[KDE Dot News]
Protection against Trojans?
by ZoneAlarm user on Thursday 02/May/2002, @19:06
I'm just wondering if this is the type of firewall that just blocks incoming traffic or if it also can force network access rules onto specific programs on an app-per-app basis? The latter is just as important in high security environments like military institutions where the "enemy" is not just your average script-kiddie.

The Fine Print: The following comments are owned by whomever posted them.

Re: Protection against Trojans?
by Stig on Thursday 02/May/2002, @23:34
I'd like to know this too. Norton Personal Firewall 2002 also has this feature, and it is very comfortable to be able to control and watch which applications try to access the Internet.
[ Reply To This | View ]
  • Re: Protection against Trojans?
    by fler on Friday 03/May/2002, @00:46
    yep, but you're not supposed to have spyware and trojans on your linux box :)

    From the screenshot it looks like by default you have to open in and outgoing ports, which is a pain compared to good old stateful
    [ Reply To This | View ]
    • Re: Protection against Trojans?
      by fler on Friday 03/May/2002, @00:56
      btw you can block specified apps / pids / users from accessing the network with iptables' owner match support

      For ex to prevent mozilla from going anywhere
      iptables -A OUTPUT -m owner --cmd-owner mozilla -j DROP

      you could of course do it the other way around and block all outgoing traffic by default and allow only specified apps to access the network
      [ Reply To This | View ]
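      The default-deny outbound setup fler describes, as an added example that is not from the thread or from Guarddog. It assumes the application you want to allow runs as a dedicated unprivileged user (constructed name "browser") and matches on uid rather than on the process name, because `--cmd-owner` was removed from the kernel's owner match and a name match is defeated by simply renaming a binary; a uid is assigned by the kernel and cannot be chosen by an unprivileged process. DRYRUN=1 (the default) prints the rules instead of applying them; applying them needs root.

      ```shell
      #!/bin/sh
      # Added example, not part of the original thread.
      # Default-deny outbound traffic, allowing only one uid to start new connections.
      # DRYRUN=1 prints the iptables commands; DRYRUN=0 executes them (needs root).
      DRYRUN=${DRYRUN:-1}

      run() {
          if [ "$DRYRUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
      }

      # build_outbound_allowlist USER DNS_SERVER
      # Rule order matters: loopback and replies to existing connections first,
      # then the uid allowlist, then log-and-drop everything else.
      build_outbound_allowlist() {
          user=$1; dns=$2
          run iptables -P OUTPUT DROP
          run iptables -A OUTPUT -o lo -j ACCEPT
          run iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
          # Only processes running as $user may resolve names and talk HTTP/HTTPS.
          # --uid-owner is set by the kernel; renaming a binary does not change it.
          run iptables -A OUTPUT -m owner --uid-owner "$user" -p udp --dport 53 -d "$dns" -j ACCEPT
          run iptables -A OUTPUT -m owner --uid-owner "$user" -p tcp -m multiport --dports 80,443 -j ACCEPT
          # Rate-limited log line gives a detection signal for anything else trying to call out.
          run iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTBOUND-DENY: "
          run iptables -A OUTPUT -j DROP
      }

      # count_rules USER DNS_SERVER -> number of iptables commands the ruleset contains
      count_rules() {
          build_outbound_allowlist "$1" "$2" | grep -c '^iptables'
      }

      # last_rule USER DNS_SERVER -> the final rule, which must be the catch-all DROP
      last_rule() {
          build_outbound_allowlist "$1" "$2" | tail -n 1
      }
      ```

      Run the application with `sudo -u browser mozilla` (or a per-user session) so its sockets carry that uid; anything launched as another user, including a renamed copy of the binary, hits the log-and-drop rules.
      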
      • Re: Protection against Trojans?
        by Ian Monroe on Friday 03/May/2002, @08:13
        So a good idea would be to have a program which blocks all outgoing traffic by default, and then prompts you to let programs access the internet or open up a port, like ZoneAlarm. It would be complicated, because it really should prompt in an agnostic fashion, whether you're in KDE, gnome, console, whatever. Though having a program which prompts you, say, only in KDE, and requires editing a text file otherwise would still be handy.

        Though, is the only way it differentiates programs by their name? Couldn't someone write a trojan named Mozilla and then bypass the rules?
        [ Reply To This | View ]
        • Re: Protection against Trojans?
          by theorz on Friday 03/May/2002, @09:19
          Yes, a zonealarm type system would be nice. Guarddog is a great piece of software, but it is made to work with ipchains and iptables. This prevents them from getting the most out of iptables. It would be nice if ipchains support is dropped in the future. Though I do not have any spyware problems with linux now, so guarddog is more than adequate for now.
          [ Reply To This | View ]
Re: Protection against Trojans?
by Simon Edwards on Friday 03/May/2002, @00:43
It blocks incoming *and* outgoing traffic. Unfortunately it doesn't work on an app by app basis. Linux doesn't support that kind of security out of the box (yet), and implementing that now would require quite a bit of kernel hacking, and the results wouldn't work easily on stock distros the way Guarddog does now. I believe Linux is getting a more pluggable security architecture in the next kernel series, which should make this kind of thing much easier to do.

Also bear in mind that blocking on a per app basis only works for apps running on the same machine as the firewall. i.e. it won't work for packets that didn't originate on the firewall machine.

--
Simon
[ Reply To This | View ]
  • Re: Protection against Trojans?
    by Evan "JabberWokky" E. on Friday 03/May/2002, @03:48
    :: Linux doesn't support that kind of security out of the box

    IIRC, that was one of the advantages of iptables over ipchains, which is why iptables are the new preferred Linux network control method.

    --
    Evan
    [ Reply To This | View ]
    • Re: Protection against Trojans?
      by Simon Edwards on Friday 03/May/2002, @05:10
      iptables doesn't really let you do per app stuff. The big advantage of iptables over ipchains is the connection tracking features.

      Besides, if you wanted to block a local application from sending data, the obvious place to do that is on the kernel call level, and not down at the packet level.

      --
      Simon
      [ Reply To This | View ]
  • Re: Protection against Trojans?
    by Dude on Friday 03/May/2002, @05:53
    Fler wrote:

    btw you can block specified apps / pids / users from accessing the network with iptables' owner match support

    For ex to prevent mozilla from going anywhere
    iptables -A OUTPUT -m owner --cmd-owner mozilla -j DROP

    you could of course do it the other way around and block all outgoing traffic by default and allow only specified apps to access the network


    So it looks like you can filter on an app by app basis.
    [ Reply To This | View ]
    • Re: Protection against Trojans?
      by Michael on Saturday 04/May/2002, @23:42
      Only if it's running on the same machine though - and you're better off having a separate firewall.

      Remember ZA is fiction-ware: if you run malware code on windows 98 you are toast, as there's no security model to prevent bypassing ZA. It's only that numerous malware hasn't yet appeared to demonstrate that, which means you even gain any benefit from ZA yet.

      A few things you need to think about if you really want to stop apps connecting to the internet:

      a) `mv malware mozilla-bin` - you need crypto to prove that mozilla is mozilla and that it hasn't changed.
      b) `export LD_LIBRARY_PATH=~/malware-libs` / `export LD_PRELOAD=~/malware/lib` - lets me use mozilla's access to run my program.
      c) ... thousands of others...

      If you want to stop an app doing something - and there's a lot more an app might do than access the network, a bigger problem that you can't really expect a front-end to packet filtering to solve - look at running it under a chrooted user-mode-linux environment - give it root then if you like ;o)
      [ Reply To This | View ]
      • Door Locks
        by Ian M on Sunday 05/May/2002, @18:02
        Just because you can break in through the window doesn't mean you shouldn't lock your door. When GRC was talking to Microsoft about the full implementation of TCP/IP in Windows XP, Microsoft had a hard time grasping this concept. They argued that because drivers could be installed in current machines giving windows machines raw sockets (and thus ip-spoofing capability), what could be so bad about giving all windows machines this by default?

        Having ZoneAlarm-like functionality would be nice in Linux because the crackers would have to go through the extra effort to get a program to connect to the internet without user permission. Though you're right, checksums would be needed to verify programs or else getting around the firewall would be way too easy.

        Ian
        http://ian.webhop.org
        [ Reply To This | View ]
        • Re: Door Locks
          by Simon on Monday 06/May/2002, @14:16
          This is a good comment.
          Zone-alarm is protecting us from "legitimate" software calling out without our knowledge, i.e. spyware.
          Further, the spyware is only really hostile in the same sense that McDonald's is hostile; it's just something you want to keep under control before it does do you harm.

          This software can only crawl so far up the hostility ladder before the principals will fall foul of anti-hacking laws.
          Commercial spyware that renames itself as mozilla to dial out would probably be illegal.

          Light protection could be quite effective against spyware.
          [ Reply To This | View ]
          • Re: Door Locks
            by Michael on Tuesday 07/May/2002, @04:45
            If you don't trust your applications, you need sandboxing.

            Sandboxing, as I hinted above, is more than a 'yes/no' question to "can program X connect to x.x.x.x on port Y".

            By definition, that's a lot of questions to answer for your web browser - or else you allow your web browser all access on port 80? In which case, what are you protecting by asking the question?

            Perhaps you really want your web browser not to send personal info?

            "Protect the info" then seems a better idea than pretending you've secured the network against information leakage, no?

            You have to learn from the mistakes windows software has made, not copy what they do to try and reach the same unsatisfactory point.
            [ Reply To This | View ]
        • Re: Door Locks
          by Michael on Tuesday 07/May/2002, @04:19
          No, simply put, ZA doesn't make anything harder for code running on the same machine as ZA.

          Period.

          (I would expand further on the performing moustaches stuff about raw sockets, but there's plenty of that elsewhere - suffice to say linux tcp/ip has them and I doubt you'll get far trying to get them removed - certainly not with cliched statements about doors and windows)
          [ Reply To This | View ]
      • Re: Protection against Trojans?
        by Bloke on Saturday 22/Jan/2005, @09:53
        No, you're wrong. You don't need "crypto".

        You need the OS to tell you the path to the program that is trying to access the internet, or it to tell you the path to the program that is originally calling the library.

        Crypto. Wtf!
        [ Reply To This | View ]