Networking Forums


linux robust?can build application layer firewall on linux?

 
 
happy
09-08-2004, 02:44 PM
I am learning about the robust firewall technique. However, I couldn't find
any package for Linux to build an application layer firewall,
for example with CBAC/IDS functions, free license.
Thanks a lot


 
Walter Mautner
09-08-2004, 08:20 PM
happy wrote:

> I am learning about the robust firewall technique. However, I couldn't find
> any package for Linux to build an application layer firewall,
> for example with CBAC/IDS functions, free license.


What (the heck) is an application layer firewall?
Are you thinking of the "personal desktop firewalls" for Windows?
Actually, they work only because the "firewalled" applications run on
the same host as the "firewall". Well, that's a big mistake in Unix/Linux
terms: a firewall is a firewall is a firewall. Hardened as can be, with as
little vulnerable stuff as possible. No X Windows, no other applications
except an ssh or maybe webmin access from the inside only (bound to the
local zone interface). A real firewall cannot distinguish which application
sends out packets. If you need "application level filtering", you need
proxies for your applications and block direct outgoing access.
Even that cannot hinder an application calling home via web across the proxy,
or using tunnels.
--
Longhorn error#4711: TCPA / NGSCB VIOLATION: Microsoft optical mouse
detected penguin patterns on mousepad. Partition scan in progress
to remove offending incompatible products. Reactivate your MS software.
Linux woodpecker.homnet.at 2.6.8reiser4pkt [LinuxCounter#295241]
 
7
09-08-2004, 08:23 PM
happy wrote:

> I am learning about the robust firewall technique. However, I couldn't find
> any package for Linux to build an application layer firewall,
> for example with CBAC/IDS functions, free license.
> Thanks a lot


IPCop firewall is a self-installing firewall CD with a secure browser
control interface.
http://www.ipcop.org/
You might want to take that apart to see how all that works as a guide.


 
Jeroen Geilman
09-08-2004, 09:21 PM
Walter Mautner wrote:

> What (the heck) is an application layer firewall?


A firewall that operates at the top ("application") layers of the OSI or
TCP/IP stacks, respectively.

> You think of the "personal desktop firewalls" for windows?


No, he isn't.

> Actually, they are working only because the "firewalled" applications run on
> the same host as the "firewall". Well, that's a big mistake in unix/linux
> terms: a firewall is a firewall is a firewall.


What you are calling a "firewall is a firewall is a firewall" (sic) is
actually a /stateful packet filter/.
It can be /part/ of a firewall, it can even be the only thing *running*
on the firewall, but it is /not/ the only kind of firewall.

It isn't even a firewall in and of itself - a stateful packet filter
only *becomes* a firewall in combination with a /router/.

> Hardened as can be, with as
> little vulnerable stuff as possible. No x-windows, no other applications
> except a ssh or maybe webmin access from the inside only (bound to the
> local zone interface). A real firewall cannot distinguish which application
> sends out packets.


An application-layer firewall can certainly distinguish between
different application-layer protocols, and scan the contents of the
packets to filter on application protocol content.
HTTP(S), FTP, SMTP, POP3, IMAP4, SSH are all application protocols.

They are not applications.

> If you need "application level filtering", you need
> proxies for your applications and block direct outgoing access.


No, you don't.
A proxy likewise does not interact with any application - it interacts
with network protocols used by applications.
Which specific application this is (e.g. a web browser) is completely
irrelevant to the proxy server.

> Even that cannot hinder an application calling home via web across the proxy,
> or using tunnels.


You are so confused.

That's exactly what a packet filter can and does prohibit.

--
J

All your bits are belong to us - again.
 
James Knott
09-09-2004, 02:58 AM
Walter Mautner wrote:

> A real firewall cannot distinguish which application
> sends out packets. If you need "application level filtering", you need
> proxies for your applications and block direct outgoing access.


Any firewall should be able to filter on port numbers, if it's to be any
good. Most apps, such as telnet, browsers etc., rely on standard port
numbers, which can be easily filtered.

--

(This space intentionally left blank)
 
Jose Maria Lopez Hernandez
09-09-2004, 04:29 PM
7 wrote:
> happy wrote:
>> I am learning about the robust firewall technique. However, I couldn't find
>> any package for Linux to build an application layer firewall,
>> for example with CBAC/IDS functions, free license.
>> Thanks a lot
>
> IPCop firewall is a self-installing firewall CD with a secure browser
> control interface.
> http://www.ipcop.org/
> You might want to take that apart to see how all that works as a guide.

Trex should do the work you want; it's a firewall proxy and it
was released under the GPL. But it's a nightmare to compile; I haven't
had the time to make it compile properly, so I couldn't try it.

You can also try fwtk (the firewall toolkit), which is another
application firewall, but a little old now.

--

Jose Maria Lopez Hernandez
Technical Director, bgSEC
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
Spain

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
 
Walter Mautner
09-10-2004, 05:34 AM
Jeroen Geilman wrote:

> Walter Mautner wrote:
>
>> What (the heck) is an application layer firewall?

>
> A firewall that operates at the top ("application") layers of the OSI or
> TCP/IP stacks, respectively.
>

That would be an application level gateway or proxy?

>> You think of the "personal desktop firewalls" for windows?

>
> No, he isn't.
>

.....
> What you are calling a "firewall is a firewall is a firewall" (sic) is
> actually a /stateful packet filter/.
> It can be /part/ of a firewall, it can even be the only thing *running*
> on the firewall, but it is /not/ the only kind of firewall.
>

Hmm, I also thought about (transparent) squid proxy, email and news
gateway/servers like postfix/fetchmail, leafnode running on the firewall
host, if necessary. And blocking direct access to http/pop/imap/smtp from
inside.
But then, new applications using the same protocol won't pop up a more or
less warning window, or get logged otherwise, as long as they adhere to the
protocol and correct target ports.
A transparent proxy cannot help against other programs using HTTP access,
or am I really confused?

> It isn't even a firewall in and of itself - a stateful packet filter
> only *becomes* a firewall in combination with a /router/.
>

Damned, yes.

> An application-layer firewall can certainly distinguish between
> different application-layer protocols, and scan the contents of the
> packets to filter on application protocol content.
> HTTP(S), FTP, SMTP, POP3, IMAP4, SSH are all application protocols.
>
> They are not applications.
>

Well, I falsely interpreted the OP had asked about exactly that feature
which only desktop firewalls running on the same host as the application
can provide (scanning for application program names/md5 checksums to
recognize modified programs). It's no firewall then, rather a spyware
detection/blocking tool. Must have been really confused
....
> A proxy likewise does not interact with any application - it interacts
> with network protocols used by applications.
> Which specific application this is (e.g. a web browser) is completely
> irrelevant to the proxy server.
>
>> Even that cannot hinder an application calling home via web across the
>> proxy, or using tunnels.

>
> You are so confused.
>
> That's exactly what a packet filter can and does prohibit.
>

Now tell me, what would you do to protect a LAN from spyware calling home
from the inside across well-known and forwarded/proxied ports using the
proper protocol? I guess it can't be done on the firewall.
Neither can it recognize a tunnel as long as there are no specific patterns
or protocol violations.
It would have to be a content filter, am I wrong again?
--
Longhorn error#4711: TCPA / NGSCB VIOLATION: Microsoft optical mouse
detected penguin patterns on mousepad. Partition scan in progress
to remove offending incompatible products. Reactivate your MS software.
Linux woodpecker.homnet.at 2.6.8reiser4pkt [LinuxCounter#295241]
 
happy
09-10-2004, 01:33 PM
I want a feature just like the Content base Access Control (CBAC)/IDS in
CISCO networking.

"happy" wrote:
> I am learning about the robust firewall technique. However, I couldn't find
> any package for Linux to build an application layer firewall,
> for example with CBAC/IDS functions, free license.
> Thanks a lot
 
Jeroen Geilman
09-19-2004, 06:37 PM
Walter Mautner wrote:
> Jeroen Geilman wrote:
>
>>Walter Mautner wrote:
>>
>>>What (the heck) is an application layer firewall?

>>
>>A firewall that operates at the top ("application") layers of the OSI or
>>TCP/IP stacks, respectively.

>
> That would be an application level gateway or proxy?


No, an application *layer* firewall.

A proxy can be used as one, yes, but it isn't one by definition.

>>>You think of the "personal desktop firewalls" for windows?

>>
>>No, he isn't.

> ....
>
>>What you are calling a "firewall is a firewall is a firewall" (sic) is
>>actually a /stateful packet filter/.
>>It can be /part/ of a firewall, it can even be the only thing *running*
>>on the firewall, but it is /not/ the only kind of firewall.

>
> Hmm, I also thought about (transparent) squid proxy, email and news
> gateway/servers like postfix/fetchmail, leafnode running on the firewall
> host, if necessary. And blocking direct access to http/pop/imap/smtp from
> inside.
> But then, new applications using the same protocol won't popup a more or
> less warning window,


No hardware firewall will "pop up" any sort of window - it will just deny
you access.

> or get logged otherwise, as long as they adhere to the
> protocol and correct target ports.
> A transparent proxy cannot help against other programs using http access,
> or am I really confused?


That depends on how you have configured it.

> Well, I falsely interpreted the OP had asked about exactly that feature
> which only desktop firewalls running on the same host as the application
> can provide (scanning for application program names/md5 checksums to
> recognize modified programs).


If that's what you want, then that's obviously what you need to use.

My point (if I can be said to have one) is this:
I never use workstation-type "firewalls" or protection, apart from a
really good virus scanner (NOD32) and occasionally running Spybot S&D.

If it gets past my Linux firewall (a real one, as in: not used for
anything else) then it won't be able to do much damage anymore, and it's
welcome to try.

> Now tell me, what would you do to protect a LAN from spyware calling home
> from the inside across well-known and forwarded/proxied ports using the
> proper protocol? I guess it can't be done on the firewall.


It can, yes - if you're prepared to pay for it.

Detecting and filtering this kind of behaviour is really inefficient.
A much cleaner solution is to keep lists of known spyware networks and
deny access to /them/ from inside - any and all access will be blocked,
be it by spyware calling home or by legitimate programs.
You can pretty safely assume there is no legitimate content at the
addresses the spyware calls home to...

> Neither can it recognize a tunnel as long as there are no specific patterns
> or protocol violations.
> It would have to be a content filter, am I wrong again?


A very, very deep content filter, yes.
For anything up to 1000 different protocols at once.
At, say, 100 Mbit throughput.
Do you have any spare Quad-Xeon-4 systems lying around you'd like to
donate? ;-)


--
J

All your bits are belong to us - again.
 
Jeroen Geilman
09-19-2004, 06:54 PM
James Knott wrote:
> Walter Mautner wrote:
>
>>A real firewall cannot distinguish which application
>>sends out packets. If you need "application level filtering", you need
>>proxies for your applications and block direct outgoing access.

>
> Any firewall should be able to filter on port numbers, if it's to be any
> good. Most apps, such as telnet, browsers etc., rely on standard port
> numbers, which can be easily filtered.


Yes, but that does not answer his question, which was about applications.

Many different applications can and do use the same WKP numbers.


--
J

All your bits are belong to us - again.
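The two mechanisms argued over in this thread, a plain packet filter that denies egress to known spyware networks, and an application-layer check that what flows over a well-known port really is the protocol that port is reserved for (James's point that ports are easy to filter versus Jeroen's point that many applications share the same well-known port), as a small added example written for this page. It is not code from any poster nor from IPCop, Trex or fwtk. Everything in it is constructed: the blocklist uses RFC 5737 documentation ranges rather than real indicators, the sample flows are made up, and the `decide` policy function and its port list are hypothetical. Note what it does not catch: a program that speaks syntactically valid HTTP to an unlisted destination passes, which is exactly Walter's tunnelling objection and why Jeroen says anything deeper costs serious hardware.

```python
import ipaddress
import re

# Constructed blocklist standing in for "known spyware networks" (RFC 5737
# documentation ranges, not real indicators of compromise).
SPYWARE_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]

# Hypothetical policy: ports the packet filter lets out directly; everything
# else from inside must go through a proxy and is dropped here.
ALLOWED_EGRESS_PORTS = {80, 443}

# Request line of an HTTP/1.x request, e.g. b"GET / HTTP/1.1\r\n".
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n"
)


def destination_blocked(dst):
    """Plain packet-filter check: is the destination inside a listed network?"""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in SPYWARE_NETWORKS)


def looks_like_http(payload):
    """Application-layer check: does the client's first message open an HTTP request?"""
    return HTTP_REQUEST_LINE.match(payload) is not None


def looks_like_tls_client_hello(payload):
    """TLS record header: content type 0x16 (handshake), major version 0x03,
    then handshake type 0x01 (ClientHello) at offset 5."""
    return (
        len(payload) >= 6
        and payload[0] == 0x16
        and payload[1] == 0x03
        and payload[5] == 0x01
    )


def decide(dst, port, payload):
    """Return (verdict, reason) for the first client-to-server message of a flow.

    Order matters: the cheap address check runs before any payload inspection,
    which is the packet-filter-first design Jeroen recommends.
    """
    if destination_blocked(dst):
        return "DENY", "destination in spyware blocklist"
    if port not in ALLOWED_EGRESS_PORTS:
        return "DENY", f"port {port} not permitted for direct egress"
    if port == 80 and not looks_like_http(payload):
        return "DENY", "payload on port 80 is not HTTP"
    if port == 443 and not looks_like_tls_client_hello(payload):
        return "DENY", "payload on port 443 is not a TLS ClientHello"
    # A well-formed HTTP or TLS tunnel to an unlisted address still lands here.
    return "ALLOW", f"protocol matches port {port}"


# Constructed sample flows: (destination, port, first bytes sent by the client).
SAMPLE_FLOWS = [
    ("203.0.113.7", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("192.0.2.10", 80, b"GET /beacon HTTP/1.1\r\nHost: example.net\r\n\r\n"),
    ("203.0.113.7", 80, b"SSH-2.0-OpenSSH_3.8\r\n"),
    ("203.0.113.7", 443, bytes([0x16, 0x03, 0x01, 0x00, 0x31, 0x01, 0x00, 0x00, 0x2D, 0x03])),
    ("203.0.113.7", 25, b"EHLO client.example.com\r\n"),
]


def evaluate_flows(flows=SAMPLE_FLOWS):
    """Run the policy over a list of flows; returns (dst, port, verdict, reason) tuples."""
    return [(dst, port, *decide(dst, port, payload)) for dst, port, payload in flows]


if __name__ == "__main__":
    for dst, port, verdict, reason in evaluate_flows():
        print(f"{verdict:5} {dst}:{port:<4} {reason}")
```

Running it prints one verdict per constructed flow: the HTTP request and the TLS ClientHello to the unlisted address are allowed, the request to the blocklisted address is denied before its payload is ever looked at, the SSH banner on port 80 is denied by the protocol check, and the SMTP attempt is denied by port. A real deployment would hang the address check off the packet filter (iptables/netfilter) and the protocol check off a proxy such as the transparent squid Walter mentions; the split here only makes the two layers visible.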