IPCop and application control?

Can IPCop do application control on different machines? Would m0n0wall do it?

I don't think so, but wanted to confirm. Thanks.

speeder

That's only applicable to personal FW solutions running on the Windows platform.

Duane :)

Duane Arnold

It depends on what you mean by application control. If you want to prevent an application running on a particular PC then make sure it is not installed on that PC. If for some reason that's not possible (perhaps you can't trust others not to try to install certain applications) then allow your PCs to connect only to an internal proxy for the Internet protocols they need and don't allow them to make any direct outbound connection to the Internet at all. Set the proxy/proxies to allow/disallow protocols as necessary for each machine. Most users will happily email and surf and will think you must have used NAT. If that's not good enough (the application uses http) then disallow http to the destination IP address that unwanted applications try to connect to.

Jason

Jason Edwards

IPCop is a packet-filter, how should a packet-filter (something that the highest layer it can inspect is the transport layer) know which application running on another machine has created a certain packet?

AFAIK that is another packet-filter.

And even on the application layer a separate filter (which is an Application Proxy in that case) has no information about the application that created a packet. An ALG understands the protocol but knows nothing about the client.

Personal firewalls cannot control applications either. If you want to control applications, don't install or run them.

Wolfgang

Wolfgang Kueter

Thanks for the responses.

I was trying to think of a solution for a home network where my kids can have freedom to install their personal stuff but provide something that would minimize damage in case they installed a 0day trojan or something. A personal firewall on their machines wouldn't be a good idea because they could accidentally (or intentionally) disable it as they explore the machine (kids are very curious creatures...).

Going a little off-topic here, what kind of security architecture/solution do you guys implement at home so everyone can have a safe experience with the Internet?

speeder

Kid machines are placed in a separate network segment and the packet-filter blocks all traffic between important machines (mine) and the kid machines. Traffic control between kid machines and internet is not so strictly limited as it is between kid machines and my machines. I will let them surf but I won't let a single packet from their network into my network. More subnetting and filtering between the subnets might make sense for other environments (girl-net must not access boy-net etc.).

Wolfgang

Wolfgang Kueter
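The segmentation described in the post above, written out as an iptables-restore ruleset produced by a shell function. This is an added example, not part of the thread and not IPCop's own configuration; the interface names (eth0 for the Internet side, eth1 for the trusted segment, eth2 for the kids' segment) and the DNS/DHCP service on the firewall are assumptions.

```shell
#!/bin/sh
# Assumed interface layout (constructed for this example).
WAN_IF=eth0      # Internet uplink
TRUSTED_IF=eth1  # "important machines" segment
KIDS_IF=eth2     # kids' segment

# Print the ruleset in iptables-restore format. Nothing is loaded here.
kidnet_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Segment isolation comes first, ahead of any stateful accept, so no
# packet crosses between the two internal networks in either direction.
-A FORWARD -i $KIDS_IF -o $TRUSTED_IF -j DROP
-A FORWARD -i $TRUSTED_IF -o $KIDS_IF -j DROP
# Replies to connections that were allowed out.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Both segments may open connections to the Internet.
-A FORWARD -i $KIDS_IF -o $WAN_IF -j ACCEPT
-A FORWARD -i $TRUSTED_IF -o $WAN_IF -j ACCEPT
# The firewall itself: managed from the trusted segment only; the kids'
# segment reaches nothing on it except DNS and DHCP.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $TRUSTED_IF -j ACCEPT
-A INPUT -i $KIDS_IF -p udp -m multiport --dports 53,67 -j ACCEPT
-A INPUT -i $KIDS_IF -p tcp --dport 53 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# "print" shows the ruleset for review; "apply" loads it (requires root).
case "${1:-}" in
  print) kidnet_rules ;;
  apply) kidnet_rules | iptables-restore ;;
esac
```

A machine compromised on the kids' segment can still reach the Internet under this policy; what the rules guarantee is that it cannot open or receive connections to the trusted segment.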


In news: snipped-for-privacy@4ax.com, speeder typed
|| On Mon, 06 Jun 2005 13:42:33 -0300, speeder
|| wrote:
||
||| Can IPCop do application control on different machines? Would
||| m0n0wall do it?
|||
||| I don't think so, but wanted to confirm. thanks
||
|| Thanks for the responses.
||
|| I was trying to think of a solution for a home network where my kids
|| can have freedom to install their personal stuff but provide
|| something that would minimize damage in case they installed a 0day
|| trojan or something. A personal firewall on their machines wouldn't
|| be a good idea because they could accidentally (or intentionally)
|| disable it as they explore the machine (kids are very curious
|| creatures...).
||
|| Going a little off-topic here, what kind of security
|| architecture/solution do you guys implement at home so everyone can
|| have a safe experience with the Internet?

I use IPCop on my home network. Why don't you ask your questions in the ipcop forum? There you'll get responses from people who use the product.

Robert de Brus