[TriLUG] host-based dynamic app/port firewall?

Cristóbal Palmer cristobalpalmer at gmail.com
Wed Oct 24 11:01:19 EDT 2012


On Wednesday, October 24, 2012 at 12:57 AM, Kevin Hunter wrote:
> Hullo List,
>  
> I've found myself pondering the fact that I have intermittent network
> services on my machine. That is to say, sometimes I start Apache,
> disable SSH, or temporarily fire up a DHCP server.
>  
> IPTables is fan-friggin-tastic, but if I at all want to nerd out and
> enable/disable the ports when the service is (not) running I must do it
> manually.
The advantage in the abstract of using something like apparmor or selinux is that the compromise of a user or an application is less likely to cascade to other compromises; the applications are contained to a defined security context. But it sounds like you want part of that defined security context to include enabling or disabling rules on your host-based firewall, correct? For example, if port 80 on the host-based firewall only gets opened for the security context created for your httpd, and only when that httpd is running, the compromise of your snmpd on the box (for example) doesn't allow the attacker to listen on port 80 even if the OS allows the snmpd to bind to port 80. Note that you can do some of this without involving the host-based firewall by restricting the profiles of the applications you run. See:

https://wiki.ubuntu.com/AppArmor
http://www.selinuxproject.org/page/NB_Networking

But (a) that gets rapidly outside my area of expertise, and (b) that only solves problems with known applications where the work of creating profiles has been done. What about the compromise of a user account who could have compiled/started arbitrary code?

Are you basing your question on what the Mac OS X firewall purportedly now does, which is to only allow outbound connections for signed applications?

I know of no specific tool for wrangling iptables based on apparmor profiles or similar, and I especially know of no system that would open and close ports based on what services you've started and stopped. I'd be interested in what your research turns up, however, since every so often organizations and business units revise their policies on host-based firewalls, and the availability and quality of the management tools definitely factors into those decisions.

Cheers,
--  
Cristóbal Palmer
cmpalmer.org

P.S. In my group we take this approach: by default, install a host-based firewall that scopes connections. E.g. only certain subnets can see the SSH port. If the machine will /ever/ run an httpd, it gets the scoping rules for the httpd. It's not perfect, but it's relatively easy to implement/manage. You might consider implementing such a host-based firewall, and in your case scoping it for some known networks (e.g. RFC 1918, your current workplace network(s), NCSU…).
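As an added example (not part of the original thread), here is one way to combine the two ideas above: scope a service's port to known subnets, and have the rules follow the service's start/stop lifecycle via a systemd drop-in. The script only prints the iptables commands for review; the `svc-fw` path, the `ALLOWED_NETS` list and the unit names are assumptions.

```shell
#!/bin/sh
# svc-fw (hypothetical name): print host-firewall rules scoped to a service,
# so a unit's ExecStartPost/ExecStopPost can open/close its port on demand.
# Nothing here touches the kernel; pipe the output to sh as root to apply.

# Source networks allowed to reach scoped services (RFC 1918 here; a
# workplace or campus range would be added the same way).
ALLOWED_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# rules_for SERVICE PORT ACTION  -> prints one iptables command per line.
# ACTION is -I (service started) or -D (service stopped).
rules_for() {
  svc=$1; port=$2; action=$3
  # With -I every rule lands at the top of INPUT, so the catch-all DROP is
  # emitted first and the per-subnet ACCEPTs end up above it.
  printf 'iptables %s INPUT -p tcp --dport %s -m comment --comment "svc:%s" -j DROP\n' \
    "$action" "$port" "$svc"
  for net in $ALLOWED_NETS; do
    printf 'iptables %s INPUT -p tcp --dport %s -s %s -m comment --comment "svc:%s" -j ACCEPT\n' \
      "$action" "$port" "$net" "$svc"
  done
}

# dropin_for SERVICE PORT -> prints a systemd drop-in tying the rules to the unit.
dropin_for() {
  svc=$1; port=$2
  cat <<EOF
# /etc/systemd/system/${svc}.service.d/firewall.conf
[Service]
ExecStartPost=/usr/local/sbin/svc-fw open ${svc} ${port}
ExecStopPost=/usr/local/sbin/svc-fw close ${svc} ${port}
EOF
}

# Usage: svc-fw open|close|dropin SERVICE PORT
main() {
  case $1 in
    open)   rules_for "$2" "$3" -I ;;
    close)  rules_for "$2" "$3" -D ;;
    dropin) dropin_for "$2" "$3" ;;
    *) echo "usage: $0 open|close|dropin SERVICE PORT" >&2; return 2 ;;
  esac
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Running `svc-fw dropin httpd 80` prints the drop-in; once it is installed and `systemctl daemon-reload` has run, port 80 is only reachable from the listed subnets, and only while httpd is up.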