From owner-freebsd-stable Mon Sep 11 15:26: 7 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from cmh-dial.columbus.rr.com (cmh-dial.columbus.rr.com [204.210.252.23]) by hub.freebsd.org (Postfix) with ESMTP id C4EAD37B422 for ; Mon, 11 Sep 2000 15:26:04 -0700 (PDT)
Received: from columbus.rr.com (dhcp26130024.columbus.rr.com [24.26.130.24]) by cmh-dial.columbus.rr.com (8.9.3/8.9.3) with ESMTP id SAA03956 for ; Mon, 11 Sep 2000 18:25:16 -0400 (EDT)
Message-ID: <39BD5D43.9231594B@columbus.rr.com>
Date: Mon, 11 Sep 2000 18:31:31 -0400
From: Bill Moran
X-Mailer: Mozilla 4.72 [en] (X11; I; FreeBSD 4.1-STABLE i386)
X-Accept-Language: en
MIME-Version: 1.0
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: firewall rules for applications
References: <200009112201.SAA26880@misha.privatelabs.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

mi@aldan.algebra.com wrote:
>
> I wonder how feasible would it be to implement firewall rules
> that would take into consideration the program (on the local machine)
> sending/receiving the packets. I know, I can now base the rules on
> the user/group id, but I may want to go further.

Technically, this is what ports are for. Port 80 is for http, 23 for telnet, etc. In a better world, this would be all that's needed. But ...

> Identifying a program to the kernel may not be simple -- perhaps a
> regexp of the executable's name or an md5 of the /proc/file? Or the
> executable's (or script's) inode-filesystem?

If I understand it correctly, this is what they're trying to do with certificates.

> I just read a description of a Windows product, that attempts to fight
> software offered by sneaky vendors, that tries to contact the vendor
> over the Internet to send back user's data. The blocking software,
> supposedly, blocks applications from accessing certain sites. This is
> not an immediate problem for FreeBSD, but...

Why not prevent the user from installing the trojan to begin with (that's basically what that is)?

Fact is ... as long as people think they can use computers without knowing anything about them, they'll be open to this kind of attack. You can put all the software guards in place you want, but if they fall for the old "I'm from Compuserve support and we're having some trouble with your account. If you'd just give me your password we can straighten everything out." You may laugh, but remember that most security holes are "socially engineered": the untrained security guard that falls for some lie or another. Or just someone who's become complacent because they haven't had any trouble ever before.

I used to laugh when I worked at Bank One because they made such a big deal about network security. Meanwhile, they were having hundreds of laptops stolen each month because the building I worked in was so insecure. Anyone could just walk in. If you could break in and steal a laptop, how much harder would it be to break in, get to the server room or something like that?

The best security will always be trained individuals who are paranoid.

(Self employed: The opinions expressed here do not reflect those of my employer)

--
FreeBSD ('BSD'): No battles to the death are recalled. It is a small Daemon wearing sneakers. It is normally found on Internet servers and powerful desktops, and moves very quickly. A kill of this powerful creature is enough to tick off any sysadmin. It is highly magical, having the power to serve. It resists DoS and SYN flood attacks. Nothing is known about its attack.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
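The original poster notes that ipfw can already match on the user/group id. As an added example (not code from the thread or from FreeBSD), the script below shows how that facility approximates per-program egress rules today: run the program under a dedicated account and key ipfw's `uid` match on that account, allowing the one destination it legitimately needs and logging everything else it tries to send. The account name `updater`, the permitted host 192.0.2.10, port 443 and the rule numbers are constructed for the example; the ipfw keywords (`from me`, `out`, `uid`, `deny log`) are real ipfw(8) syntax.

```shell
#!/bin/sh
# Added example, not part of the original message: confine one account's
# outbound traffic with ipfw's per-user matching. The account (updater), the
# permitted host (192.0.2.10, a documentation address), the port and the rule
# numbers are constructed for this illustration.

# Emit the ipfw commands for one confined account.
# $1 = user name, $2 = permitted destination host, $3 = permitted port,
# $4 = base rule number.
gen_rules() {
    user=$1; host=$2; port=$3; base=$4
    # Let the account reach the single endpoint it is supposed to talk to.
    printf 'add %d allow tcp from me to %s %s out uid %s\n' \
        "$base" "$host" "$port" "$user"
    # Anything else the account originates is dropped and logged; a log line
    # from this rule is the signal that the program tried to reach somewhere
    # it was never meant to.
    printf 'add %d deny log ip from me to any out uid %s\n' \
        "$((base + 10))" "$user"
}

# Number of rules that would be installed, for a sanity check before applying.
rule_count() {
    gen_rules "$@" | wc -l | tr -d ' '
}

# Install the rules only when APPLY=yes and ipfw is present; otherwise print
# them so the rule set can be reviewed on any system.
apply_rules() {
    if [ "${APPLY:-no}" = "yes" ] && command -v ipfw >/dev/null 2>&1; then
        gen_rules "$@" | while read -r rule; do
            # word-splitting of $rule is intended: each word is one ipfw argument
            ipfw -q $rule
        done
    else
        gen_rules "$@"
    fi
}

apply_rules updater 192.0.2.10 443 1000
```

The limitation is exactly the one the poster raises: the `uid` match identifies the account a socket belongs to, not the executable, so the confinement only holds as long as nothing else runs under that account. Pairing the deny rule with `log` turns the rule set into a detection point as well as a block.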