
OS X Leopard Firewall Flawed

cycoj writes with a report in the German IT magazine Heise, taking a look at the new OS X Leopard firewall. They find it flawed. When setting access to specific services and programs to only allow SSH access, for example, they found that a manually started service was still accessible. From the article: "So the first step after starting Leopard should be to activate the firewall. The obvious choice to do so is the option to 'Set access to specific services and programs,' which promises more control over network traffic. Mac OS X automatically enters all shared resources set up by the user, such as 'Remote login' for SSH servers, into the list of accessible resources... However, initial functional testing quickly dispels any feeling of improved security. A service started for testing purposes was able to be addressed from outside without any difficulty. The firewall records this occurrence... Even with the firewall set to 'Block all incoming connections' ports to netbios, ntp and other services were still open... Specifically these results mean that users can't rely on the firewall."
  • by Space cowboy ( 13680 ) * on Tuesday October 30, 2007 @03:11PM (#21174981) Journal
    From the 'help' button available on the same screen (emphasis mine),

    In addition to the sharing services you turned on in Sharing preferences, the list may include other services, applications, and programs that are allowed to open ports in the firewall. An application or program might have requested and been given access through the firewall, or might be digitally signed by a trusted certificate and therefore allowed access


    IMPORTANT: Some programs have access through the firewall although they don't appear in the list. These might include system applications, services, and processes (for example, those running as "root"). They can also include digitally signed programs that are opened automatically by other programs.

    ... so if Leopard trusts the service (it's a root process, or it's signed with an acceptable crypto signature), it will have access through the firewall. Since Leopard ships with cryptographically-signed binaries/packages, I guess I'm not seeing the problem - if Jo(e)-evil-cracker already has 'root' on the system, the firewall isn't going to help save the system, after all... Perhaps Heise are just used to using Linux, where the firewall trumps all ?

    You could argue that the 'Block all incoming connections' is badly worded, but you could argue that reading the documentation for a new firewall would be a useful thing to do as well.

    And, FWIW, if I set the firewall to 'Set Access for specific services and applications', then disable SMB sharing, I can't connect using nmblookup. I can only get through when the service has been enabled (which seems reasonable).

    Simon

  • OS Firewalls (Score:5, Insightful)

    by nurb432 ( 527695 ) on Tuesday October 30, 2007 @03:13PM (#21174997) Homepage Journal
    Shouldn't be used in the first place. You really need an external dedicated firewall if you want to pretend to be safe.
  • by MBCook ( 132727 ) <foobarsoft@foobarsoft.com> on Tuesday October 30, 2007 @03:16PM (#21175031) Homepage

    I'll agree with most of that. I've got a Mac, and it's running Leopard (yeah!). At work I surf behind a real firewall, a Watchguard I think. At home, I'm behind my Linksys. I could run no firewall and be OK. That said, I leave it on for one simple reason: I can go to other people's networks without having to think about turning the firewall on. This way if I were to go to Starbucks or something, I'd be much more safe from some guy a few tables over (malicious or just bot-infested). I don't expect things to be perfect. I don't expect a software firewall to be as good as a hardware one. It's just one more layer.

    So what do I think of all this? I don't know. I saw comments somewhere the other day that claimed that these guys were just misunderstanding, but I'm not sure. I expect a firewall to block things if I tell it to though.

  • by JCSoRocks ( 1142053 ) on Tuesday October 30, 2007 @03:18PM (#21175067)

    Never trust anyone to keep security up. Apple, Microsoft, Linux Distributions, ...
    Do you see that, Apple fanboys!? Quick! Attack! GO GO GO!

    Seriously though, he's right. People in both camps should realize that no matter how great you think your software is, it's not perfect.
  • Re:As any new OS (Score:4, Insightful)

    by east coast ( 590680 ) on Tuesday October 30, 2007 @03:28PM (#21175233)
    Apple may not be a monopoly but they certainly act a lot more like one than Microsoft does.
  • by nharmon ( 97591 ) on Tuesday October 30, 2007 @03:34PM (#21175323)
    Fine. Just don't have your main firewall be on the same machine as the data you're trying to protect.
  • by Sloppy ( 14984 ) on Tuesday October 30, 2007 @03:36PM (#21175359) Homepage Journal

    so if Leopard trusts the service .. it will have access through the firewall.

    The default configuration represents the situation where the user defers to Leopard's estimation of what can be trusted. If the user starts modifying the configuration, then the question of what Leopard trusts or doesn't trust, should be irrelevant.

    But sure: they documented the bug, thereby causing it to be merely lame design, rather than a bug.

  • by kebes ( 861706 ) on Tuesday October 30, 2007 @03:37PM (#21175383) Journal

    if Leopard trusts the service (it's a root process, or it's signed with an acceptable crypto signature), it will have access through the firewall. Since Leopard ships with cryptographically-signed binaries/packages, I guess I'm not seeing the problem
    The problem is that the user asked the OS for a certain action ("block everything") and the OS didn't implement that action. This is basically a case of the OS saying "don't worry, I'm smarter than you and I know what to do"... which isn't a good policy when it comes to security. If a user tries to activate a firewall policy (because they happen to know a certain service is insecure, or not needed, or whatever), then the firewall should implement that policy.

    You could argue that the 'Block all incoming connections' is badly worded, but you could argue that reading the documentation for a new firewall would be a useful thing to do as well.
    If the situation is indeed as you describe (that the problem here is just that the firewall is allowing certain connections that it "knows" are okay) then you're right: this isn't a security vulnerability, but rather a case of poor UI design. The UI is saying "I'm blocking all connections" even though it isn't. You're also right that in principle the user should educate themselves about their software. However the software should, as much as possible, not misrepresent what's going on. Saying "blocking all connections" and then allowing something to connect is a recipe for security mistakes.
  • by jellomizer ( 103300 ) * on Tuesday October 30, 2007 @03:54PM (#21175621)
    Looking at your Moderation and the Parent's shows that your statement is true... I am using OS X right now and I am hoping my copy of Leopard is in the mail and planning to install it as soon as I get home... Even though I really like the OS, right now it is my favorite, I don't want to be a FanBoy and assume that it is a flawless, perfect system that will protect me from nuclear blasts. And that Steve Jobs is always right... There are things I dislike about the OS but I dislike them less than my dislikes of other OSes.
  • by hbp4c ( 315334 ) <howard DOT powell AT gmail DOT com> on Tuesday October 30, 2007 @04:02PM (#21175751) Homepage
    Perhaps I missed something...

    It looks like every test that was run was run from the local machine. The tester set "block incoming connections", not "block local connections" and/or "block outbound connections".

    If you lsof, you're going to see ports open to localhost, unless the firewall is specifically dropping packets to 127.0.0.1.

    ntpdate is an ntp client tool, so it makes an outbound connection instead of an inbound connection.

    nmblookup actually warns the guy testing this - it realized that 192.168.69.21 was the local interface, so it responded as "localhost" instead of the samba name!

    The nmap test was the only tool that specifically checked a non-localhost IP, and it's not clear to me if it actually checked the localhost interface cleverly or actually sent packets out and through the firewall.

    As I said, perhaps I missed some critical fact. However, I would put more credibility in the tests if the tester had used a 2nd machine on his subnet to nmap the leopard firewall.
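The distinction hbp4c draws between loopback-bound and externally reachable sockets, as an added example that is not part of the thread or of the Heise test: the sketch parses `lsof -i -n -P` output and reports which listeners a scan from a second machine could reach at all. The sample listing is constructed; only the address 192.168.69.21 is taken from the comment above.

```python
import ipaddress

# Constructed sample of `lsof -i -n -P` output (not the tester's real listing).
SAMPLE = """\
COMMAND  PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
sshd     101 root   3u IPv4 0x01      0t0  TCP *:22 (LISTEN)
cupsd    102 root   7u IPv4 0x02      0t0  TCP 127.0.0.1:631 (LISTEN)
cupsd    102 root   8u IPv6 0x03      0t0  TCP [::1]:631 (LISTEN)
ntpd     103 root  20u IPv4 0x04      0t0  UDP *:123
nmbd     104 root   9u IPv4 0x05      0t0  UDP 192.168.69.21:137
ssh      105 user   3u IPv4 0x06      0t0  TCP 192.168.69.21:50312->192.168.69.5:22 (ESTABLISHED)
"""

def scope(host):
    """Classify a bind address: wildcard, loopback, or a single interface."""
    if host == "*":
        return "all-interfaces"
    addr = ipaddress.ip_address(host.strip("[]"))
    return "loopback-only" if addr.is_loopback else "one-interface"

def classify(lsof_text):
    """Map (command, proto, port) -> bind scope for listening/bound sockets."""
    result = {}
    for line in lsof_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        idx = next((i for i, f in enumerate(fields) if f in ("TCP", "UDP")), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        proto, name = fields[idx], fields[idx + 1]
        state = fields[idx + 2] if len(fields) > idx + 2 else ""
        if "->" in name:                             # connected socket, not a listener
            continue
        if proto == "TCP" and state != "(LISTEN)":
            continue
        host, port = name.rsplit(":", 1)
        if not port.isdigit():                       # e.g. "*:*" for an unbound UDP socket
            continue
        result[(fields[0], proto, int(port))] = scope(host)
    return result

def remotely_testable(lsof_text):
    """Sockets whose filtering can only be verified from another machine."""
    return sorted(k for k, v in classify(lsof_text).items() if v != "loopback-only")

if __name__ == "__main__":
    for key in remotely_testable(SAMPLE):
        print(key)
```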
  • by RobertM1968 ( 951074 ) on Tuesday October 30, 2007 @04:16PM (#21175971) Homepage Journal

    I'll agree with most of that. I've got a Mac, and it's running Leopard (yeah!). At work I surf behind a real firewall, a Watchguard I think. At home, I'm behind my Linksys. I could run no firewall and be OK. That said, I leave it on for one simple reason: I can go to other people's networks without having to think about turning the firewall on. This way if I were to go to Starbucks or something, I'd be much more safe from some guy a few tables over (malicious or just bot-infested). I don't expect things to be perfect. I don't expect a software firewall to be as good as a hardware one. It's just one more layer.

    Regardless, if I am on a network where I don't have control of all the machines on it 24/7, then I think running the machine's OS (or add-on) Firewall is still a must. It really doesn't matter how great a hardware firewall is if someone infects their machine via a CD, DVD, USB Drive, etc. from something they bring from their infected home machine or friend's machine or whatever. Since most direct network traffic doesn't (try to) pass through the hardware firewall, one should always be protected from the other machines on their network. For instance, in my office, we have a couple WinXP machines - and though they are not infected, they are constantly broadcasting nonsense trying to find their brethren (to EVERY machine on the network). Our "hardware" firewall does nothing to stop that - even though it does block the traffic from going OFF our network. I block that traffic on my other machines at their firewalls (no need to waste sockets or OS time handling the packets at all). If those XP machines were infected... well, you see the point.

    Having one machine on the network, or a few machines that only you use (with taking precautions not to infect them from an external source), then yeah, a hardware firewall is probably all you need.

  • Really good thing that my linux software firewall is stored on a read-only filesystem then, and only allows login via SSH hostkeys.

    I made my initial post pretty quickly, and likewise screwed up some things.

    What is the difference between a software and a hardware firewall anyways? Heck, what is a firewall? There are so many countless ways of defining a 'firewall' that the average home router you can pick up at your local grocery store is advertised as a "router/firewall." Just because it's embedded suddenly makes it less of a software firewall, and more of a hardware one?

    As mentioned, my router has a read-only root file system. It's also running a complete linux distro. Is this a hardware or software firewall?

    Further, it does stateful packet inspection (four-ish lines of iptables commands? Worth $40+ on 'firewall' devices?), QoS (both host and service based), and it does this all through a transparent ethernet bridge. Then I have an admin ethernet jack, which requires IPSEC connectivity before you can touch the internal ports (22, 80).

    It's a complete linux distro, so it's software. It's 100% embedded, so it's hardware.

    As mentioned, other routers are embedding linux. Cool. Hardware or software? More secure, or less? More capable? Or less capable?

    Classifying 'software firewalls' as 'insecure' and classifying 'a cheap Linksys Firewall/Router' as 'secure' is kinda scary in all truth. Well, mostly just wrong. Firewalls are too generic now - just because it says 'firewall' on the front, you're supposed to think that you're safe from 'hackers.'

  • by PipingSnail ( 1112161 ) on Tuesday October 30, 2007 @04:44PM (#21176291)

    Why isn't this story also tagged as "haha"?

    If this was a story about a Windows Firewall, as well as defectivebydesign you'd also have the "haha" tag. Do I detect bias?

  • by mattgreen ( 701203 ) on Tuesday October 30, 2007 @04:44PM (#21176295)

    ... so if Leopard trusts the service (it's a root process, or it's signed with an acceptable crypto signature), it will have access through the firewall. Since Leopard ships with cryptographically-signed binaries/packages, I guess I'm not seeing the problem - if Jo(e)-evil-cracker already has 'root' on the system, the firewall isn't going to help save the system, after all... Perhaps Heise are just used to using Linux, where the firewall trumps all ?
    And what happens in the event the trust system is subverted somehow? Either the user accidentally trusts malware, or malware manages to squeeze itself in, what would the user do? The only option they have left is to pull the network connection. At least with a real firewall, a savvy user can lock down their machine and safely investigate further.

    You could argue that the 'Block all incoming connections' is badly worded, but you could argue that reading the documentation for a new firewall would be a useful thing to do as well.
    I thought the appeal of Apple was that Things Just Work and it is so intuitive you don't have to read the documentation? This is a major bug. Don't try to downplay it like it's no big deal. Security is always a big deal. I thought we all learned that from the countless Windows worms?
  • by gatekeep ( 122108 ) on Tuesday October 30, 2007 @05:30PM (#21176839)
    Simply disallowing all incoming UDP traffic is trivially easy ... and doesn't break all that much.

    Sure, if DNS isn't 'all that much'

    Disallow all incoming UDP/53 traffic, and you'll lose the ability to resolve names. More secure? Maybe. Practical? Absolutely not.
  • by NNKK ( 218503 ) on Tuesday October 30, 2007 @05:58PM (#21177167) Homepage
    The Apache parent, the OpenSSH sshd parent(s), the postfix master process (postfix! an SMTP server built for the express purpose of security!), xinetd. These are just a few common network daemons that run as root as standard practice with their author's blessing.

    Welcome to the real world, it's not so rosy as you seem to think.
  • Re:OS Firewalls (Score:3, Insightful)

    by LurkerXXX ( 667952 ) on Tuesday October 30, 2007 @07:19PM (#21177989)
    Who the hell modded that insightful?

    Yes they SHOULD be used, in ADDITION to external dedicated firewalls.

    Anyone plugging in an infected laptop behind your LAN's firewall now has a shot at your firewall-free computer.

    Use both hardware and software firewalls. Layers of protection are good.
  • by Anonymous Coward on Tuesday October 30, 2007 @07:47PM (#21178241)
    When you send a request to a dns server, it's outgoing, not incoming. So it shouldn't matter if you block incoming UDP traffic on port 53... unless you are running your own DNS server.
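The three readings of "block incoming UDP" that this exchange turns on, modelled as an added example that is not part of the thread: a stateless block of all inbound UDP, a stateless block of inbound destination port 53, and a stateful filter that admits only replies to recent outbound queries. The `UdpFilter` class, its mode names and the 30-second timeout are assumptions made for illustration; the resolver and third-party addresses are documentation-range placeholders.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport")

HOST = "192.168.69.21"     # client address, borrowed from the thread
RESOLVER = "192.0.2.53"    # placeholder resolver (documentation range)
OTHER = "198.51.100.7"     # placeholder third party (documentation range)

class UdpFilter:
    """Toy inbound UDP filter with three hypothetical policy modes."""

    def __init__(self, mode, timeout=30):
        self.mode, self.timeout, self.flows = mode, timeout, {}

    def outbound(self, pkt, now):
        # Record the reversed 4-tuple on which a reply is expected.
        self.flows[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = now + self.timeout
        return True

    def inbound(self, pkt, now):
        if self.mode == "block-all-udp":      # stateless: drops replies too
            return False
        if self.mode == "block-dport-53":     # stateless: only guards a local DNS server
            return pkt.dport != 53
        # stateful: accept only packets matching a live outbound flow
        expiry = self.flows.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return expiry is not None and now <= expiry

def demo(mode):
    """Send one DNS query, then offer four inbound packets to the filter."""
    fw = UdpFilter(mode)
    fw.outbound(Pkt(HOST, 50000, RESOLVER, 53), now=0)
    return {
        "reply": fw.inbound(Pkt(RESOLVER, 53, HOST, 50000), now=1),
        "late_reply": fw.inbound(Pkt(RESOLVER, 53, HOST, 50000), now=100),
        "spoofed_sport_53": fw.inbound(Pkt(OTHER, 53, HOST, 137), now=1),
        "to_local_port_53": fw.inbound(Pkt(OTHER, 40000, HOST, 53), now=1),
    }

if __name__ == "__main__":
    for mode in ("block-all-udp", "block-dport-53", "stateful"):
        print(mode, demo(mode))
```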
  • by tulare ( 244053 ) on Tuesday October 30, 2007 @09:04PM (#21178739) Journal
    A little ARP poisoning, and some sniffing to see what version of what your linux box is running, next time you apt-get update && apt-get upgrade, or emerge world, or whatever mechanism you use, you're pwned. My experience is that the best method of security is a pair of eyeballs attached to a skeptical brain.
  • by master_p ( 608214 ) on Wednesday October 31, 2007 @07:13AM (#21181587)
    Everything is software, even hardware logic circuits :-).

    The real benefit of an external firewall is that if your system is compromised, the firewall itself is not compromised, whereas in a firewall embedded in an O/S, if the O/S is hacked then the firewall is useless.
