Revisited: "Zone Alarm" (tm) for Linux?

You’ll see this pop up from time to time: “is there something like ZoneAlarm™ for Linux?”

I’ll admit, one thing I liked about Zone Alarm was its ability to tell me if a newly-installed program was trying to access the network. Perfect example: you’d install Adobe’s Acrobat Reader under Windows with Zone Alarm active, and it would instantly warn you: “This thing is trying to access the Internet.” You get no such warning under Linux. I have to admit, I miss that. (Badly.)

However … after looking into this in more detail than I thought I would, I know now why there’s not a “Zone alarm” for Linux. The kernel’s innards have to be patched for this sort of thing, primarily because Linus himself considers it very insecure to allow just anyone to patch it. There are specifically-defined places where patches are allowed, and only by “approved” Linux Security Modules.

(Simply put: the same patches that Zone Alarm tacks into Windows could easily be bypassed, or used by a malicious program in some other way. In the case of Linux, you’d basically have to build your own custom kernel, so you’d have to repatch and recompile every time there was an update!)

The most common alternatives to Zone Alarm for Linux appear to be AppArmor and SELinux. For example, you could simply make it a policy that Acrobat couldn’t access the network and that would be it.

SELinux really isn’t an option for me, at least, not until someone develops better config tools for it. It’s just too difficult to get working, and it’s very easy to render a system unusable (speaking from experience!).

AppArmor looks a little more “user-friendly” (relatively speaking), but I’m worried about relying on it. Immunix, the original creator, is long gone. Since Novell laid off the developers, is any work being done on it? Is it Abandonware? Looking at the forge page for it, no updates have been issued for over a year.

Novell AppArmor - apparmor

Does anyone know if 11.2 will support AppArmor?

You could use something like this for your gateway.

NuFW - The Identity based Firewall

Honestly though I find Zone Alarm style notifications too low-level and annoying. I think they are also useless. If an Internet app is pointed to a poisoned resource on the net, it would look like a normal web access.

No, I had NOT seen that! Thanks for the link. That may be just what I’m looking for.

Honestly though I find Zone Alarm style notifications too low-level and annoying. I think they are also useless. If an Internet app is pointed to a poisoned resource on the net, it would look like a normal web access.

They never really bothered me. I liked knowing if a newly-installed app wanted to access the Internet. In the Windows world especially, so many of them do it – often without informing you. From my experience, you’d get the warning, decide whether to allow or deny it, and Zone Alarm generally wouldn’t bother you again (unless the application tried to do something else fishy).

I’m with Ken Yap on this.

The necessity to have a Firewall, where one observes this sort of behaviour, is one of the reasons why I have always found installing MS-Windows apps more difficult than installing Linux apps (in particular I am referring to Linux apps from a solid/respected repository - not a custom Linux compile nor from some unknown repos).

Often my wife gets 3 to 6 Zone Alarm popups when installing an MS-Windows app. I often get called, … and I get asked what it means?? … we end up surfing for 5 to 10 minutes (sometimes more) to try to figure out, … for each firewall popup. Over 1/2 the time we have no idea what is happening. What a royal PITA. Anyway, it’s a MAJOR pet peeve of mine about Windoze software installation.

I tend to say that any linux firewall is better than any Windows firewall. Just spent two days on what was reported as a ‘hacked website’; it appeared to reside on a firewalled Windows server, it wasn’t the website that had been hacked, it was the server…including the firewall.
My son uses a paid version of ZoneAlarm; he knows exactly how to get rid of the popups: allow anything. I don’t think the average user will be any different after a week of popups: ‘Allow’ is the one-click solution.
On webservers I use CSF. Very nice.

While no OS is bulletproof Linux comes pretty close to it as does BSD.
If a basic firewall is needed I find Firestarter handy.
In any case Linux closes off many incoming ports by default, even without a frontend to a firewall app most linuxes come with many good firewall tools built in.
If you are overly paranoid though, there is one way to make sure no one hacks into your computer:
Unplug it from the internet and lock it in a safe deep underground :smiley:


You’re correct in your original analysis, unfortunately, in that ZoneAlarm
is only as good as its ability to resist being circumvented or disabled,
which I imagine is not that great. The only way to be sure you cannot be
disabled is to run at a ring lower than the malicious disabling apps,
meaning in the kernel (or below, but ignore that for now) but in
windows-land everybody runs as Administrator which, while not the kernel,
has all power over it. So what keeps maliciousWebSiteX from running
maliciousActiveXScriptY and disabling ZoneAlarm? Next to nothing.

ZoneAlarm’s firewall (incoming) is not better than what Linux offers out
of the box in my opinion (block all ports, TCP and UDP, but allow basic
ICMP) but as you mentioned it did have that outgoing part covered.
You COULD disable all outgoing stuff except to certain applications with
NetFilter/iptables but it would probably be a lot of work and may easily
require a fair bit of scripting on your part to make the firewall nice and
dynamic. Watching /var/log/firewall could tell you what is sending data
out from your box though that could easily become a very large file if you
enabled logging for everything outgoing with no exceptions. The balance
between knowing your application and allowing it and having ZoneAlarm give
you a notice that you immediately click ‘Yes, Let My Virus Out’ in has not
yet been found, I do not think. AppArmor and SELinux (both of which use
LSM in the kernel as I recall) are a sweet spot but require that you have
policies that allow the correct behavior and block the rest. If I write a
malicious app, though, and give you an AppArmor/SELinux policy that “helps
keep my malicious app from being malicious” I’m not helping you or hurting
me even though you now have a warm fuzzy that you’re protected (basically
what ZoneAlarm gives you, plus a small hole in your pocketbook). If you
only install software that you trust, though, you still have the warm
fuzzy but without the pocketbook being emptied. Due to a lack of nonsense
like ActiveX and most malware in the world (plus not running as ‘root’)
Linux is fairly immune to what ZoneAlarm is really best at (drive-by
infections via requested websites) though how well it really stacks up in
those cases is still debatable (the software is smart enough to get past
McAfee and Symantec, both of which run in the kernel, but not ZoneAlarm?).

Good luck.

smpoole7 wrote:
> ken_yap;2024974 Wrote:
>> ‘NuFW - The Identity based Firewall’
>> (http://www.nufw.org/-English-.html)
>>
>
> No, I had NOT seen that! Thanks for the link. That may be just what I’m
> looking for.
>
>> Honestly though I find Zone Alarm style notifications too low-level and
>> annoying. I think they are also useless. If an Internet app is pointed
>> to a poisoned resource on the net, it would look like a normal web
>> access.
>
> They never really bothered me. I liked knowing if a newly-installed
> ap wanted to access the Internet. In the Windows world especially, so
> many of them do it – often without informing you. From my experience,
> you’d get the warning, decide whether to allow or deny it, and Zone
> Alarm generally wouldn’t bother you again (unless the application tried
> to do something else fishy).
>
>
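The post above sketches the "do it with NetFilter/iptables and watch /var/log/firewall" route without spelling it out. The script below is an added example written for this edit, not code from anyone in the thread. It takes the approach the post describes: default-deny outbound, allow only processes running under a dedicated group (the name `netok` is an assumption; trusted network clients would be started with that group), let the kernel log and reject everything else, then summarise the log so the "very large file" the post warns about becomes a short per-user, per-destination table. The log prefix `OUT-DROP` and the sample log lines are constructed for the example; `/var/log/firewall` is taken from the post.

```sh
#!/bin/sh
# Added example (not from the thread): application-aware outbound filtering with
# iptables' owner match, plus a summary of what the kernel logged as blocked.
# Assumptions: a group "netok" exists and trusted clients run with that group
# (e.g. "sg netok -c firefox"); the LOG target's --log-uid adds UID=/GID= to
# each line so the summary can attribute blocked connections to a user.

LOG_PREFIX="OUT-DROP "      # --log-prefix is limited to 29 characters
NET_GROUP="netok"           # assumed group for applications allowed outbound

# Print the rule set; "sh thisfile.sh apply" as root loads it.
outbound_rules() {
    cat <<EOF
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner $NET_GROUP -j ACCEPT
iptables -A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "$LOG_PREFIX" --log-uid
iptables -A OUTPUT -j REJECT
EOF
}

# Read kernel log lines on stdin and print "count uid proto dst:port",
# most frequent first. Lines without our prefix are ignored.
summarize_log() {
    awk -v prefix="$LOG_PREFIX" '
        index($0, prefix) == 0 { next }
        {
            uid = "?"; dst = "?"; dpt = "?"; proto = "?"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "UID") uid = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
            }
            count[uid " " proto " " dst ":" dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample of what the LOG target writes (addresses are documentation ranges).
SAMPLE_LOG='Aug 30 10:12:01 box kernel: OUT-DROP IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=100
Aug 30 10:12:05 box kernel: OUT-DROP IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=100
Aug 30 10:12:09 box kernel: OUT-DROP IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.9 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=40000 DPT=53 LEN=32 UID=1000 GID=100
Aug 30 10:12:12 box kernel: OUT-DROP IN= OUT=eth0 SRC=192.168.1.10 DST=192.0.2.33 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=33000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1001 GID=100'

case "${1:-}" in
    apply) outbound_rules | sh -e ;;                       # root only
    show)  outbound_rules ;;
    log)   summarize_log < "${2:-/var/log/firewall}" ;;    # real log
    *)     printf '%s\n' "$SAMPLE_LOG" | summarize_log ;;  # demo on the sample
esac
```

Run with no arguments it summarises the constructed sample; `log` does the same for the real file. The ESTABLISHED,RELATED rule sits before the owner check so only the first packet of each new connection is judged, which is also why a single blocked program produces one log line per attempt rather than per packet. The `-m limit` clause keeps a chatty program from filling the disk, at the cost of undercounting in the summary.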

I agree with that. But I’ve noticed that in the Linux world, because there isn’t a lot of adware/spamware at present, there’s no concern about a way to simply determine whether a freshly-installed application is trying to access the Web.

This doesn’t concern the True-GNU™ types who insist on running only open-source software, but what if someone wants to download Acrobat Reader (which has been my example throughout)? What about other packages which may not be “free,” but might be quite useful to an end user like me?

Yeah, I know. The True-GNUs™ just say, “don’t use it.” That’s unrealistic because it’s not always an option. What about software that I must use in my work? Speaking from experience, going to the boss and saying, “this package ain’t F/OSS, we ought not to use it!” will rank about a -1 on a 1-10 scale of priorities with him/her. :slight_smile:

So, this isn’t strictly a security-related issue. Of COURSE Linux firewalling is better, and of COURSE Linux is more secure than Windows to start with! But just because the F/OSS community hasn’t had to put up with adware and “phone home all the time” applications thus far doesn’t mean that this will always be true.

Ergo, the fact that ZoneAlarm might be circumvented doesn’t really concern me. The fact that it will, in most common cases, warn me if a freshly-installed package is constantly trying my network connection, makes it worth installing.

When I was using Windows, I certainly understood that Windows’ Firewall and Zone Alarm weren’t foolproof. But they were still useful. (An important distinction.)

At any rate, the reason why I posted this here is because (sigh) in my copious spare time, I’m writing a package that will essentially act as “Zone Alarm” for Linux. We’ll see if it takes off. :slight_smile:

Hi
What about firestarter? http://www.fs-security.com/


Cheers Malcolm °¿° (Linux Counter #276890)
SUSE Linux Enterprise Desktop 11 (x86_64) Kernel 2.6.27.25-0.1-default
up 9 days 18:31, 2 users, load average: 2.33, 2.34, 2.34
GPU GeForce 8600 GTS Silent - Driver Version: 190.18

Thanks, Malcolm. They’ve really improved Firestarter since the last time I looked at it. I’ve already downloaded the source code and I’ll give it a fresh test run.

I keep forgetting that 2 years == forever in the F/OSS world. :slight_smile: