Re: firewall securing outgoing traffic?

From: Dimitri Maziuk (dima@127.0.0.1)
Date: 01/29/02


From: Dimitri Maziuk <dima@127.0.0.1>
Date: 29 Jan 2002 19:54:40 GMT

On Tue, 29 Jan 2002 05:06:11 -0500, Yan Seiner wrote:
> In article <3c55ca7a.21999844@news.online.de>, "Joe"
><NO!SPAM!hte123@gmx.net> wrote:
>
><snip>
>> Linux has IMHO no implicit protection from that behaviour? As far as I
>> know by now, a program, for example, can read out data from the tmp
>> dir of the current user.
>>
>
> Yes and no. While an app may read from /tmp, very little actual data is
> in temp. Most of the information that spyware would want is in log files
> in /var/log; these are (or should be) only readable by root. So the job
> is much harder for spyware. In fact, most of the time /tmp is empty.
>
> As for software that "calls home" - that's much harder to block. Typical
> firewalls only block ports; the assumption is that you want to protect
> services.

This doesn't really work: presumably the code that calls home is
hidden inside some application that _you've_installed_because_you
_wanted_to_use_it. If it needs network access for legitimate
reasons, you can't block it (or you can't use it).

Similarly, it can use a "legitimate" port when it calls home (e.g.
it calls a CGI script), so trying to block on per-port basis won't
work either.

The solution is not technical: if an open-source app calls home
behind the scenes, I'd expect to see a lot of stink in usual places
(plus a patch to disable that behaviour) pretty soon after the app
is released. If it's a closed-source app, well, you get what you
paid for.

> I like the SGID idea - set up a special group that is the only group
> allowed access out. Then run the few programs that need to communicate
> with the outside SGID that group. Of course, this offers NO protection
> if you have win boxes NATed behind your linux firewall.

Debian does this with access to devices, like floppy, audio, cdrom.
Unfortunately, unix u/g/o model doesn't work too well here:
1. you can easily get to the point where an app must have >1 different
[E|S]GIDs at the same time,
2. administration nightmare -- too many groups, too many SGID binaries.

Dima
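The "special group that is the only group allowed out" idea from the thread, written out as a script. This is an added example, not code posted by anyone in the thread: it uses the Linux iptables "owner" match (-m owner --gid-owner) in the OUTPUT chain, and marks the permitted binaries SGID that group. The group name netout, the binary path /usr/bin/lynx and the RUN dry-run variable are assumptions made for the example. By default it only echoes the commands; run it with RUN unset-to-empty (RUN= sh netout.sh netout /usr/bin/lynx) as root to apply them.

```shell
#!/bin/sh
# Added example: only processes running with one group may open outbound
# connections; everything else is logged and rejected.
# RUN defaults to "echo" (dry run). "RUN= sh netout.sh ..." applies for real.
RUN="${RUN-echo}"

# Build the OUTPUT chain so that only the given group (assumed: "netout")
# may originate traffic. The owner match works only on locally generated
# packets, i.e. in the OUTPUT chain: hosts NATed behind this box are not
# covered by it, exactly as the thread notes.
netout_rules() {
    g="$1"
    $RUN iptables -P OUTPUT DROP
    $RUN iptables -F OUTPUT
    # loopback and replies to connections we already allowed stay open
    $RUN iptables -A OUTPUT -o lo -j ACCEPT
    $RUN iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # the one rule that matters: sockets owned by the group may go out
    $RUN iptables -A OUTPUT -m owner --gid-owner "$g" -j ACCEPT
    # anything else fails loudly, so an app "calling home" shows up in the log
    $RUN iptables -A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "netout-blocked: "
    $RUN iptables -A OUTPUT -j REJECT
}

# Let one binary run with the group's GID (SGID). Caveat from the thread:
# a program that already needs another SGID (audio, cdrom, ...) cannot
# carry a second one this way, and each such binary is one more to track.
netout_allow_binary() {
    g="$1"; bin="$2"
    $RUN chgrp "$g" "$bin"
    $RUN chmod g+s "$bin"
}

# Usage: sh netout.sh <group> [binary ...]
if [ $# -ge 1 ]; then
    grp="$1"; shift
    netout_rules "$grp"
    for b in "$@"; do
        netout_allow_binary "$grp" "$b"
    done
fi
```

Note that this does nothing against the second point in the reply: a program you allowed out because you use it can still call home over the same connection, on port 80 to a CGI script, and the owner match will pass it. The group only narrows which programs can talk at all, not what they say.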
