This is a discussion on zonealarm type functionality...again within the Linux Security forums, part of the System Security and Security Related category; Dear all ... I just posted a similar message to linux networking but this query applies as much to security (more ...
Dear all ... I just posted a similar message to linux networking but this query applies as much to security (more so in fact).

zonealarm type functionality has been queried in the past on a number of occasions and the general consensus appears to be that it isn't available ... although the posts I was looking at were quite old so maybe the situation has changed. So I'll try again...

I would like to gain some zonealarm-like functionality for my linux desktop. netfilter/iptables provides a great functional firewall and can even block based on UID and GID ... but I quite like the interactive nature of zonealarm - where it prompts the user, asking whether a particular application can connect to a network resource (also allowing a permanent entry for that application).

Does anybody know of a shim for the network stack (or iptables) that provides this functionality? I guess it would need to spot an application attempting to use a 'monitored' network resource and then check its own tables to confirm that the application is allowed (prompting if it doesn't). If the table has an entry, or the user confirms that the application can use the network resource, then an entry is made in iptables ... but the service would also need to spot the application closing and remove the entry.

The reason I want this may not be valid of course ... please let me know if I'm being too paranoid: iptables can block based on the usual IP data (src and dst IPaddr and port ... even flags) so I may have a rule in there allowing outbound initiated traffic to port 80. Normally this rule would be activated by my web browser ... but what if I inadvertently install malware (macro/script virus, trojan) and the malware decides to set up a tunnel to an attacker host (on port 80)? Or maybe the malware initiates a DoS attack on an external web site... Clearly, if the malware gains root it can probably bypass the shim, but unless this feature becomes popular it's unlikely that a scripted attack will take this into consideration.

Anyway, I rarely install applications as root so I'd hope that the malware may be restricted to a lower capability UID.

Thanks
Bright wrote:
> Dear all ... I just posted a similar message to linux networking but
> this query applies as much to security (more so in fact)
>
> zonealarm type functionality has been queried in the past on a number
> of occasions and the general consensus appears to be that it isn't
> available ... although the posts I was looking at were quite old so
> maybe the situation has changed.
>
> So I'll try again...........

I don't know of a Linux process monitor that can intercept network calls similar to ZoneAlarm. Such a capability would require a rewrite of library functions. But even this can be bypassed by using static-linked program code.

Maybe someone else can comment further!

Steve Hathaway
On Fri, 04 Jul 2003 20:26:26 -0700, Steven J. Hathaway, <shathawa@e-z.net> wrote:
> Bright wrote:
> > Dear all ... I just posted a similar message to linux networking but
> > this query applies as much to security (more so in fact)
> >
> > zonealarm type functionality has been queried in the past on a number
> > of occasions and the general consensus appears to be that it isn't
> > available ... although the posts I was looking at were quite old so
> > maybe the situation has changed.
> >
> > So I'll try again...........
>
> I don't know of a Linux process monitor that can intercept network
> calls similar to ZoneAlarm. Such a capability would require rewrite
> to library functions. But even this can be bypassed by using
> static-linked program code.
>
> Maybe someone else can comment further!

There's optional stuff under iptables that might help for outbound stuff. From "man iptables"...

    owner
        This module attempts to match various characteristics of the packet
        creator, for locally-generated packets. It is only valid in the
        OUTPUT chain, and even this some packets (such as ICMP ping
        responses) may have no owner, and hence never match.

        --uid-owner userid
            Matches if the packet was created by a process with the given
            effective user id.

        --gid-owner groupid
            Matches if the packet was created by a process with the given
            effective group id.

        --pid-owner processid
            Matches if the packet was created by a process with the given
            process id.

        --sid-owner sessionid
            Matches if the packet was created by a process in the given
            session group.

        --cmd-owner name
            Matches if the packet was created by a process with the given
            command name. (this option is present only if iptables was
            compiled under a kernel supporting this feature)

Well, you can block all outbound ICMP ping responses. Assuming that software runs with non-root permissions, and that the install process didn't tinker with libraries, iptables can control it. So here's a scenario...

1) iptables blocks all outbound stuff by default; user mozilla is allowed to send out
2) create low-privileged user, eg AbiWord
3) user launches a script in sudoers (allowed with no passwords) that launches AbiWord. sudoers forces it to run as uid AbiWord
4) user will have to chgrp and chmod directories/files to allow AbiWord to actually do anything useful
5) Assuming there is no iptables rule to allow packets owned by user AbiWord out, then AbiWord can't send anything out
6) userid for mozilla would presumably have permission to send out packets

Asking for permission is somewhat different. Making on-the-fly changes to iptables requires root privileges. Can root launch a daemon that beeps when unauthorized access is attempted? Can root run some sort of menu/dialog in say tty2 that asks for permission for an app to send out data? Can we be certain that a regular app can't switch to tty2 and feed "the right answers" to the outbound packet permission daemon?

--
Walter Dnes <waltdnes@waltdnes.org>
Email users are divided into two classes;
1) Those who have effective spam-blocking
2) Those who wish they did
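Walter's scenario above, written out as an added example that is not from the thread: a small POSIX sh script that builds the default-deny OUTPUT chain plus a per-user allow with the iptables owner match, and logs whatever else tries to leave so an unexpected phone-home shows up in syslog. It assumes iptables is installed and the browser runs under its own user (the name "mozilla" and the DRY_RUN variable are this example's choices); root is needed to apply the rules, DRY_RUN=1 only prints them.

```sh
#!/bin/sh
# Added example (not from the thread): per-user outbound policy using the
# iptables owner match from Walter's scenario. Assumes the iptables binary is
# present and the browser runs as its own user (e.g. "mozilla"); root is needed
# to apply rules, DRY_RUN=1 only prints them.

IPT="${IPT:-iptables}"

# Execute an iptables command, or echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Default-deny for locally generated packets; keep loopback and replies
# to already-accepted connections working.
base_policy() {
    run -P OUTPUT DROP
    run -A OUTPUT -o lo -j ACCEPT
    run -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Let one effective UID open TCP connections to one destination port.
# Packets from any other user (AbiWord in the scenario) never match this.
allow_user_port() {   # $1 = user name or uid, $2 = TCP port
    run -A OUTPUT -m owner --uid-owner "$1" -p tcp --dport "$2" -j ACCEPT
}

# Log what was denied (rate limited) so an unexpected phone-home is visible
# in syslog, then drop it. This is the "beep" Walter asks about, minus the UI.
log_and_drop_rest() {
    run -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUT-DENIED: "
    run -A OUTPUT -j DROP
}

# Full policy: six rules, browser user allowed out on one port only.
setup_policy() {      # $1 = browser user, $2 = TCP port (80 in the thread)
    base_policy
    allow_user_port "$1" "$2"
    log_and_drop_rest
}

# Usage: sudo sh outbound-policy.sh mozilla 80   (DRY_RUN=1 to preview)
if [ "$#" -ge 2 ]; then
    setup_policy "$1" "$2"
fi
```

The LOG rule is what makes Bright's trojan-on-port-80 case visible: a process running as any user other than the browser user gets no ACCEPT and lands in syslog with the OUT-DENIED prefix.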
You could be right - that zonealarm functionality provides a false sense of security, but I'd be interested to know the fundamental weakness ....

If I inadvertently install a trojan on my system and it tries to connect to an external server (either to DoS another system or to get instruction ... set up a tunnel etc) my standard firewall will stop the outbound traffic if it's using a non-standard port. But if it decides to connect to an external host on TCP 80 then my firewall will assume it's HTTP traffic and let it through. If I can tie the firewall down so that it only allows my browser out on that port then I will be alerted about the trojan (unless it invokes the browser to make the connection). That's a good thing isn't it?

Taking it a step further, and having the port dynamically opened per application (by prompting the user when the outbound network traffic is initiated) will allow me even more control on outbound traffic ... When I've run zonealarm on a PC I've used this feature and it gives a warm feeling when you start up an application which appears to phone-home (ok ... it's probably just checking for updates) and I can block its access to the Internet.

I'm sure there is a flaw there somewhere but I can't see that it's completely false security.

Whoever <nobody@devnull.none> wrote in message news:<Pine.LNX.4.44.0307031428160.25482-100000@c941211-a>...
> On 3 Jul 2003, Bright wrote:
>
> > Dear all ... I just posted a similar message to linux networking but
> > this query applies as much to security (more so in fact)
> >
> > zonealarm type functionality has been queried in the past on a number
> > of occasions and the general consensus appears to be that it isn't
> > available ... although the posts I was looking at were quite old so
> > maybe the situation has changed.
> >
> > So I'll try again...........
> >
> > I would like to gain some zonealarm-like functionality for my linux
> > desktop.
>
> I suspect that the reason this does not exist is that the type of security
> obtained from such a system is rather like a "security blanket" (in other
> words, it gives you a good feeling, but does not really do anything
> useful).