From: security at brvenik.com (Jason)
Subject: YABBT [1] - Re: Zone Alarm

This is a dead thread to me. I am replying to list because it adds a 
little value to the already OFF TOPIC discussion.

Ron DuFresne wrote:
> 	[SNIP]
> 
> 
>>'A HW firewall can only block at the protocol level for an entire
>>machine but can not reliably deny access for one program and allow
>>access for another program when they are using like protocols from the
>>same machine.'
>>
> 
> 
> Still incorrect, as it seems folks are talking about packet filters only
> of one type or another.  No one seems to be considering the high end in
> the firewall realm, and this might be due to the 'homeuser' tone of the
> thread, but, what about firewalls with application proxies?  Of course
> these are not very common on a desktop or home machine...
> 
[snip large sig block]

There are many application proxies in use on the host these days, they 
are often transparent as well. An easy example might be any modern virus 
scanner which intercepts a communication stream and emulates the 
application protocol to inspect it for virii.

While I see what you are trying to say you are incorrect. There is no 
_off system_ firewall, hardware or software, that can differentiate like 
protocols and the representation of those protocols simply by being inline.

Let me illustrate...

$ wget www.yahoo.com
...output

$ nc www.yahoo.com 80
GET / HTTP/1.0
User-Agent: Wget/1.8.2
Host: www.yahoo.com
Accept: */*
Connection: Keep-Alive


...output


Barring a subtle difference in the way wget and nc build the tcp 
connection there is no way off system to differentiate the above two 
HTTP requests and there is no off system method to identify the 
requesting application.

Something that might make this mildly on topic for the list would be a 
discussion of the next logical statements about enforcing access to the 
internet for specific applications using this method of thinking.

You can do anything that does not require a change on the host system.

Some suggestions:

* configure User-Agent validation
* only allow specific protocols, limited to HTTP for example.
* require user authentication

Now, with all the products out there the list has, attempt these methods 
of restriction and then show us how it can be evaded or otherwise 
rendered useless by an application other than the intended. If you 
believe it cannot be evaded please show your work and defend your position.

Failing this type of discussion I too SCREAM NAZI

-Jason
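The three controls Jason lists (User-Agent validation, HTTP-only protocol restriction, user authentication) are easy to prototype as an inline inspector, and doing so makes his point concrete: the device's verdict is a function of the bytes on the wire and nothing else. The following is an added example written for this archive page, not code from the original thread or from any product it mentions. The allowlist, the credential table and the sample requests are constructed here; the request bytes mirror the wget/nc exchange quoted in the post, and `parse_request`, `inspect` and `with_proxy_auth` are names chosen for this example.

```python
"""Toy off-host HTTP request inspector applying three policy checks.

Added example (not part of the original post). It shows that an inline
device can validate the User-Agent header, restrict traffic to HTTP and
demand proxy credentials, yet still cannot tell which local program
produced a given byte sequence.
"""
import base64

ALLOWED_AGENTS = {"Wget/1.8.2"}      # assumed allowlist for the demo
VALID_CREDS = {"alice": "s3cret"}     # constructed credentials, demo only

# Constructed sample: the request wget 1.8.2 emits, as quoted in the post.
WGET_REQUEST = (b"GET / HTTP/1.0\r\n"
                b"User-Agent: Wget/1.8.2\r\n"
                b"Host: www.yahoo.com\r\n"
                b"Accept: */*\r\n"
                b"Connection: Keep-Alive\r\n\r\n")

# Constructed sample: the same lines typed by hand into nc. The inspector
# receives exactly the same bytes, so it has nothing to distinguish.
NC_REQUEST = (b"GET / HTTP/1.0\r\n"
              b"User-Agent: Wget/1.8.2\r\n"
              b"Host: www.yahoo.com\r\n"
              b"Accept: */*\r\n"
              b"Connection: Keep-Alive\r\n\r\n")


def parse_request(raw: bytes):
    """Parse the request line and headers of one HTTP/1.x request.

    Returns (method, target, version, headers) with lower-cased header
    names, or None when the bytes are not well-formed HTTP (the protocol
    restriction check).
    """
    try:
        head, _, _ = raw.partition(b"\r\n\r\n")
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ", 2)
    except (UnicodeDecodeError, ValueError):
        return None
    if not version.startswith("HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            return None
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def inspect(raw: bytes) -> dict:
    """Apply the three controls and report the outcome of each.

    'allow' is granted only when the request is HTTP, carries an
    allowlisted User-Agent and presents valid Basic proxy credentials.
    """
    parsed = parse_request(raw)
    if parsed is None:
        return {"protocol": False, "user_agent": False,
                "auth": False, "allow": False}
    _, _, _, headers = parsed
    ua_ok = headers.get("user-agent") in ALLOWED_AGENTS
    auth_ok = False
    cred = headers.get("proxy-authorization", "")
    if cred.startswith("Basic "):
        try:
            decoded = base64.b64decode(cred[6:], validate=True).decode("utf-8")
            user, _, pw = decoded.partition(":")
            auth_ok = VALID_CREDS.get(user) == pw
        except (ValueError, UnicodeDecodeError):
            auth_ok = False
    return {"protocol": True, "user_agent": ua_ok,
            "auth": auth_ok, "allow": ua_ok and auth_ok}


def with_proxy_auth(raw: bytes, user: str, pw: str) -> bytes:
    """Return the request with a Basic Proxy-Authorization header added."""
    token = base64.b64encode(f"{user}:{pw}".encode("utf-8"))
    head, sep, body = raw.partition(b"\r\n\r\n")
    return head + b"\r\nProxy-Authorization: Basic " + token + sep + body


if __name__ == "__main__":
    for label, req in (("wget", WGET_REQUEST), ("nc", NC_REQUEST),
                       ("wget+auth", with_proxy_auth(WGET_REQUEST, "alice", "s3cret")),
                       ("ssh banner", b"SSH-2.0-OpenSSH_9.0\r\n")):
        print(f"{label:10s} {inspect(req)}")
```

Running the block shows the wget and nc requests receiving identical verdicts from every check, which is the limitation the post describes: the controls decide whether a request is acceptable, not which process on the host produced it. Attributing traffic to a process requires a host-side component (a local firewall or agent with access to the socket owner), which is why the page's "no change on the host system" constraint leaves these three controls as the ceiling for an off-host device.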

