LinuxQuestions.org

Constructing "ZoneAlarm for Linux"?

Posted 02-02-2006 at 07:13 PM by unSpawn

Once in a while a question like "is there a 'ZoneAlarm for Linux'?" pops up in LQ-SEC. Usually members tend to tell OPs that any firewall handling should be done using a front-end if Netfilter-fu is low, but basically that's it. IIRC that's too Linux-centric a view: it is not all ZoneAlarm provides. As far as I can remember it checks if the binary has changed, looks up if it's allowed to use the network and if it is allowed to act as server and/or client.

//OK, first ask if we really need this or what or whom should it protect?

Anyway, could we use existing GNU/Linux/FOSS tools to accomplish the same? Just a heads up: if we can, then because of the way Linux works this won't be a single binary fest. But OK, rather 1K tools that work than one that doesn't, aight? Below is a table of functionality matching anything I could think of using. First of all we need a sound basis. I would recommend the GRSecurity kernel patch, if only because you can easily force users to only use "known good" binaries using Trusted Path Execution (you'll have to protect those binaries though, by making them immutable or mounting the tree read-only) and deny users the ability to run services or even clients.

- Binary checksum match. While GRSecurity's TPE essentially is a basic "mask" sealing off users trying to run "foreign" binaries, it doesn't do on-access validation. A tighter ACL should come from using (any) RBAC or maybe a Dazuko plugin.
- Check config for application attribute: type server/client: use GRSecurity compile/sysctl options.
- Check config or application attribute: allowed to connect: use GRSecurity compile/sysctl options.
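
The three checks in the list above (binary unchanged, allowed to connect, allowed as server and/or client) can be modelled as one policy lookup. This is an added example, not code from the original post; `Rule`, `enrol`, `decide` and the sample "browser" file are hypothetical names, and it only models the decision, since enforcement still has to come from the kernel-side tools named in the post.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    sha256: str   # known-good digest recorded at enrolment
    client: bool  # may open outbound connections
    server: bool  # may listen for inbound connections

def digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def enrol(policy, path, client=False, server=False):
    # Key on the resolved path so a symlink cannot alias an enrolled binary.
    policy[os.path.realpath(path)] = Rule(digest(path), client, server)

def decide(policy, path, role):
    """Return (allowed, reason) for a binary asking to act as 'client' or 'server'."""
    if role not in ("client", "server"):
        raise ValueError("role must be 'client' or 'server'")
    real = os.path.realpath(path)
    rule = policy.get(real)
    if rule is None:
        return False, "unknown binary"      # default deny
    if digest(real) != rule.sha256:
        return False, "binary changed"      # checksum mismatch since enrolment
    if not getattr(rule, role):
        return False, f"not allowed as {role}"
    return True, "ok"

def demo():
    # Constructed sample: a throwaway file stands in for a real binary.
    with tempfile.TemporaryDirectory() as d:
        app = os.path.join(d, "browser")
        with open(app, "wb") as f:
            f.write(b"\x7fELF original build")
        policy = {}
        enrol(policy, app, client=True)
        results = [decide(policy, app, "client"), decide(policy, app, "server")]
        with open(app, "ab") as f:          # simulate tampering after enrolment
            f.write(b" patched")
        results.append(decide(policy, app, "client"))
        results.append(decide(policy, os.path.join(d, "dropper"), "client"))
        return results

if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

A check like this in userspace is racy between hashing and execution, which is why the post pairs it with TPE, immutable or read-only binaries and RBAC.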

What kind of Linux-specific tools could we add?
- Network connection, firewall: host/port/owner. Default Iptables modules, NuFW?
- Stream check: IDS. Snort+BlockIt/Guardian using Cutter for dropping connections OTF.
- Stream check: AV. Dazuko+ClamAV.

Also-look-at:
- Systrace - Interactive Policy Generation for System Calls: http://www.citi.umich.edu/u/provos/systrace/
- Program Guard - Specify which applications are allowed TCP/IP connections to the Internet: http://pgrd.sourceforge.net/
- TuxGuardian - Application-based firewall using ACLs to control applications that try to access the network: http://tuxguardian.sourceforge.net/
- L7 inspection for P2P protocols
- Timing policies from POM? "Regular" users don't usually use Netscape (argv[0]!) at 03:00AM local time.

I'm sure I missed a lot and most of this is "basic" hardening stuff, but maybe this gives an idea how anyone could tighten the noose wrt users you can't "talk to" or use the infamous sucker rod on :-]