Domain: fs-security.com
Stories and comments across the archive that link to fs-security.com.
Comments · 9
-
Re:wait, add-ons don't have a permissions model?
The traditional Unix security model simply doesn't give the level of control I'm suggesting, whence much Unix software even today choosing the lowest common denominator of temporarily becoming root for anything requiring more than regular user privileges.
SELinux does go way beyond the traditional model but it's a royal pain to get distributors/developers/users moved over to thinking in its terms. It's not helped that - for whatever reason - genuinely skilled security types are almost universally bad at making accessible interfaces and documentation.
Well, for systemwide installations you pretty much have to grant root (or its equivalent) on any OS. Everything else can generally be handled by appropriate group and permissions assignments. (Granted, that assumes appropriate group configuration in the first place.) What other example are you thinking about?
BTW, SELinux tends to be avoided not because people can't think in its terms, but because configuring it correctly is nearly impossible for mere mortals and still difficult for security specialists.
This isn't an org sysadmin granting privileges to users, it's a user granting privileges to apps. Apps tend not to change their scope so frequently.
Ideally[tm] all data collected by a web page using a client machine is, as others have suggested, tagged with a level of importance. As the data passes through the browser it can be walled off from any apps which are not given permission to see that class of data. For example, a default for any data collected in an input type="password" entry to be regarded as a login which requires third party password collection privilege to find its way into any other app, whether that's by keystroke listeners or login db readers.
IOW, buidling off something like Firestarter for all apps? That, I agree, would be great to have.
-
Re:Linux needs a "Zone Alarm" like program
Linux already has one - it's called Firestarter and it's great. Integrates with the gnome desktop and let's you specifiy a per-process inbound and outbound access policy. It's in the main ubuntu repos last time I checked, but that was Hoary... Check out it here.
-
Re:The best
Exactly. We got one of these for work: Supermicro Flex Atom 330+ Intel 945GC
Draws about ~16W of power with a laptop 2.5" sata harddrive and full ram slots. Pair it with either CentOS or a prepackaged firewall setup like Clarkconnect, M0n0wall, shorewall, or firestarter (IP tables gui for full linux install). You can even setup something like Asterisk NOW! and pair in an IP Tables firewall and OpenVPN support for a very robust, small, silent, and low power solution.
-
Re:I switched at home
FireStarter
http://www.fs-security.com/
I'm sure there maybe others, as well as logs & displays you can build with iptables & things like snort & squil etc -
Re:Start with Slackware ... I did!
I'm a slack user since 7, IIRC.
>>> "... you have to write your own iptables firewall script."
This simply isn't true. And in my poll (http://www.linuxquestions.org/questions/showthrea d.php?t=530208&highlight=firewall) of just over 100 slackers (not statistically significant but hey) there were slightly more using script generators than writing their own scripts.
I like firestarter (http://www.fs-security.com/) and it seems others do too.
FWIW.
Oh and re the car analogy - having driven a stick shift since 17 at 26 I learnt and passed my test on a full geared motorbike, the first time I got on the fully-automatic twist-and-go scooter I crashed. My first proper crash. This pretty much mirrors my use of "easier" linux distros, which I find harder to use. -
Re:Not enough software for Linux ?
The whole thing reminds me of how I felt in my first couple of months using linux, when I really, really wanted Linux versions of GetRight and ZoneAlarm. Shows how much I knew then, really.
In all fairness, you've struck onto something here. That is, application-level network rules on Linux. Example: a self-sensing firewall like ZoneAlarm, which pops up and tells you that application Foo is trying to connect to the Internet. The closest thing I've seen is FireStarter, which has a panel (no popup) which shows blocked connections (but not per application). You have to hunt for them and mentally associate blockage with what you're trying to do and figure out which application uses what ports. This requires quite a bit of knowledge about networking and firewalls.
A second example which is sorely missed is the likes of NetLimiter. That is, a tool that can do per-application (or global) bandwidth shaping. I have no idea why this can't be done. From my (feeble) knowledge of kernel networking internals, it's a matter of using network QoS and marking a certain way, then slapping a pretty interface on once the kernel support is there. Yet Linux doesn't have anything like this. The closest I've seen is trickle, which uses a trick: you have to preload its own networking library onto programs you want to shape. -
Re:Sure it can play flash movies
Here you go, an X terminal emulator for the Nokia 770.
-
What's wrong with Firestarter?
Firestarter gives you the same security as IPTables (netfilter) but it is point and click easy. Actually, it is really just a front-end for IPTables.
The fact that Firestarter also allows me to use the firewall as a gateway and DHCP server was all I needed to run it on my network.
http://www.fs-security.com/
-
Re:at the risk of getting flamed into submission..
Or if iptables give you the heebie-geebies, you might look at Firestarter: http://www.fs-security.com/. It gives you a nice GUI interface to the linux firewall. This on an old PC with two ethernet cards running redhat would work. Or get a Netgear FVS318 for less than $100; we have been using one of those for awhile now and it seems to offer resonable protection.