OS X Leopard Firewall Flawed
cycoj writes with a report in the German IT magazine Heise, taking a look at the new OS X Leopard firewall. They find it flawed. When setting access to specific services and programs to only allow SSH access, for example, they found that a manually started service was still accessible. From the article: "So the first step after starting Leopard should be to activate the firewall. The obvious choice to do so is the option to 'Set access to specific services and programs,' which promises more control over network traffic. Mac OS X automatically enters all shared resources set up by the user, such as 'Remote login' for SSH servers, into the list of accessible resources... However, initial functional testing quickly dispels any feeling of improved security. A service started for testing purposes was able to be addressed from outside without any difficulty. The firewall records this occurrence... Even with the firewall set to 'Block all incoming connections' ports to netbios, ntp and other services were still open... Specifically these results mean that users can't rely on the firewall."
Never put your eggs in one basket. (Score:5, Informative)
Never trust software firewalls. Software firewalls should only be used as protection against "internet static" attacks, where just random worms and viruses are trying to get in. Software firewalls are normally bad against direct attacks from real hackers, because there are so many ways to trick the user into installing software to get around it...
Lesson 2.
Never trust anyone to keep security up. Apple, Microsoft, Linux Distributions, even Open BSD they are all made by humans and humans make mistakes and forget to check out things...
Lesson 3.
Always keep a hardware firewall even if it is a cheap Linksys Firewall/Router they will double up protection and keep your system relatively safe.
Lesson 4.
Never assume that you are 100% safe. There are always ways around things...
Re:Never put your eggs in one basket. (Score:5, Insightful)
I'll agree with most of that. I've got a Mac, and it's running Leopard (yeah!). At work I surf behind a real firewall, a Watchguard I think. At home, I'm behind my Linksys. I could run no firewall and be OK. That said, I leave it on for one simple reason: I can go to other people's networks without having to think about turning the firewall on. This way if I were to go to Starbucks or something, I'd be much more safe from some guy a few tables over (malicious or just bot-infested). I don't expect things to be perfect. I don't expect a software firewall to be as good as a hardware one. It's just one more layer.
So what do I think of all this? I don't know. I saw comments somewhere the other day that claimed that these guys were just misunderstanding, but I'm not sure. I expect a firewall to block things if I tell it to though.
Re:Never put your eggs in one basket. (Score:4, Insightful)
Regardless, if I am on a network where I don't have control of all the machines on it 24/7, then I think running the machine's OS (or add-on) firewall is still a must. It really doesn't matter how great a hardware firewall is if someone infects their machine via a CD, DVD, USB drive, etc. from something they bring from their infected home machine or friend's machine or whatever. Since most direct network traffic doesn't (try to) pass through the hardware firewall, one should always be protected from the other machines on their network. For instance, in my office, we have a couple WinXP machines - and though they are not infected, they are constantly broadcasting nonsense trying to find their brethren (to EVERY machine on the network). Our "hardware" firewall does nothing to stop that - even though it does block the traffic from going OFF our network. I block that traffic on my other machines at their firewalls (no need to waste sockets or OS time handling the packets at all). If those XP machines were infected... well, you see the point.
Having one machine on the network, or a few machines that only you use (with taking precautions not to infect them from an external source), then yeah, a hardware firewall is probably all you need.
Re:Never put your eggs in one basket. (Score:4, Informative)
If you pick up one of the models with a USB port, you can trivially expand its storage capacity, although the built-in RAM and Flash is usually sufficient.
Re: (Score:3, Informative)
Anybody still running an old standalone computer as a Linux software firewall probably pays enough in electricity to buy a new WRT54G or similar router every few months.
Re:Never put your eggs in one basket. (Score:5, Insightful)
I made my initial post pretty quickly, and likewise screwed up some things.
What is the difference between a software and a hardware firewall anyways? Heck, what is a firewall? There are so many countless ways of defining a 'firewall' that the average home router you can pick up at your local grocery store is advertised as a "router/firewall." Just because it's embedded suddenly makes it less of a software firewall, and more of a hardware one?
As mentioned, my router has a read-only root file system. It's also running a complete Linux distro. Is this a hardware or software firewall?
Further, it does stateful packet inspection (four-ish lines of iptables commands? Worth $40+ on 'firewall' devices?), QoS (both host and service based), and it does this all through a transparent ethernet bridge. Then I have an admin ethernet jack, which requires IPSEC connectivity before you can touch the internal ports (22, 80).
It's a complete Linux distro, so it's software. It's 100% embedded, so it's hardware.
As mentioned, other routers are embedding Linux. Cool. Hardware or software? More secure, or less? More capable? Or less capable?
Classifying 'software firewalls' as 'insecure' and classifying 'a cheap Linksys Firewall/Router' as 'secure' is kinda scary in all truth. Well, mostly just wrong. Firewalls are too generic now - just because it says 'firewall' on the front, you're supposed to think that you're safe from 'hackers.'
Re: (Score:3, Insightful)
The real benefit of an external firewall is that if your system is compromised, the firewall itself is not compromised, whereas in a firewall embedded in an O/S, if the O/S is hacked then the firewall is useless.
Re: (Score:2, Insightful)
Seriously though, he's right. People in both camps should realize that no matter how great you think your software is, it's not perfect.
Re:Never put your eggs in one basket. (Score:5, Interesting)
Also, FYI, a hardware firewall is just a dedicated software firewall.
Re:Never put your eggs in one basket. (Score:5, Funny)
I don't know if I buy that. I mean, one has the word "hard" in it, while the other has "soft" in it. Given the choice of the two, the "hard" one sounds far more secure.
Re: (Score:2, Funny)
remind me never to borrow your computer.
Re: (Score:3, Funny)
Yeah, but that happens asynchronously if your null device can use DMA, so while it's transferring, your CPU can run the next bit of code out of cache, instead of wasting time executing emulator code. Also, if you have multiple busses, you can always hook up more null devices, and stripe them, to spread the load out.
Re: (Score:3, Informative)
And then what does a firewall do? If the computer is configured correctly there is no need for a firewall. Firewalls are just the "suspenders" part of a "belt and suspenders" security system. And even then the virus comes in via email and the web, which your firewall lets in.
That said, I use redundant layers of protection
Re:Never put your eggs in one basket. (Score:5, Informative)
That would only apply if breaking one link in the chain is as good as breaking all the links in the chain - i.e., if they give special accommodations to one another because they are all part of the "same network" or one contains passwords to the others or something of that nature. In this case that should not happen, thus you must break each link in succession to get through.
Also, FYI, a hardware firewall is just a dedicated software firewall.
The key word here is "dedicated". A dedicated firewall means you are not installing other software on it which could compromise the firewall itself (either intentionally or through poor design), and it also means that should a hacker somehow break into the firewall, your losses are limited as they have not also gained entry to your files, your passwords, your keyboard, your browser, etc and they cannot rootkit your PC. They only get a tiny, wimpy processor with little-to-no storage and complete network access. Dangerous, yes, but not a complete disaster.
Re: (Score:2)
This depends on what you use as a dedicated firewall. Some of the dedicated commercial firewalls are actually fairly powerful systems.
Re: (Score:2)
As for more layers equalling more attack vectors; that is complete hogwash. The second firewall doesn't open holes in the first in order to function. It just filters the traffic that actually makes it throug
Re: (Score:2)
Firewall A has all ports blocked
Firewall B has all ports blocked
Breaking Firewall A doesn't affect Firewall B. The technique for Firewall B is different than for Firewall A. It is like having 2 locked doors with different keys and lock types. It is like saying if you have more keys and doors that are locked, the less time it will take for a burglar to break into your house...
Yes, a hardware firewall is a dedicated software firewall, but that is all it is doing; you don't go install software on it.
Re: (Score:3, Funny)
Quick, call 911! Dude's having a stroke!
Re: (Score:2)
I've never heard of a firewall bug creating a new attack vector, though in theory I guess it could happen. Still, I'd argue that multiple firewalls is safer. If there are two firewalls between you and the bad guys / bots, they would have to get past BOTH firewalls.
Lesson 5 - Belt and suspenders (braces) (Score:2)
Good post, but hardware firewalls are not infallible as they are also affected by Lesson #2 (made by humans who make mistakes) and can be hacked, as per Lesson #1.
So, rather than have an either/or solution, why not apply all the tools at our disposal?
* If you have a hardware firewall, use it.
* If you have a software firewall, use that, too.
And regardless, run a service such as "Little Snitch" which requires each application explicitly ask permission before communicating with external resources (
Re: (Score:2)
I think the distinction you're trying to make is between dedicated appliances and general purpose computers. Well, there's a security advantage to having your firewall device be on a separate host than the machine you use for web and mail - but most of that advantage is that you've got a separate device tel
Investigation flawed, more like (Score:4, Insightful)
You could argue that the 'Block all incoming connections' is badly worded, but you could argue that reading the documentation for a new firewall would be a useful thing to do as well.
And, FWIW, if I set the firewall to 'Set Access for specific services and applications', then disable SMB sharing, I can't connect using nmblookup. I can only get through when the service has been enabled (which seems reasonable).
Simon
Re:Investigation flawed, more like (Score:5, Insightful)
The default configuration represents the situation where the user defers to Leopard's estimation of what can be trusted. If the user starts modifying the configuration, then the question of what Leopard trusts or doesn't trust should be irrelevant.
But sure: they documented the bug, thereby causing it to be merely lame design, rather than a bug.
Re: (Score:2)
If you don't trust Father Steve, you don't deserve an Apple, Heathen Infidel!!
Re:Investigation flawed, more like (Score:4, Informative)
Well technically, the only examples this article provides are of UDP services listening. So there's no evidence that the firewall is allowing 'connections'
I agree that to the end user connections probably means something different, but in the world of network protocols it has a very specific meaning, which doesn't include UDP services by definition. The only way for the firewall to deny inbound UDP sessions would be to fake connection state for these protocols. Many popular commercial enterprise class firewalls do just this, but I'm not surprised that a desktop firewall isn't doing it.
Re:Investigation flawed, more like (Score:5, Insightful)
Sure, if DNS isn't 'all that much'
Disallow all incoming UDP/53 traffic, and you'll lose the ability to resolve names. More secure? Maybe. Practical? Absolutely not.
Re: (Score:3, Interesting)
I know what a stateful firewall is.. but the fact is that for UDP, there's no such thing. Some stateful firewalls do protocol inspection to fake state by figuring out when to expect a DNS packet, but UDP is by defini
Re: (Score:2)
If the situation is indeed as you describe (that the problem here is just that the firewall is allowing certain connections that it "knows" are okay) then you're right: this isn't a security vulnerability, but rather a case of poor UI design. The UI is saying "I'm blocking all connections" even though it isn't.
Eh - I don't know if I buy even that.
I know a car's engine makes a "vroooom" sound but I'm not going to try and replace the flywheel. People need to know what they are doing, not "think" they know.
Re: (Score:3, Interesting)
Apple is the one company on the market who I trust to actually do user tests. I'm also fairly sure they found out that Joe Average clicks on "block incoming connections" and still expects stuff to work. Which is why they made it behave that way, put the info into the help file for those of us who RTFM, and give you command-line access and ipfw if you really know what you're doing.
Re: (Score:2, Interesting)
If you are testing software and don't want it accessible from the outside world, Leopard's trust be damned, you want it blocked. I agree with the author here, even if he managed to miss the obvious text: any hole in the firewall should be put there explicitly by the administrator of said firewall (or the machine it is on), not left default by the OS and its own preferences. If MS did the same thing everyone would get pissed. If Linux did the same thing [I'd hope]
Re: (Score:2)
So, this firewall, it just blocks remote access to applications who don't open TCP or UDP ports for listening? Awesome! I've been running a firewall for years and I didn't even know it!
Re: (Score:3)
I think you missed a huge point in your haste to make a point against Apple. When "Block all incoming connections" is set, it blocks all user applications, not root applications.
now for a legitimate complaint -- Why did it disable my firewall during the upgrade? or did it??
So I decided to do an EXTERNAL port scan to see what was happening. Admittedly, I'm too lazy right
Re:Investigation flawed, more like (Score:5, Interesting)
Er, yeah, but... these are Mac users you're talking about. The people who've been sold a computer that ordinary people can use without being computer experts, and which doesn't get viruses like Windows does. (Not counting the Linux refugees, of course.)
Re: (Score:2)
I *think* the only entity who can acceptably sign something at the moment is Apple themselves, but I wouldn't bet my life on it...
Simon.
Re:Investigation flawed, more like (Score:5, Informative)
That said, according to what I've read from some people, the security might not even be that rigorous; it might be more about making sure that only the developer of an application can update it automatically (so it's more difficult for an attacker to create an update that 'fixes' your copy of Mail.app or some other approved program to do evil things) than making sure each developer has been vetted by Apple or some other Higher Authority.
There is a posting from someone who supposedly has access to the Leopard previews over at ThinkMac basically saying this: (source [thinkmac.co.uk])
Re: (Score:2)
The signing, from what I can see, is only about trust. If I install Acrobat (an example, I don't know if Acrobat is being signed or not) it will ask you if you want to run it the first time, and tell you it's signed by Adobe. From then on it will run just fine.
If some hacker manages to get you to run a script that changes the Acrobat executable then the signature won't match up and the app will no longer just run. That's the only protection it provides you beyond asking you the first time if you trust the applica
Re: (Score:2)
Well, that's the thing, you see. It *does* block connections to applications. Did you miss that part?
There are some processes that are allowed to punch through the firewall, and Heise found those. I'd not argue against reporting those p
Re: (Score:2)
A firewall that allows unrestri
Re: (Score:2)
You're making a distinction where none exists. If root starts a process that listens on a certain port, then it's logical to assume that root wanted to bypass the firewall for that process. Since root also has full control over the firewall, it doesn't make sense to touch root's processes. If you don't want to accept incoming connections, then yo
Re: (Score:3, Insightful)
Welcome to the real world, it's not so rosy as you seem to think.
Re: (Score:2)
Here's another thought-experiment: How do you stop a root process from modifying the firewall on any unix box?
You set kern.securelevel=3:
3 Network secure mode - same as highly secure mode, plus IP packet
filter rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be
changed and dummynet(4) or pf(4) configuration cannot be adjusted.
Ok, not "any unix box", but should work on OS X since that's using ipfw. At least I assume they're still using it, anyone running the Leopard firewall fancy showing us what ipfw show looks like?
Re: (Score:3, Funny)
If it's warm and fuzzy, it should be "I has a firewall (what I do wif it?)"
Lolz,
--Rob
(Offtopic-ish) Re:"defective by design" (Score:2)
They were asking people (don't know if they still do) as part of an astroturfing campaign to help out by tagging all Vista stories as defectivebydesign. Thus, it has lost its meaning and is just mindless people doing off-topic tagging.
I once attended a talk by Stallman, it was fun and all, and the hall was jampacked. But seriously, FSF needs to close that site, it's full of meaningless and mindless half-true FUD and
Re: (Score:3, Funny)
Out in hall, wasn't it? No, don't get up...
Re: (Score:2)
Such as an un-patched laptop that is totally infested with malware... Work in any corporate environment and these things eventually find their way in... So what you do is only allow "trusted" machines on your "trusted" VLAN. A machine has to pass certain tests to maintain trust every time it is connected to the network. Untrusted "outsider" machines can still get to the internet and a "guest printer" though. This is what Network Access Control is all about. Furthermore, I
Re:OS Firewalls (Score:4, Interesting)
Unfortunately, Apple's apparent company line (based on what I've heard from Apple sales reps) is that you don't need any "3rd party security software". Specifically, I overheard a salesperson speaking to a customer who was buying a notebook computer for his daughter (who was going to college), saying that the customer didn't need to purchase any of that kind of software, because OS X had no security holes. I did restrain myself from taking the salesperson to task for this in front of the whole store - but only because I didn't want to get kicked out of the store - as I hadn't completed my purchase yet. If I'd already gotten my iPod, I would have, at least, brought this to the manager's attention. As it is, it'd been a long day, and I wanted to get my iPod and go, so didn't make a deal about it.
In retrospect, I should have made a bit of a fuss about it, and were the situation to happen today, especially with what I learned from TFA, I would certainly have called the salesperson on this (albeit after I'd gotten my iPod - I'd rather not get kicked out of the store before I made my purchase).
Re: (Score:3, Insightful)
Yes they SHOULD be used, in ADDITION to external dedicated firewalls.
Anyone plugging in an infected laptop behind your LAN's firewall now has a shot at your firewall-free computer.
Use both hardware and software firewalls. Layers of protection are good.
and now for something completely different... (Score:5, Funny)
"Finest on this subnet, sir!"
"And how do you come to that conclusion?"
"Well, it's so *clean*!"
"It's certainly uncontaminated by security!"
Re: (Score:3, Interesting)
Do a
sudo lsof -iUDP
and you will see all the services listening on UDP ports.
bye, ju
All tests were run on localhost (Score:5, Insightful)
It looks like every test was run from the local machine. The tester set "block incoming connections", not "block local connections" and/or "block outbound connections".
If you lsof, you're going to see ports open to localhost, unless the firewall is specifically dropping packets to 127.0.0.1.
ntpdate is an ntp client tool, so it makes an outbound connection instead of an inbound connection.
nmblookup actually warns the guy testing this - it realized that 192.168.69.21 was the local interface, so it responded as "localhost" instead of the samba name!
The nmap test was the only tool that specifically checked a non-localhost IP, and it's not clear to me if it actually checked the localhost interface cleverly or actually sent packets out and through the firewall.
As I said, perhaps I missed some critical fact. However, I would put more credibility in the tests if the tester had used a 2nd machine on his subnet to nmap the leopard firewall.
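Two posts above suggest sudo lsof -iUDP to list listeners and point out that a socket bound only to localhost never crosses the firewall. The following added example (not from the article, Apple, or lsof itself) parses a constructed lsof -i listing in the default nine-column layout and separates loopback-only listeners from those bound on all interfaces; only the latter can be reached from another host, and even then only if the firewall passes the packet, which is why a scan from a second machine is the real test.

```python
"""Sort `lsof -i` output into loopback-only and all-interface listeners.

Added example; the sample listing below is constructed, not captured from
a Leopard machine, and assumes the default `lsof -i` column layout
(COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME) with service names
rather than `-P -n` numeric output.
"""

LOOPBACK = {"localhost", "127.0.0.1", "[::1]"}

# Constructed sample output.  192.168.69.21 is the host address from the article's test.
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ntpd      123 root    20u  IPv4 0x1234      0t0  UDP *:ntp
cupsd     456 root     7u  IPv4 0x2345      0t0  TCP localhost:ipp (LISTEN)
nmbd      789 root    11u  IPv4 0x3456      0t0  UDP *:netbios-ns
sshd      321 root     3u  IPv6 0x4567      0t0  TCP *:ssh (LISTEN)
Safari    999 ju      20u  IPv4 0x6789      0t0  TCP 192.168.69.21:50001->10.0.0.80:http (ESTABLISHED)
"""


def parse_lsof(text):
    """Yield (command, proto, bind_addr, port) for every listening socket."""
    for line in text.splitlines()[1:]:            # skip the header row
        fields = line.split()
        if len(fields) < 9:
            continue                               # not a socket row
        command, proto, name = fields[0], fields[7], fields[8]
        state = fields[9] if len(fields) > 9 else ""
        if "->" in name:
            continue                               # an established flow, not a listener
        if proto == "TCP" and state != "(LISTEN)":
            continue                               # only LISTEN sockets accept new peers
        addr, _, port = name.rpartition(":")       # "*:ntp" -> ("*", "ntp"); "[::1]:ipp" works too
        yield command, proto, addr, port


def classify(text):
    """Split listeners into loopback-only sockets and sockets other hosts could reach."""
    local, exposed = [], []
    for command, proto, addr, port in parse_lsof(text):
        entry = (command, proto, port)
        (local if addr in LOOPBACK else exposed).append(entry)
    return {"loopback_only": local, "all_interfaces": exposed}


if __name__ == "__main__":
    for bucket, entries in classify(SAMPLE_LSOF).items():
        print(bucket)
        for command, proto, port in entries:
            print(f"  {command:8s} {proto} {port}")
```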
Re:All tests were run on localhost (Score:5, Informative)
I ran all tests from a Linux machine. Look at the packet dumps. They show two machines communicating over a network.
Look at the IP address given as an argument to ntpdate -- it is a public IP of an ISP that I queried from our company network.
Look at the quoted logfile entries. All of them show that the tests have been run from external machines.
bye, ju
I am not convinced (Score:5, Informative)
Which it appears to do if you look at the quote below. They show a deny in their logs. Seems to work so far.
They are now basing an assumption (or marketing spin) because of output from an Nmap scan. This just indicates a flaw in the signature Nmap has (or the lack thereof) for this particular firewall implementation.
Then straight from NMAP's documentation:
"Nmap reports the state combinations open|filtered and closed|filtered when it cannot determine which of the two states describe a port." -(http://insecure.org/nmap/man/ [insecure.org])
And as for the NTP response being received, well that goes back to what we should expect to see. Apple is about usability. I would suspect that "Block all INCOMING connections" to not refuse information that I request. Basically this just does ingress filtering and not egress.
I haven't read the entire article yet, but from my brief scan I don't see how this is not a "functioning" firewall.
Re: (Score:3, Interesting)
The NTP port is easy enough to explain. NTP is a UDP-based protocol, so there aren't any connections. When operating properly, the time interval between packet exchanges with the time servers is long so maintaining the equivalent of a TCP masquerading map isn't feasible (you either need unreasonably long timeouts leading to odd behavior when the entries become invalid but aren't timed-out, or you tend to time out active entries). Since NTP packets are fairly simple and, being UDP, arrive in a single message
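The posts above about UDP having no connections, about blocking UDP/53 breaking name resolution, and about the timeout trade-off for NTP all describe the same mechanism: a firewall that "fakes" state for UDP. Here is an added example of that mechanism (not Apple's ipfw and not code from the article): a pseudo-connection table keyed on the outbound 4-tuple, with DNS and NTP replies accepted, an unsolicited probe to a UDP listener dropped, and a late datagram dropped once the entry has expired. The peer addresses are made up; 192.168.69.21 is the host address from the article's test.

```python
"""Toy stateful UDP tracker (added example; not a real firewall's code).

An outbound datagram opens a short-lived entry; an inbound datagram is
accepted only if it is the exact reverse of a live entry.  Unsolicited
inbound UDP is dropped even when a process is listening on that port.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int


class UdpStateTable:
    """Maps (src, sport, dst, dport) of outbound datagrams to the last-seen time."""

    def __init__(self, timeout=30.0):
        self.timeout = timeout        # seconds an idle pseudo-connection stays open
        self._entries = {}

    def outbound(self, d, now):
        # Every datagram the host sends (re)opens the reverse path for `timeout` seconds.
        self._entries[(d.src, d.sport, d.dst, d.dport)] = now

    def inbound(self, d, now):
        # Accept only if this is the reply direction of a live entry.
        key = (d.dst, d.dport, d.src, d.sport)
        last = self._entries.get(key)
        if last is None:
            return "drop"                          # unsolicited: nothing was sent to this peer
        if now - last > self.timeout:
            del self._entries[key]                 # idle too long: state expired
            return "drop"
        self._entries[key] = now                   # refresh on traffic
        return "accept"


def simulate():
    """Constructed trace for host 192.168.69.21 talking to made-up DNS and NTP servers."""
    table = UdpStateTable(timeout=30.0)
    host = "192.168.69.21"
    dns, ntp, prober = "10.0.0.53", "10.0.0.123", "192.168.69.99"   # constructed peers

    # 1. DNS query out, reply 50 ms later: accepted, so name resolution keeps working.
    table.outbound(Datagram(host, 51000, dns, 53), now=0.0)
    r_dns = table.inbound(Datagram(dns, 53, host, 51000), now=0.05)

    # 2. NTP query out, reply within a second: accepted.
    table.outbound(Datagram(host, 123, ntp, 123), now=1.0)
    r_ntp = table.inbound(Datagram(ntp, 123, host, 123), now=1.2)

    # 3. Unsolicited datagram to the netbios-ns listener (udp/137): no entry, dropped.
    r_probe = table.inbound(Datagram(prober, 40000, host, 137), now=5.0)

    # 4. The NTP server speaks again 60 s after the last exchange: the entry has
    #    expired, so it is dropped.  A longer timeout would keep it open at the
    #    cost of stale entries, which is the trade-off the post above describes.
    r_late = table.inbound(Datagram(ntp, 123, host, 123), now=61.2)

    return {"dns_reply": r_dns, "ntp_reply": r_ntp,
            "netbios_probe": r_probe, "late_ntp": r_late}


if __name__ == "__main__":
    for name, verdict in simulate().items():
        print(f"{name:14s} {verdict}")
```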
Misleading descriptions (Score:5, Informative)
I notice in their report that they complain about services Nmap lists as "open/filtered". Nmap reports that result when it encounters a port that elicits no reply whatsoever to a probe. This happens only when a firewall is dropping all traffic to a port and not generating any ICMP error packet for the attempt. The TCP spec says if a port isn't open the client should get an ICMP error, so Nmap knows that there's something there even if access to it is being blocked. If this is any indication of the quality of this "analysis", we can discount the article.
Re: (Score:2)
Huh? ICMP doesn't relay any information about ports. It's not even part of TCP but a completely different IP protocol. You'll get ICMP redirects or unreachables at layer 3 based on routing, but never based on port.
If a port isn't listening, the destination will reply with a TCP RST. If it's firewalled, most firewalls will silently discard it and the source gets no response; their SYN just goes off into the ether. If it's open, t
A hardware firewall explained (Score:4, Informative)
[Rant]
There is no such thing as a purely hardware firewall in modern times.
The hardware like a Cisco PIX has software (i.e. firmware) running on top of a simple (usually Linux or BSD) architecture. A true hardware firewall is John or Jane sitting at a switchboard plugging in and unplugging cables, like way back when telephones first existed. You could also theoretically unplug the networking cable every so often to get a firewall-like effect, but the bottom line is that there is something (a brain) that decides what goes in and what goes out. The brain is a bunch of code (software) that is the firewall.
Hell, create a searing flame capable of burning anyone to death who dares walk through it - that's the literal definition of a firewall. The heat caused by the burning of wood or something else is a "hardware" firewall.
[/Rant]
Re: (Score:2)
Personally I'd call that a vaporware firewall.
Re: (Score:2)
Also, as far as Leopard's firewall functionality goes I think they have struck quite a nice balance betwee
Why isn't this story also tagged as "haha"? (Score:3, Insightful)
Why isn't this story also tagged as "haha"?
If this was a story about a Windows Firewall, as well as defectivebydesign you'd also have the "haha" tag. Do I detect bias?
Solution? (Score:2)
Given that Apple may or likely has a flaw to fix in its Firewall, what solutions are there for additional protection? I'd been using PortSentry (a former Cisco package, now OSS on Sourcefo
Don't depend on services being disabled. (Score:3, Informative)
It sounds like if you don't enable a service, it doesn't enable the firewall rules for that service. If you do enable the service, then it turns on the firewall rules for that service. This is not a problem unless you install a third-party program that provides the same network service, *and* you want to restrict access to it.
The argument in the article that the firewall would prevent a trojan from opening a listener on
Might also be a flawed analysis... (Score:4, Interesting)
Specifically that the open|filtered may mean the ports are in a stealth mode... which is what you want!
I did a port scan of my Leopard machine from a Tiger machine and didn't see any open ports at all. I'm not running the firewall either -- but I don't have any services turned on right now. That's the way OS X ships by default (and has since at least 10.2).
Not arguing that things couldn't be better communicated by Apple, but I think an article claiming they're taking a Microsoft-esque tack toward security is more than likely politically loaded.
Re: (Score:3, Informative)
This is on OS X 10.4. I wanted to share an internet connection (internet to eth0, then the AirPort card serving as a gateway for 2 laptops and an iPhone to access the internet). All peachy, but this stupid OS does not let me do it unless I also set up an Apache web server?!?!?!
What the fuck are you smoking?
I'm sitting here on my Macbook sharing my 3G connection from my phone over WiFi to a few of my coworkers' laptops, and Apache is certainly not running. Currently I'm on 10.5, but I never had to turn it on with 10.4 either.
Re: (Score:3, Informative)
No. It means that the firewall's black-holing (dropping without generating any ICMP response) all packets to ports 80 and 443. It can do this whether or not a Web server's running.