Re: The state of firewall management...



On Thu, 2009-06-18 at 21:35 +0100, Graham Lyon wrote:
> Hi,
> 
> I'm wondering what the plan of action is towards management of
> firewalls on the desktop. Is this something that NetworkManager should
> do? I think so. Firewalls, for the average end user, should "just
> work". A great many linux distros don't come with a firewall
> configured by default and there is no default mechanism for
> interfacing with a firewall and opening ports etc for any software to
> use. I'm interested in developing a system to allow NM to identify a
> network, ask the user to classify this network if it has never been
> visited before, and then act accordingly (users of Windows Vista will
> recognise this process). I think it's needed as the average end user
> will not give themselves a proper firewall configuration. Ever.

Ideally yes, average users shouldn't have to care about ports or
anything, they should care about *services*.  However, the approach that
ZoneWall takes on Windows isn't great either, because for every popup,
you have to ask "is the user informed enough to make this decision?".
And it turns out that even I'm not informed enough about some of the
junk that wants network access on Windows, despite my having done a
*lot* of Windows system administration in my time.

Firewall UI is a hard problem, and the current Linux stuff just doesn't
make sense for most users, because they are fundamentally trying to
provide a UI shell around a simple list of port-based allow/deny rules,
or worse, a UI shell around every option that iptables provides.  That's
not how you create a usable interface for 85% of the people out there.

In any case, it's also not a battle I think NM should be trying to
fight, nor is it entirely within NM's area of responsibility.  Firewalls
are a level above NM, and the risk of becoming an amoeba gets pretty
large when talking about adding Firewall, proxy, Captive Portal, etc to
NM itself.

What I think *should* happen is fairly intelligent integration between
NM and some other firewall manager.  NM can provide information that a
firewall definitely wants; if you connect to a WPA or 802.1x protected
or 3G network, then you can worry a lot less because you're on a fairly
secure network.  If you connect in a public coffee shop with no
encryption at all, then you definitely want higher security policy in
the firewall.

Thus, I think that a firewall should interact with NM on a pretty
fundamental level, and after getting details about the current network
connection from NM, the firewall manager could make some intelligent
policy decisions about what security level to enforce.

I think there's a lot of room to improve on Vista's "what location are
you in" dialog that comes up every time you connect to something new.  I
think it both over-simplifies the problem *and* mis-characterizes it at
the same time, but I didn't do any UI research that Microsoft presumably
did.  Note that Apple doesn't do this at all, they appear to run with
maximum firewall at all times, and let specific services punch through
the firewall automatically (like file sharing) with appropriate warnings
when you start the service up.

We could certainly store some sort of "security level" tag on a
per-connection basis in NetworkManager that would be available to apps
like a firewall manager, which users could set either in the connection
editor, or via some other method which we should get user-interaction
experts to think about.  We can even set that tag to reasonable defaults
based on the connection type.

Does that sound anything like what you were thinking about?

Dan

> I have some thoughts about how this might be implemented (several
> possibilities, in fact) and I'd be happy to share/discuss them here
> before I actually start working towards an implementation. So, before
> I go ahead and write a long email detailing all my thoughts I'm just
> curious as to what the overall state of firewall management is as far
> as NM is concerned (is someone working on it, is it considered not the
> duty of NM, etc)?
> 
> -Graham
> _______________________________________________
> NetworkManager-list mailing list
> NetworkManager-list gnome org
> http://mail.gnome.org/mailman/listinfo/networkmanager-list
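As an added illustration of the integration sketched in this thread (not code from NetworkManager or from either poster), the block below derives a per-connection "security level" from facts NM already knows about a connection, lets an explicit user-set tag override the default, and turns the level into a service-based iptables policy rather than a bare port list. The level names, the service table, the defaults per connection type and the `Connection` fields (patterned after NM's setting names) are assumptions for illustration.

```python
# Added example, not NetworkManager code: per-connection security level -> firewall policy.
# Level names, service table and per-type defaults are assumptions for illustration.
from dataclasses import dataclass
from typing import List, Optional

LEVELS = ("trusted", "work", "public")          # least to most restrictive

# Services users reason about, mapped to the ports the firewall actually needs.
SERVICES = {"ssh": ("tcp", 22), "file-sharing": ("tcp", 445), "mdns": ("udp", 5353)}

# Which services each level exposes inbound; "public" exposes nothing.
POLICY = {"trusted": {"ssh", "file-sharing", "mdns"}, "work": {"ssh"}, "public": set()}


@dataclass
class Connection:
    name: str
    ctype: str                            # "802-11-wireless", "802-3-ethernet", "gsm"
    wifi_security: Optional[str] = None   # None = open, "wpa-psk", "wpa-eap" (802.1x)
    security_level: Optional[str] = None  # tag the user set in the connection editor


def default_level(conn: Connection) -> str:
    """Explicit user tag wins; otherwise derive a default from the connection type."""
    if conn.security_level in LEVELS:
        return conn.security_level
    if conn.ctype == "gsm":                       # 3G: encrypted carrier link
        return "work"
    if conn.ctype == "802-11-wireless":
        if conn.wifi_security in ("wpa-psk", "wpa-eap"):
            return "work"                         # WPA / 802.1x protected
        return "public"                           # open wifi: the coffee-shop case
    if conn.ctype == "802-3-ethernet":
        return "work"
    return "public"                               # unknown type: fail closed


def iptables_rules(conn: Connection, iface: str) -> List[str]:
    """Render the chosen level as INPUT rules for the interface NM brought up."""
    level = default_level(conn)
    rules = [f"iptables -A INPUT -i {iface} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for svc in sorted(POLICY[level]):
        proto, port = SERVICES[svc]
        rules.append(f"iptables -A INPUT -i {iface} -p {proto} --dport {port} "
                     f"-m comment --comment {svc} -j ACCEPT")
    rules.append(f"iptables -A INPUT -i {iface} -j DROP")   # default deny on this interface
    return rules


if __name__ == "__main__":
    cafe = Connection("cafe-wifi", "802-11-wireless")         # constructed: open network
    print("\n".join(iptables_rules(cafe, "wlan0")))
```

An unrecognised connection type deliberately lands on the most restrictive level, so a gap in the mapping never silently opens services.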
