OS X Leopard Firewall Flawed 300
cycoj writes with a report in the German IT magazine Heise, taking a look at the new OS X Leopard firewall. They find it flawed. When setting access to specific services and programs to only allow SSH access, for example, they found that a manually started service was still accessible. From the article: "So the first step after starting Leopard should be to activate the firewall. The obvious choice to do so is the option to 'Set access to specific services and programs,' which promises more control over network traffic. Mac OS X automatically enters all shared resources set up by the user, such as 'Remote login' for SSH servers, into the list of accessible resources... However, initial functional testing quickly dispels any feeling of improved security. A service started for testing purposes was able to be addressed from outside without any difficulty. The firewall records this occurrence... Even with the firewall set to 'Block all incoming connections' ports to netbios, ntp and other services were still open... Specifically these results mean that users can't rely on the firewall."
Never put your eggs in one basket. (Score:5, Informative)
Never Trust Software firewalls. Software firewalls are only should be used in protection against "internet static" attacks. Where just random worms and viruses are trying to get in. Software Firewalls
Are normally bad against direct attacks from real hackers. Because there are so many ways to trick the user to install software to get around it...
Lesson 2.
Never trust anyone to keep security up. Apple, Microsoft, Linux Distributions, even Open BSD they are all made by humans and humans make mistakes and forget to check out things...
Lesson 3.
Always keep a hardware firewall even if it is a cheap Linksys Firewall/Router they will double up protection and keep your system relatively safe.
Lesson 4.
Never assume that you are 100% safe. There are always ways around things...
Little Snitch anyone? (Score:5, Informative)
Re:Never put your eggs in one basket. (Score:5, Informative)
That would only apply if breaking one link in the chain is as good as breaking all the links in the chain - ie, if they give special accomodations to one another because they are all part of the "same network" or one contains passwords to the others or something of that nature. In this case that should not happen, thus you must break each link in succession to get through.
Also, FYI, a hardware firewall is just a dedicated software firewall.
The key word here is "dedicated". A dedicated firewall means you are not installing other software on it which could compromise the firewall itself (either intentionally or through poor design), and it also means that should a hacker somehow break into the firewall, your losses are limited as they have not also gained entry to your files, your passwords, your keyboard, your browser, etc and they cannot rootkit your PC. They only get a tiny, wimpy processor with little-to-no storage and complete network access. Dangerous, yes, but not a complete disaster.
Re:Never put your eggs in one basket. (Score:5, Informative)
Re:Never put your eggs in one basket. (Score:5, Informative)
Re:As any new OS (Score:1, Informative)
Re:Investigation flawed, more like (Score:5, Informative)
Re:As any new OS (Score:5, Informative)
Re:Investigation flawed, more like (Score:5, Informative)
That said, according to what I've read from some people, the security might not even be that rigorous; it might be more about making sure that only the developer of an application can update it automatically (so it's more difficult for an attacker to create an update that 'fixes' your copy of Mail.app or some other approved program to do evil things) than making sure each developer has been vetted by Apple or some other Higher Authority.
There is a posting from someone who supposedly has access to the Leopard previews over at ThinkMac basically saying this: (source [thinkmac.co.uk])
Re:"defective by design" (Score:3, Informative)
Re:Investigation flawed, more like (Score:3, Informative)
"Software firewall" != "firewall" (Score:1, Informative)
Ideally, a firewall also
Although I loathe analogies, in cars a real firewall sits between the dangerous (engine) and habitable (passenger) compartments, has a few holes poked in it to allow certain things through (throttle controls, wiring, etc.), and hopefully blocks everything else. The counterpart to a "software firewall" in such a case would be a piece of sheet metal between the engine and passenger compartments that spontaneously opened new holes whenever someone turned on the A/C, played a CD, or unfastened their seat belt. That's NOT A FIREWALL!
Re:Little Snitch anyone? (Score:3, Informative)
Re:All tests were run on localhost (Score:5, Informative)
I run all tests from a linux machine. Look at the packet dumps. It shows two machines communicating over a network.
Look at the IP address given as an argument to ntpdate -- it is a public IP of an ISP that I queried from our company network.
Look at the quoted logfile entries. All of them show that the tests have been run from external machines.
bye, ju
I am not convinced (Score:5, Informative)
Which it appears to do if you look at the quote below. They show a deny in their logs. Seems to work so far.
They are now basing an assumption (or marketing spin) because of output from an Nmap scan. This just indicates a flaw in the signature Nmap has (or the lack thereof) for this particular firewall implementation.
