3 application-level “firewalls” for Linux distributions

Tomoyo Enforce

A packet filtering firewall, designed to regulate incoming and outgoing packets from a network or an operating system, is akin to security personnel guarding the entrance to a commercial or residential property. Such a system has very little authority, unless given additional powers, in what applications inside the operating system or network are able to do.

That is where an application “firewall” comes into play. It is designed to ensure that applications in an operating system (or in some instances, a network) adhere to access control rules that govern their “activities.” It should be noted that an application firewall, like a stateful packet filter, is not a one-shot security solution. It merely adds an extra layer of security to a system, complementing other security protocols and systems in place. That idea also formed the main point of why your computer needs a firewall enabled.

This crude sketch shows applications in an operating system when there is no application firewall to regulated their actions. They are free to wander as they please.
Without Tomoyo in Linux

And here is what it looks like with an application firewall activated. By the way, this screen shot and the one above, were taken from Tomoyo’s website, an application firewall featured in this article:
Tomoyo Enforce

There are three such applications built into the Linux kernel, and they are available as loadable modules. While they tend to be described using slightly different terminologies, and may even differ in how to operate, once activated, they have the same effect – intelligently enforcing access rights for applications they are configured to monitor. In alphabetical order, the three application firewalls are:

Related Post:  Manual disk partitioning guide for Kubuntu 11.04

AppArmor, or Application Armor, is currently maintained by Canonical, and is activated by default in Ubuntu. It is officially described as:

An effective and easy-to-use Linux application security system. AppArmor proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good behavior and preventing even unknown application flaws from being exploited. AppArmor security policies completely define what system resources individual applications can access, and with what privileges. A number of default policies are included with AppArmor, and using a combination of advanced static analysis and learning-based tools, AppArmor policies for even very complex applications can be deployed successfully in a matter of hours.

SELinux, or Security-Enhanced Linux, was contributed to the Linux kernel by the National Security Agency. It is the application firewall activated by default in Fedora, and it has a reputation as being a bit more difficult to manage and configure than the others. The following is a brief description of SELinux from its Fedora project page.

Security-Enhanced Linux (SELinux) adds Mandatory Access Control (MAC) to the Linux kernel, and is enabled by default in Fedora. A general purpose MAC architecture needs the ability to enforce an administratively-set security policy over all processes and files in the system, basing decisions on labels containing a variety of security-relevant information. When properly implemented, it enables a system to adequately defend itself and offers critical support for application security by protecting against the tampering with, and bypassing of, secured applications.

MAC provides strong separation of applications that permits the safe execution of untrustworthy applications. Its ability to limit the privileges associated with executing processes limits the scope of potential damage that can result from the exploitation of vulnerabilities in applications and system services. MAC enables information to be protected from legitimate users with limited authorization as well as from authorized users who have unwittingly executed malicious applications.

Tomoyo was launched in 2003 and its development is sponsored by Japan’s NTT DATA Corporation. It is, as far as I know, the only one that is not used by default on any Linux distribution. However, that should change when the next edition of Chakra Edn is released. According to the official description, Tomoyo is a:

Mandatory Access Control (MAC) implementation for Linux that can be used to increase the security of a system, while also being useful purely as a system analysis tool.

TOMOYO Linux focuses on the behaviour of a system. Every process is created to achieve a purpose, and like an immigration officer, TOMOYO Linux allows each process to declare behaviours and resources needed to achieve their purpose. When protection is enabled, TOMOYO Linux acts like an operation watchdog, restricting each process to only the behaviours and resources allowed by the administrator.

Most distributions have one of these applications activated by default. If yours does not, talk to the developer(s) about it. Sometimes, all you need to do is install the userland utilities for managing it.

Related Post:  How to Install Ubuntu 13.10 on an external hard drive

Share:

Share on facebook
Facebook
Share on twitter
Twitter
Share on pinterest
Pinterest
Share on linkedin
LinkedIn

Hola! Did you notice that LinuxBSDos.com no longer run network ads?  Yep, no more ads from the usual suspects that track and annoy you across the Internet. But since I still need to pay to keep the site running, feel free to make a small donation by PayPal or your favorite cryptocurrency.

