[Cialug] Networking Isolation Granularity Question

Sean Flattery sean.r.flattery at gmail.com
Fri Oct 24 12:31:53 CDT 2014


There are a few ways to tackle this problem.  Are you wanting to secure a
single system or a network?

If you just want to secure one system from one app (Adobe) you might be
able to leverage your host-based firewall, AppArmor, SELinux, or a hosts
file entry to 127.0.0.1.

If you're looking to secure several hosts in a network, a web proxy does a
fairly good job at restricting these kinds of applications while also
allowing you to log, monitor, and restrict web site access to unsavory
places.  I hear good things about Squid proxy, and if you combine that with
firewall settings to only allow web traffic out from the proxy you'll go a
long ways towards stopping these info leaks.  You'll also block most
malware phoning home from infected hosts.

BTW if you're a Mac user there's a program called Little Snitch that
watches your outgoing traffic and lets you know when this is happening.  It
can block traffic by application too.
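
The proxy-plus-firewall arrangement described above, as an added example that is not part of the original message: a shell function that prints an `iptables-restore` ruleset letting only the proxy host send web traffic out through a Linux gateway. The function name, the proxy address 192.0.2.10, the interface eth1, and a dedicated gateway whose filter table holds nothing else are all assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread).
# Constructed sample values: proxy 192.0.2.10, LAN interface eth1.

# gen_proxy_only_rules PROXY_IP LAN_IF   (hypothetical helper name)
# Prints an iptables-restore ruleset on stdout; returns 1 on bad arguments.
gen_proxy_only_rules() {
    proxy_ip=$1
    lan_if=$2
    # Allow only digits and dots in the address, and only plain characters
    # in the interface name, so neither value can carry extra rule text.
    case $proxy_ip in
        ''|*[!0-9.]*) echo "bad proxy address" >&2; return 1 ;;
    esac
    case $lan_if in
        ''|*[!A-Za-z0-9_.-]*) echo "bad interface name" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# The proxy is the only LAN host allowed to open outbound web connections
-A FORWARD -i $lan_if -s $proxy_ip -p tcp -m multiport --dports 80,443 -j ACCEPT
# Any other LAN host trying web ports directly is logged, then reset
-A FORWARD -i $lan_if -p tcp -m multiport --dports 80,443 -j LOG --log-prefix "proxy-bypass: "
-A FORWARD -i $lan_if -p tcp -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# Print the ruleset for the constructed sample values.
gen_proxy_only_rules 192.0.2.10 eth1
```

Check the output with `iptables-restore --test` before loading it. The kernel log lines carrying the `proxy-bypass: ` prefix show which hosts are attempting direct web connections.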

------------------------------------------------------

Date: Fri, 24 Oct 2014 11:57:48 -0500
From: jim kraai <jimgkraai at gmail.com>
To: Central Iowa Linux Users Group <cialug at cialug.org>
Subject: [Cialug] Networking Isolation Granularity Question

So, with lots of consumer software out there phoning users' usage and
content back to the software publisher, what can we do where on the network
to kill streams of traffic?

Feel free to point it out if the way I'm framing the question is too
limited.

Here's an example:  The latest word on Adobe's Digital Editions 4 desktop
ebook reader is that they 'fixed' the problem where it was sending
unencrypted data on usage and file listings back to Adobe by encrypting the
traffic rather than not spying on their users.  (
http://soylentnews.org/article.pl?sid=14/10/24/0912208 )

So, what are some options to tell the OS to not let traffic from processes
that fit certain criteria (name?) access endpoints that fit certain
criteria?

Thanks!

--jim