Then straight from NMAP's documentation:
"Nmap reports the state combinations open|filtered and closed|filtered when it cannot determine which of the two states describe a port." -(http://insecure.org/nmap/man/ [insecure.org])
And as for the NTP response being received, well that goes back to what we should expect to see. Apple is about usability. I would suspect that "Block all INCOMING connections" to not refuse information that I request. Basically this just does ingress filtering and not egress.
I haven't read the entire article yet, but from my brief scan I don't see how this is not a "functioning" firewall.
Misleading descriptions (Score:5, Informative)
I notice in their report that they complain about services Nmap lists as "open/filtered". Nmap reports that result when it encounters a port that elicits no reply whatsoever to a probe. This happens only when a firewall is dropping all traffic to a port and not generating any ICMP error packet for the attempt. The TCP spec says if a port isn't open the client should get an ICMP error, so Nmap knows that there's something there even if access to it's being blocked. If this is any indication of the quality of this "analysis", we can discount the article.
A hardware firewall explained (Score:4, Informative)
[Rant]
There is no such thing as a purely hardware firewall in modern times.
The hardware like a Cisco pix has software (i.e. firmware) running on top of a simple (usually Linux or bsd architecture). A true hardware firewall is John or Jane sitting at a switchboard plugging in and unplugging cables, like way back when telephones first existed. You could also theoretically unplug the networking cable every-so-often to get a firewall-like effect, but the bottom line is that there is something (a brain) that decides what goes in and what goes out. The brain is a bunch of code (software) that is the firewall.
Hell, create a searing flame capable of burning anyone to death who dare walks through it- that's the literal definition of a firewall. The heat caused by the burning of wood or something else is a "hardware" firewall.
[/Rant]
Re:A hardware firewall explained (Score:5, Informative)
Re:Investigation flawed, more like (Score:4, Informative)
Well technically, the only examples this article provides are of UDP services listening. So there's no evidence that the firewall is allowing 'connections'
I agree that to the end user connections probably means something different, but in the world of network protocols it has a very specific meaning, which doesn't include UDP services by definition. The only way for the firewall to deny inbound UDP sessions would be to fake connection state for these protocols. Many popular commercial enterprise class firewalls do just this, but I'm not surprised that a desktop firewall isn't doing it.
Re:other quirks with OSX and the services/firewall (Score:3, Informative)
I'm sitting here on my Macbook sharing my 3G connection from my phone over WiFi to a few of my coworkers' laptops, and Apache is certainly not running. Currently I'm on 10.5, but I never had to turn it on with 10.4 either.
Re:Never put your eggs in one basket. (Score:3, Informative)
Re:Never put your eggs in one basket. (Score:4, Informative)
If you pick up one of the models with a USB port, you can trivially expand its storage capacity, although the built-in RAM and Flash is usually sufficient.
Re:Never put your eggs in one basket. (Score:3, Informative)
Anybody still running an old standalone computer as a Linux software firewall probably pays enough in electricity to buy a new WRT54G or similar router every few months.
Re:Default Leopard install NMAP 4.20 scan (Score:3, Informative)
No. It means that the firewall's black-holing (dropping without generating any ICMP response) all packets to ports 80 and 443. It can do this whether or not a Web server's running.
Re:Never put your eggs in one basket. (Score:3, Informative)
And then what does a fire wall do? If the computer is configured corectly there is no need for a firewall. Firewals are just the "suspenders" part of a "belt and suspenders" security system. And even then the virus comes in via email and the web which your fire wall lets in.
That said, I use redundant layers of protection and then tripwire-like detection
Re:Investigation flawed, more like (Score:2, Informative)
Don't depend on services being disabled. (Score:3, Informative)
It sounds like if you don't enable a service, it doesn't enable the firewall rules for that service. If you do enable the service, then it turns on the firewall rules for that service. This is not a problem unless you install a third-party program that provides the same network service, *and* you want to restrict access to it.
The argument in the article that the firewall would prevent a trojan from opening a listener on a low port is bogus, because any program that can open a listener on a low port can also remove the corresponding firewall rule... you have to be root to do either.
The fact that Samba processes were still running after sharing was turned off, however, is a concern. That absolutely should not happen, and Apple needs to fix it.
The workaround is to make sure that after you disable a service, you reboot to make sure it is really disabled. If you don't enable any services that should not be an issue.
UDP blocking requires separate activation (Score:2, Informative)
Blocking UDP traffic in 10.4:
http://docs.info.apple.com/article.html?path=Mac/10.4/en/mh1242.html [apple.com]