarm-style firewall - that trojan *cannot* phone
>> home, and so the security issue is minimised. Being told that the
>> program tried to phone home even gives you the warning that it is /
>> may be a trojan, or spyware or whatever.
>
>ah...bad idea...a well designed trojan can 'know' to look for and
>DISABLE ZoneAlarm, and will if it wishes to call home.

And a wrongly trusted app might get root permissions in Linux, and so
on. We all know that trust has to start somewhere, and that sometimes
it starts in the wrong place.

Never claimed Windows was perfect - just described my starting point
and desired ending point, in the hope of getting some guidance on
getting from one to the other.

>> I don't claim to be perfect. Since I am not perfect, I'd like my
>> software to warn me about that fatal error when I make it, and
>> hopefully prevent the "fatal" aspect of it.
>
>zonealarm does not warn even after a trojan *has* changed its settings
>and sent your info to Beijing..

I wasn't intending to start a "my OS is better than yours" religious
war. After all, I *am* moving more and more to Linux, or else I would
never have asked the question in the first place. It's therefore a
no-brainer that I'm not exactly happy with the Windows way.

From: Stephen Horne on
On Mon, 28 Dec 2009 09:52:23 +0100, houghi <houghi(a)houghi.org.invalid>
wrote:

>Also Linux is a multiuser platform with different types of programs.
>e.g. at this moment I am logged in as user 'houghi' via CLI. What if I
>do a telnet on port 7265 on a server. How should the program warn me and
>ask if I want an outgoing connection?

Refuse by default, log the issue, leave it to you to edit the
whitelist if you want to give permission in future.

>So in CLI it won't work. Now this is just me. Next is my little sister
>who has no idea what she does and clicks on OK all the time. It is asked
>if she wants to give Vi/\grA.sh access to whatever port and she says
>yes.

You're taking the ZoneAlarm example too literally. I already said in
another post that I wish ZoneAlarm would ask for a password, similar
to sudo, rather than just a yes/no prompt. Likewise, a whitelist
prepared in advance, with no prompts, would be great.

I'm not asking for a clone. I just want a way to restrict which
applications can access the internet.

Just for the record, though, which of the following would your little
sister be better equipped to cope with...

1. Answering "Thunderbird wants internet access - yes or no?"

2. Configuring the OpenSUSE firewall.

>Damn, I now got an infected PC.

Just like the guy who left his root password on a sticky note on his
monitor ("what the hell - it's my home machine, after all") and then
his visiting nephew gets this nice polite request from "gimmicky
social network app #20650906589".

In principle the only difference is the password, and like I said, the
point is to limit which applications can access the internet - not to
clone ZoneAlarm.

And no, my root password isn't on a sticky note on my monitor, for the
record. It fell off - it's behind my desk somewhere ATM ;-)
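
An added example, not part of any post in this thread: one way to get the "refuse by default, log the issue" behaviour for a dedicated sandbox account such as the "Sandy" user suggested earlier, using the netfilter `owner` match. It filters by the account that owns the socket, not by program name, and the chain name `SANDBOX_OUT` and the log prefix are made up for the illustration.

```shell
#!/bin/sh
# Added example: deny and log all outbound traffic from one sandbox account.
# The chain name and log prefix below are hypothetical.

# Print the rule set for one account, covering IPv4 and IPv6 so that
# blocking one protocol does not leave the other open.
sandbox_rules() {
    user=$1
    chain="SANDBOX_OUT"
    for ipt in iptables ip6tables; do
        # Dedicated chain so the rules can be inspected or removed as a unit.
        echo "$ipt -N $chain"
        # Loopback stays usable for local services.
        echo "$ipt -A $chain -o lo -j RETURN"
        # Log each refused attempt, rate-limited so a noisy program
        # cannot flood the kernel log.
        echo "$ipt -A $chain -m limit --limit 6/min -j LOG --log-prefix \"sandbox-deny: \" --log-uid"
        # Refuse by default; REJECT fails immediately, DROP would hang.
        echo "$ipt -A $chain -j REJECT"
        # Only packets from sockets owned by this account enter the chain.
        echo "$ipt -I OUTPUT -m owner --uid-owner $user -j $chain"
    done
}

# Accept only plain account names, since the output is fed to a root shell.
valid_user() {
    case $1 in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Apply only when asked explicitly, as root: sh sandbox-fw.sh --apply sandy
if [ "${1:-}" = "--apply" ]; then
    valid_user "${2:-}" || { echo "bad user name" >&2; exit 2; }
    id "$2" >/dev/null 2>&1 || { echo "no such user: $2" >&2; exit 2; }
    sandbox_rules "$2" | sh -e
fi
```

Calling `sandbox_rules sandy` on its own prints the commands for review without changing anything; the rules do not survive a reboot unless saved by the distribution's firewall tooling.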

From: Peter Köhlmann on
Stephen Horne wrote:

> On Mon, 28 Dec 2009 09:52:23 +0100, houghi <houghi(a)houghi.org.invalid>
> wrote:
>
>>Also Linux is a multiuser platform with different types of programs.
>>e.g. at this moment I am logged in as user 'houghi' via CLI. What if I
>>do a telnet on port 7265 on a server. How should the program warn me and
>>ask if I want an outgoing connection?
>
> Refuse by default, log the issue, leave it to you to edit the
> whitelist if you want to give permission in future.

And leave the decision to the DAU (dumbest user imaginable). Certainly.
Great way. Has worked ooooh so well in the windows world. Just neglect
those 500.000 viruses

>>So in CLI it won't work. Now this is just me. Next is my little sister
>>who has no idea what she does and clicks on OK all the time. It is asked
>>if she wants to give Vi/\grA.sh access to whatever port and she says
>>yes.
>
> You're taking the ZoneAlarm example too literally.

No, he does not. *Any* "firewall" worth its salt will *never* let a simple
user make such decisions

> I already said in
> another post that I wish ZoneAlarm would ask for a password, similar
> to sudo, rather than just a yes/no prompt.

Which does not work as well. How does that user know that it is indeed the
program he thinks it is? Short answer: He doesn't. Long one: He still does
not

> Likewise, a whitelist
> prepared in advance, with no prompts, would be great.

For doing what? Allow trojans which *masquerade* as firefox/IE/Konqueror
to access the internet? Or trojans which simply use those apps as
vehicles?

You don't have the tiniest notion how firewalls work, and it shows. There
is a reason why people who have more than a tiny clue think of ZoneAlarm
and their likes as "toys for imbeciles" who think they know what they are
doing

> I'm not asking for a clone. I just want a way to restrict which
> applications can access the internet.

Then exec them in a VM. Problem solved

> Just for the record, though, which of the following would your little
> sister be better equipped to cope with...
>
> 1. Answering "Thunderbird wants internet access - yes or no?"
>
> 2. Configuring the OpenSUSE firewall.

None of those. If she can't configure a firewall, she has no business
answering yes/no to such questions. Because she does not *know* if it is
indeed Thunderbird. Or any other of those many programs which want
internet access

>>Damn, I now got an infected PC.
>
> Just like the guy who left his root password on a sticky note on his
> monitor ("what the hell - it's my home machine, after all") and then
> his visiting nephew gets this nice polite request from "gimmicky
> social network app #20650906589".

Something entirely different. Your zeal to make windows look less idiotic
is showing

> In principle the only difference is the password,

No, it is not.

> and like I said, the
> point is to limit which applications can access the internet - not to
> clone ZoneAlarm.

For the umpteenth time: Run it in a VM. Problem solved. You will never get
any *nix user with a clue to accept ZoneAlarm toys as something which
solves security problems. Those apps *create* security problems

> And no, my root password isn't on a sticky note on my monitor, for the
> record. It fell off - it's behind my desk somewhere ATM ;-)

You are a windows user. You don't have admin passwords by default
--
I refuse to have a battle of wits with an unarmed person.

From: Stephen Horne on
On Mon, 28 Dec 2009 10:47:26 +0100, Peter Köhlmann
<peter-koehlmann(a)t-online.de> wrote:

>This is the dumbest idea ever which came into the windows world: To let
>the user handle the decision if some arbitrary program which *claims* to
>be program xyz can access the outside world.

No - the dumbest idea ever in the Windows world was a lot dumber than
that. Given the sheer number and scale of the dumb decisions in
Windows, I'm not even going to speculate about which features are in
the running.

On a machine where there is only one user, though, who else are you
going to ask? You can question the *way* that the question is asked,
certainly. But *someone* has to decide what is permitted and what
isn't.

>It has not worked a tiny little bit in windows, and it will not work
>anywhere else. It is just plain stupid to even try it that way

If the idea of asking at the time is really so dumb, then why is it OK
for Linux apps to request the root password when they need extra
privileges?

And let's be honest - the ZoneAlarm approach, flawed as it is, works a
whole lot better than having no restrictions at all on which
applications can access the internet.