  • Bitcoin
  • Ethereum
  • Xrp
  • Bitcoin cash
  • Bitcoin sv
  • Litecoin
  • Binance coin
  • Cardano
  • Ethereum classic
Scan to Donate Bitcoin to bc1qzvlte2m224zkayhdc7fdfjkp2rsgt0l5a496ua

Donate Bitcoin to this address

Scan the QR code or copy the address below into your wallet to send some Bitcoin

Scan to Donate Ethereum to 0x0F4362DFF77F3Ba0Dc637F5f3Eba35D09a2fA60C

Donate Ethereum to this address

Scan the QR code or copy the address below into your wallet to send some Ethereum

Scan to Donate Xrp to r4ggjvL36njsMCYTkJ3S7cTHscPsMsSGQv

Donate Xrp to this address

Scan the QR code or copy the address below into your wallet to send some Xrp

Scan to Donate Bitcoin cash to qrs0dedzp9t55af3nfwypydghp29r0xguy9s20fz2k

Donate Bitcoin cash to this address

Scan the QR code or copy the address below into your wallet to send some Bitcoin cash

Scan to Donate Bitcoin sv to 15K9TLyVDBtLuG9cYvXCX9SSkq9C9oUKHK

Donate Bitcoin sv to this address

Scan the QR code or copy the address below into your wallet to send some Bitcoin sv

Scan to Donate Litecoin to LetJ9QQMb7u2LMZ9Tu6rtHwcBcQFW98fbG

Donate Litecoin to this address

Scan the QR code or copy the address below into your wallet to send some Litecoin

Scan to Donate Binance coin to bnb1ga8trq08ssqepd90v6225nzfgy448pu5pw8gxp

Donate Binance coin to this address

Scan the QR code or copy the address below into your wallet to send some Binance coin

Scan to Donate Cardano to addr1qx2354yw49etstfljpdhwja3ajjlt487lg95vu9ngy2q6vu4rf2ga2tjhqknlyzmwa9mrm997h20a7stgectxsg5p5esq5l7d9

Donate Cardano to this address

Scan the QR code or copy the address below into your wallet to send some Cardano

Scan to Donate Ethereum classic to 0xcD6CC972a2297FcafACDcfE042C55C69516a9264

Donate Ethereum classic to this address

Scan the QR code or copy the address below into your wallet to send some Ethereum classic

Subscribe for updates. Trust me, no spam!

Sponsored links

1. Attend Algorithm Conference, a top AI and ML event.
2. Reasons to use control panel for your server.
3. DHgate Computers Electronics, Cell Phones & more.
4. Axo Finans.

Upcoming events

11 Responses

  1. Nice little writeup, but I agree with the other folks. This is MAC,not an application-level “firewall” (quotes or not). Check Wikipedia’s impression of what a firewall is.

    Also, way too close to name collision with an application-layer firewall. (And that’s what I thought I would be reading about when I visited here.)

    1. Since you mentioned Wikipedia, here’s a nice little quote from a Wikipedia page on “Application Firewall” (under “Host-based application firewalls”):

      Because of these limitations, application firewalls are beginning to be supplanted by a new generation of application firewalls that rely on mandatory access control (MAC), also referred to as sandboxing, to protect vulnerable services. Examples of next generation host-based application firewalls which control system service calls by an application are AppArmor[3] and the TrustedBSD MAC framework (sandboxing) in Mac OS X.

      From the same article, comes this line: “The application firewall is typically built to control all network traffic on any OSI layer up to the application layer.”

      It’s a very nice article. You may read the whole thing here.

    1. These are not firewalls in the traditional sense, but they work at the application level in very much the same manner that packet filtering firewalls work. They are better known as Mandatory Access Control applications.

      Firestarter or GUFW are just frontends for IPTables/Netfilter, a real packet filtering firewall.

  2. This isn’t really a “firewall” any more than /bin/login and file permissions are. This is really more about access control on the box, i. e. once you’re already on there. That said, mandatory access control (MAC) certainly can help guard against certain types of attacks. Haven’t gotten around to AppArmor yet due to my environment, but I can confirm the general benefits from my experience with SELinux. Once I learned how to work it, I stopped turning it off and started tuning it to my systems.

Leave a Reply

Your email address will not be published. Required fields are marked *

Get the latest

On social media
Via my newsletter

Partner links

1. Attend Algorithm Conference, a top AI and ML event for 2021.
2. Reasons to use control panel for your server.
3. DHgate Computers Electronics, Cell Phones & more.
4. Axo Finans.
Hacking, pentesting distributions

Linux Distributions for Hacking

Experts use these Linux distributions for hacking, digital forensics, and pentesting.

Categories
Archives

The authors of these books are confirmed to speak during

Algorithm Conference

T-minus AI

Author was the first chairperson of AI for the U.S. Air Force.

The case for killer robots

Author is the Director of the Center for Natural and Artificial Intelligence.

Why greatness cannot be planned

Author works on AI safety as a Senior Research Scientist at Uber AI Labs.