[Info-vax] Communications security, was: Re: New VSI Roadmap (yipee!)
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Sun Mar 1 08:40:07 EST 2015
On 2015-02-28, johnwallace4 at yahoo.co.uk <johnwallace4 at yahoo.co.uk> wrote:
> On Saturday, 28 February 2015 21:33:42 UTC, David Froble wrote:
>>
>> You're going to make Kerry unhappy ........
>>
>> You're both right, today's practices are poor to downright bad.
>>
>> Look at the anti-virus programs. They may check for known problems, but
>> otherwise they just let things go through. Perhaps this is the real
>> problem.
>>
>> Now, I'm not saying the following would work. But it's what I've been
>> thinking about.
>>
>> Instead of letting communications happen unless a known problem is
>> found, perhaps what needs to happen, at least in some cases, is only
>> letting communications pass that are known and expected. Yeah, that
>> would be a lot of work, perhaps way too much. Sure wouldn't work for
>> Susie doing Facebook.
>>
>> Maybe some type of communications manager that controls what traffic can
>> reach the computer. Actually knows what the communications are and what
>> they will be doing.
>>

It isn't just the traffic reaching the computer you have to worry about.
You also have to plan for the day when a way through your defences is
found and your system gets compromised.

In that case, you also have to worry about unusual _outgoing_ connections.

>> While I don't have what I'd consider an answer, I do feel that the way
>> things are done now just isn't ever going to work.
>
> Somebody (Simon?) might be along soon suggesting looking at (for example)
> SELinux. And they'd have a very fair starting point.
>
Oh great, Simon's getting predictable. :-)

I have actually done something like this multiple times. For one example,
with Apache I configured a SELinux policy to allow a PHP script to
open an outgoing connection to a specific target port (so it could
access some information) but I banned it from being able to create
outgoing connections to other random ports.

Yes, it's work to set up and it's certainly no silver bullet, but I felt
more comfortable knowing that if that script had ever got compromised,
then, regardless of what it _tried_ to do, this was a good step to try
and cut down the number of ways it could actually be abused and increase
the chances the breach would actually be contained.

SELinux is a good step (and one I use), however in the end, it's only a
step. It's never wise to rely on a single security feature in isolation.

Simon.
--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
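
As an added illustration (not part of the original post, and not the poster's configuration): when a policy like the one described confines Apache, each blocked outgoing connection is recorded in the audit log as an AVC denial for the `name_connect` permission, so the same log can be used to spot the unusual outgoing connections mentioned above. The log lines are constructed samples, and the `httpd_t` source domain and the function name are assumptions.

```python
import re
from collections import Counter

# Constructed sample audit.log lines (not taken from the original post).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1425216007.101:410): avc:  denied  { name_connect } for  pid=2231 comm="httpd" dest=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1425216009.553:411): avc:  denied  { name_connect } for  pid=2231 comm="httpd" dest=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1425216012.870:412): avc:  denied  { name_connect } for  pid=2240 comm="httpd" dest=25 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1425216020.004:413): avc:  denied  { read } for  pid=2240 comm="httpd" name="messages" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1425216020.004:413): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1425216031.222:414): avc:  denied  { name_connect } for  pid=901 comm="smbd" dest=8080 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
"""

# Matches AVC denials that carry a destination port (network denials).
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):\d+\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]+)".*?dest=(?P<dest>\d+)'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)


def blocked_outbound(log_text, domain="httpd_t"):
    """Count denied outgoing TCP connects per (port, port type) for one domain."""
    hits = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record, or not a network denial
        if m["tclass"] != "tcp_socket" or "name_connect" not in m["perms"].split():
            continue  # only outgoing TCP connection attempts are of interest
        # SELinux contexts are user:role:type:level; the type is the third field.
        if m["scontext"].split(":")[2] != domain:
            continue
        port_type = m["tcontext"].split(":")[2]
        hits[(int(m["dest"]), port_type)] += 1
    return hits


if __name__ == "__main__":
    for (port, ptype), n in blocked_outbound(SAMPLE_AUDIT_LOG).most_common():
        print(f"httpd_t blocked connecting to tcp/{port} ({ptype}) x{n}")
```

Connections the policy allows are not logged as denials, so every line this reports is an attempt that fell outside the permitted target port.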