Thread: Revisited: "Zone Alarm" (tm) for Linux?

  1. #1
    Join Date
    Oct 2008
    Location
    Birmingham, AL
    Posts
    858

    Default Revisited: "Zone Alarm" (tm) for Linux?

    You'll see this pop up from time to time: "is there something like ZoneAlarm(tm) for Linux?"

    I'll admit, one thing I liked about Zone Alarm was its ability to tell me if a newly-installed program was trying to access the network. Perfect example: you'd install Adobe's Acrobat Reader under Windows with Zone Alarm active, and it would instantly warn you: "This thing is trying to access the Internet." You get no such warning under Linux. I have to admit, I miss that. (Badly.)

    However ... after looking into this in more detail than I thought I would, I know now *why* there's not a "Zone alarm" for Linux. The kernel's innards have to be patched for this sort of thing, primarily because Linus himself considers it very insecure to allow just anyone to patch it. There are specifically-defined places where patches are allowed, and only by "approved" Linux Security Modules.

    (Simply put: the same patches that Zone Alarm tacks into Windows could easily be bypassed, or used by a malicious program in some other way. In the case of Linux, you'd basically have to build your own custom kernel, so you'd have to repatch and recompile every time there was an update!)

    The most common alternatives to Zone Alarm for Linux appear to be AppArmor and SELinux. For example, you could simply make it a policy that Acrobat couldn't access the network and that would be it.

    SELinux really isn't an option for me, at least, not until someone develops better config tools for it. It's just too difficult to get working, and it's very easy to render a system unusable (speaking from experience!).

    AppArmor looks a little more "user-friendly" (relatively speaking), but I'm worried about relying on it. Immunix, the original creator, is long gone. Since Novell laid off the developers, is any work being done on it? Is it Abandonware? Looking at the forge page for it, no updates have been issued for over a year.

    Novell AppArmor - apparmor

    Does anyone know if 11.2 will support AppArmor?

  2. #2
    Join Date
    Jun 2008
    Location
    UTC+10
    Posts
    9,686
    Blog Entries
    4

    Default Re: Revisited: "Zone Alarm" (tm) for Linux?

    You could use something like this for your gateway.

    NuFW - The Identity based Firewall

    Honestly though I find Zone Alarm style notifications too low-level and annoying. I think they are also useless. If an Internet app is pointed to a poisoned resource on the net, it would look like a normal web access.

  3. #3
    Join Date
    Oct 2008
    Location
    Birmingham, AL
    Posts
    858

    Default Re: Revisited: "Zone Alarm" (tm) for Linux?

    Quote Originally Posted by ken_yap
    No, I had NOT seen that! Thanks for the link. That may be just what I'm looking for.

    Honestly though I find Zone Alarm style notifications too low-level and annoying. I think they are also useless. If an Internet app is pointed to a poisoned resource on the net, it would look like a normal web access.
    They never really bothered me. I *liked* knowing if a newly-installed app wanted to access the Internet. In the Windows world especially, so many of them do it -- often without informing you. From my experience, you'd get the warning, decide whether to allow or deny it, and Zone Alarm generally wouldn't bother you again (unless the application tried to do something else fishy).

  4. #4
    Join Date
    Mar 2008
    Location
    Phuket, Thailand
    Posts
    26,548
    Blog Entries
    37

    Default Re: Revisited: "Zone Alarm" (tm) for Linux?

    Quote Originally Posted by smpoole7
    They never really bothered me. ..... From my experience, you'd get the warning, decide whether to allow or deny it, and Zone Alarm generally wouldn't bother you again (unless the application tried to do something else fishy).
    I'm with Ken Yap on this.

    The necessity to have a Firewall, where one observes this sort of behaviour, is one of the reasons why I have always found installing MS-Windows apps more difficult than installing Linux apps (in particular I am referring to Linux apps from a solid/respected repository - not a custom Linux compile nor from some unknown repos).

    Often my wife gets 3 to 6 Zone Alarm popups when installing an MS-Windows app. I often get called, ... and I get asked what it means?? ... we end up surfing for 5 to 10 minutes (sometimes more) to try to figure out, ... for each firewall popup. Over 1/2 the time we have no idea what is happening. What a royal PITA. Anyway, it's a MAJOR pet peeve of mine about Windoze software installation.

  5. #5
    Join Date
    Jun 2008
    Location
    Groningen, Netherlands
    Posts
    19,763
    Blog Entries
    14

    Default Re: Revisited: "Zone Alarm" (tm) for Linux?

    I tend to say that any Linux firewall is better than any Windows firewall. Just spent two days on what was reported as a 'hacked website'; it appeared to reside on a firewalled Windows server. It wasn't the website that had been hacked, it was the server... including the firewall.
    My son uses a paid version of ZoneAlarm; he knows exactly how to get rid of the popups: allow anything. I don't think the average user will be any different after a week of popups: 'Allow' is the one-click solution.
    On webservers I use CSF. Very nice.

    ° Perfection is not gonna happen. No way.

    https://en.opensuse.org/openSUSE:Board#Members
    http://en.opensuse.org/User:Knurpht
    http://nl.opensuse.org/Gebruiker:Knurpht

  6. #6

    Default Re: Revisited: "Zone Alarm" (tm) for Linux?

    While no OS is bulletproof, Linux comes pretty close to it, as does BSD.
    If a basic firewall is needed, I find Firestarter handy.
    In any case Linux closes off many incoming ports by default; even without a frontend to a firewall app, most Linuxes come with many good firewall tools built in.
    If you are overly paranoid though, there is one way to make sure no one hacks into your computer:
    Unplug it from the internet and lock it in a safe deep underground.

  7. #7

    Default Re: Revisited: "Zone Alarm" (tm) for Linux?

    You're correct in your original analysis, unfortunately, in that ZoneAlarm
    is only as good as its ability to resist being circumvented or disabled,
    which I imagine is not that great. The only way to be sure you cannot be
    disabled is to run at a ring lower than the malicious disabling apps,
    meaning in the kernel (or below, but ignore that for now), but in
    Windows-land everybody runs as Administrator which, while not the kernel,
    has all power over it. So what keeps maliciousWebSiteX from running
    maliciousActiveXScriptY and disabling ZoneAlarm? Next to nothing.

    ZoneAlarm's firewall (incoming) is not better than what Linux offers out
    of the box in my opinion (block all ports, TCP and UDP, but allow basic
    ICMP), but as you mentioned it did have that outgoing part covered.
    You COULD disable all outgoing stuff except to certain applications with
    NetFilter/iptables, but it would probably be a lot of work and may easily
    require a fair bit of scripting on your part to make the firewall nice and
    dynamic. Watching /var/log/firewall could tell you what is sending data
    out from your box, though that could easily become a very large file if you
    enabled logging for everything outgoing with no exceptions. The balance
    between knowing your application and allowing it, and having ZoneAlarm give
    you a notice that you immediately click 'Yes, Let My Virus Out' in, has not
    yet been found, I do not think. AppArmor and SELinux (both of which use
    LSM in the kernel as I recall) are a sweet spot, but require that you have
    policy that allows the correct behavior and blocks the rest. If I write a
    malicious app, though, and give you an AppArmor/SELinux policy that "helps
    keep my malicious app from being malicious", I'm not helping you or hurting
    me, even though you now have a warm fuzzy that you're protected (basically
    what ZoneAlarm gives you, plus a small hole in your pocketbook). If you
    only install software that you trust, though, you still have the warm
    fuzzy but without the pocketbook being emptied. Due to a lack of nonsense
    like ActiveX and most malware in the world (plus not running as 'root'),
    Linux is fairly immune to what ZoneAlarm is really best at (drive-by
    infections via requested websites), though how well it really stacks up in
    those cases is still debatable (the software is smart enough to get past
    McAfee and Symantec, both of which run in the kernel, but not ZoneAlarm?).

    Good luck.
    smpoole7 wrote:
    > ken_yap;2024974 Wrote:
    >> 'NuFW - The Identity based Firewall'
    >> (http://www.nufw.org/-English-.html)
    >>

    >
    > No, I had NOT seen that! Thanks for the link. That may be just what I'm
    > looking for.
    >
    >> Honestly though I find Zone Alarm style notifications too low-level and
    >> annoying. I think they are also useless. If an Internet app is pointed
    >> to a poisoned resource on the net, it would look like a normal web
    >> access.

    >
    > They never really bothered me. I *liked* knowing if a newly-installed
    > app wanted to access the Internet. In the Windows world especially, so
    > many of them do it -- often without informing you. From my experience,
    > you'd get the warning, decide whether to allow or deny it, and Zone
    > Alarm generally wouldn't bother you again (unless the application tried
    > to do something else fishy).
    >
    >

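The approach the post above sketches, logging outgoing connections with NetFilter/iptables and reading /var/log/firewall to see what is sending data out, as an added example that is not from the thread or any of its posters: the assumed LOG rule uses the LOG target's --log-uid option so each line records the UID that opened the connection, and the shell functions summarize those lines per UID, destination and port. The log lines are constructed samples in the kernel's LOG format; the rule itself is shown only in a comment and the script never runs iptables.

```shell
#!/bin/sh
# Added example, not from the thread. Summarizes outgoing connections
# recorded by an iptables LOG rule. Assumed rule (run as root; it logs
# new outgoing connections and blocks nothing):
#   iptables -A OUTPUT -m state --state NEW -j LOG \
#       --log-prefix "OUT-NEW " --log-uid
# On SUSE the kernel's LOG lines end up in /var/log/firewall, so
# `summarize_outgoing < /var/log/firewall` is the intended use.

# Constructed sample lines in the kernel LOG format (not captured from
# a real machine). The last line is an inbound packet and is ignored.
SAMPLE_LOG='Aug 12 10:01:02 host kernel: OUT-NEW IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=43210 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0 UID=1000 GID=100
Aug 12 10:01:03 host kernel: OUT-NEW IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=43211 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0 UID=1000 GID=100
Aug 12 10:01:04 host kernel: OUT-NEW IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=51000 DPT=53 LEN=32 UID=1000 GID=100
Aug 12 10:01:05 host kernel: OUT-NEW IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=43300 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 UID=65534 GID=65534
Aug 12 10:01:06 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=443 DPT=43210 ACK'

# summarize_outgoing: read log lines on stdin and print one line per
# "UID DST PROTO DPT" combination, prefixed by its count, most
# frequent first. Only lines carrying the OUT-NEW prefix are counted.
summarize_outgoing() {
    grep 'OUT-NEW' | awk '{
        uid = ""; dst = ""; proto = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=");
            if (kv[1] == "UID") uid = kv[2];
            else if (kv[1] == "DST") dst = kv[2];
            else if (kv[1] == "PROTO") proto = kv[2];
            else if (kv[1] == "DPT") dpt = kv[2];
        }
        if (uid != "" && dst != "")
            count[uid " " dst " " proto " " dpt]++;
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# count_uids: number of distinct UIDs that opened outgoing connections,
# a quick way to spot a service account that should never talk outward.
count_uids() {
    summarize_outgoing | awk '{ print $2 }' | sort -u | wc -l | tr -d ' '
}
```

Mapping a UID back to the program still takes a second step, such as running the suspect application under its own unprivileged user so its traffic stands out in this summary.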

  8. #8
    Join Date
    Oct 2008
    Location
    Birmingham, AL
    Posts
    858

    Default Re: Revisited: "Zone Alarm" (tm) for Linux?

    Quote Originally Posted by ab@novell.com
    You're correct in your original analysis, unfortunately, in that ZoneAlarm
    is only as good as its ability to resist being circumvented or disabled,
    which I imagine is not that great.
    I agree with that. But I've noticed that in the Linux world, because there isn't a lot of adware/spamware at present, there's no concern about a way to simply determine whether a freshly-installed application is trying to access the Web.

    This doesn't concern the True-GNU(tm) types who insist on running only open-source software, but what if someone wants to download Acrobat Reader (which has been my example throughout)? What about other packages which may not be "free," but might be quite useful to an end user like me?

    Yeah, I know. The True-GNUs(tm) just say, "don't use it." That's unrealistic because it's not always an option. What about software that I must use in my work? Speaking from experience, going to the boss and saying, "this package ain't F/OSS, we ought not to use it!" will rank about a -1 on a 1-10 scale of priorities with him/her.

    So, this isn't strictly a security-related issue. Of COURSE Linux firewalling is better, and of COURSE Linux is more secure than Windows to start with! But just because the F/OSS community hasn't had to put up with adware and "phone home all the time" applications thus far doesn't mean that this will always be true.

    Ergo, the fact that ZoneAlarm might be circumvented doesn't really concern me. The fact that it will, in most common cases, warn me if a freshly-installed package is constantly trying my network connection, makes it worth installing.

    When I was using Windows, I certainly understood that Windows' Firewall and Zone Alarm weren't foolproof. But they were still useful. (An important distinction.)

    At any rate, the reason why I posted this here is because (sigh) in my copious spare time, I'm writing a package that will essentially act as "Zone Alarm" for Linux. We'll see if it takes off.

  9. #9
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    26,640
    Blog Entries
    15

    Default Re: Revisited: "Zone Alarm" (tm) for Linux?

    Quote Originally Posted by smpoole7
    ab@novell.com;2025424 Wrote:
    > You're correct in your original analysis, unfortunately, in that
    > ZoneAlarm
    > is only as good as its ability to resist being circumvented or
    > disabled,
    > which I imagine is not that great.
    >


    I agree with that. But I've noticed that in the Linux world, because
    there isn't a lot of adware/spamware at present, there's no concern
    about a way to simply determine whether a freshly-installed application
    is trying to access the Web.

    This doesn't concern the True-GNU(tm) types who insist on running only
    open-source software, but what if someone wants to download Acrobat
    Reader (which has been my example throughout)? What about other packages
    which may not be "free," but might be quite useful to an end user like
    me?

    Yeah, I know. The True-GNUs(tm) just say, "don't use it." That's
    unrealistic because it's not always an option. What about software that
    I must use in my work? Speaking from experience, going to the boss and
    saying, "this package ain't F/OSS, we ought not to use it!" will rank
    about a -1 on a 1-10 scale of priorities with him/her.

    So, this isn't strictly a security-related issue. Of COURSE Linux
    firewalling is better, and of COURSE Linux is more secure than Windows
    to start with! But just because the F/OSS community hasn't had to put up
    with adware and "phone home all the time" applications thus far doesn't
    mean that this will always be true.

    Ergo, the fact that ZoneAlarm might be circumvented doesn't really
    concern me. The fact that it will, in most common cases, warn me if a
    freshly-installed package is constantly trying my network connection,
    makes it worth installing.

    When I was using Windows, I certainly understood that Windows' Firewall
    and Zone Alarm weren't foolproof. But they were still useful. (An
    important distinction.)

    At any rate, the reason why I posted this here is because (sigh) in my
    copious spare time, I'm writing a package that will essentially act as
    "Zone Alarm" for Linux. We'll see if it takes off.
    Hi
    What about Firestarter? http://www.fs-security.com/

    --
    Cheers Malcolm (Linux Counter #276890)
    SUSE Linux Enterprise Desktop 11 (x86_64) Kernel 2.6.27.25-0.1-default
    up 9 days 18:31, 2 users, load average: 2.33, 2.34, 2.34
    GPU GeForce 8600 GTS Silent - Driver Version: 190.18
  10. #10
    Join Date
    Oct 2008
    Location
    Birmingham, AL
    Posts
    858

    Default Re: Revisited: "Zone Alarm" (tm) for Linux?

    Quote Originally Posted by malcolmlewis
    Hi
    What about Firestarter? http://www.fs-security.com/
    Thanks, Malcolm. They've really improved Firestarter since the last time I looked at it. I've already downloaded the source code and I'll give it a fresh test run.

    I keep forgetting that 2 years == forever in the F/OSS world.
