Leopard's Firewall Criticized

[Phil A.]

As long as you connect through a NAT router you're pretty safe whatever the state of a software firewall (at least to external attacks - if you use a shared internet connection you are still vulnerable to other clients behind the router). Software firewalls were only really useful when everyone used dial up connections and your computer effectively was the router.
Also, in spite of scare stories from sites such as grc.com, it's simply not true to say that any open ports mean you are exposing yourself to anyone who wants to having a look around: if that were the case then there would be no servers on the internet! As long as you're sensible about passwords, all you are risking is the exploit of any security holes in services you may be exposing
I've never run the software firewall in OSX (or windows for that matter) and sit behind a wireless NAT router with a tunnel through for ssh so I can connect to my mac over the internet. With ssh configured properly I feel pretty secure in doing that.

 

[MacRumors]

Leopard's Firewall Criticized



A security research firm is criticizing Leopard's security, namely the new system's firewall.

Heise Security was highly critical of the firewall and declared that it failed every test. The tests centered around Apple's default configuration and whether the firewall configured correctly due to user input.

[Leopard's firewall] is not activated by default and, even when activated, it does not behave as expected. Network connections to non-authorised services can still be established and even under the most restrictive setting, "Block all incoming connections," it allows access to system services from the internet.

The company does acknowledge that the system services that it communicated with in its tests did not seem immediately exploitable (though one, ntpd was out of date). However, the company does advise that the issues be addressed by Apple and users beware of the shortcomings.

Apple has been touting Leopard's security as one of the many features of Leopard.

Article Link

 

[Eidorian]

I never really knew OS X for it's Firewall GUI.

 

[flopticalcube]

Does anyone use software firewalls anymore?

 

[Eidorian]

Does anyone use software firewalls anymore?

I'm behind NAT but I at least like to know when an application is trying to establish a connection ala Little Snitch.

 

[darthraige]

Has anyone ever gotten a virus on an Apple product? lol

 

[Eidorian]

Has anyone ever gotten a virus on an Apple product? lol

I'd prefer not to have unsolicited connections having access.

 

[darthraige]

I'd prefer not to have unsolicited connections having access.

It's just weird. When I owned a PC, I'd get like 1-5 viruses a day. On a Mac, never got one, never, never, never got one. Very impressive. lol

 

[Eidorian]

It's just weird. When I owned a PC, I'd get like 1-5 viruses a day. On a Mac, never got one, never, never, never got one. Very impressive. lol

I can say that never got a virus on my PC as well.

 

[darthraige]

I can say that never got a virus on my PC as well.

No viruses on your PC? Were you even connected to the net? lol Never cared to use a Virus protection program. That's probably why though. lol But, I've been loving the Mac for 6 years now.

 

[SiliconAddict]

Yah I started looking at how to configure the firewall in 10.5 and lo and behold up there really isn't anything to configure.

I've been using a PC at home now for nearly 5 months. (e.g. right now)

I got nothing.

I've used Windows since win 3.0 days. I've had ONE virus back in 95 on 3.11. It was a master boot record virus. Since then NOTHING. a little proactive security goes a long way. AV software\Firewall\Firefox\Solid E-mail client\patches will generally keep you protected on windows. OS X. *shrugs* Just make sure to have the firewall turned off\patches\limited account.

That should be more than adequate.

Yah until you are off network with a laptop.

 

[Eidorian]

No viruses on your PC? Were you even connected to the net? lol Never cared to use a Virus protection program. That's probably why though. lol But, I've been loving the Mac for 6 years now.

I've been using a PC at home now for nearly 5 months. (e.g. right now)

I got nothing.

 

[darthraige]

I've been using a PC at home now for nearly 5 months. (e.g. right now)

I got nothing.

Ahhh, I got ya. When are you going all Mac?

 

[Eidorian]

Ahhh, I got ya. When are you going all Mac?

When Apple releases hardware worth buying?

 

[harmless]

Heise is *not* a security research firm

A security research firm is criticizing Leopard's security, namely the new system's firewall.

Heise is a publisher.

They sell several computer magazines. While those are among the best the market has to offer in Germany, sadly that doesn't mean a lot. Especially c't has become more of an consumer related magazine with a focus on Windows, Linux and stuff like digital cameras and (HD/flat panel) TV sets.

They try to broaden their market by opening up several sub sections on their web site, which include 'Heise Security' - but also 'Heise Autos' (cars).

While their news *reporting* is generally reliable, the same can not be said about their own 'research'; especially regarding Macs.

Unfortunately, they have a broad audience anyway.

 

[Masquerade]

good news in time for IT managers that are willing to install mac os x 10.5 server on their machines.

 

[JNB]

I would have concerns about the accuracy of that test then.

A person trying to get through a firewall is going to be checking for specific ports. Their not just going to say "show me what's open".

Gibson Research's tests are very reliable - the "full" port scan hits ports 0-1055 sequentially and gives specific results on each. You can also specifically choose to scan any ports beyond that range (though I don't have the time or real concern to hit all 64K ports!)

I just completed all tests--on a public network--on both 10.5 through Camino and XP through Firefox and have a full stealth posture on each. Much better than my old native Win98 Frankenputer.

On a side (but semi-related) note, I am also now seeing a bunch of other PC's & Macs (at least a dozen different ones so far) out there in the sidebar. Most of the Macs are offering up Screen Sharing. I'm pretty sure they're all on the same network as I am in the hotel, but it's still a little unnerving. ALL of my sharing is now off, to be turned on only as needed. Just a little too much like walking around with my fly unzipped...

 

[darthraige]

I've used Windows since win 3.0 days.

The good 'ol 3.0 days. Commander Keen, The Amazing Spiderman, Hostage, The Original Duke Nukem. Miss those days.

 

[Rodimus Prime]

Does anyone use software firewalls anymore?

it is really a good practice to use both. Software firewalls are much better at stopping outbound connections. Also each one has its own strengths and weaknesses. One might get around a hardware firewall but not get around a software firewalls.

I would say I am behind a hardware firewall but I set my computer to be DMZ host because I am to lazy to figure out what ports I needed to forward (yeah bad practice) but when I lived on campus damn skimpy I sat behind a software and hardware firewall. It was rather annoying coming back to my room my first year and seeing 8+ warning sitting on my screen all from external attacks mostly because people have virus and other crap on there computer.

Hardware firewall and oh so much nicer with a huge drop in messages.

 

[Eidorian]

I've used Windows since win 3.0 days. I've had ONE virus back in 95 on 3.11. It was a master boot record virus. Since then NOTHING. a little proactive security goes a long way. AV software\Firewall\Firefox\Solid E-mail client\patches will generally keep you protected on windows. OS X. *shrugs* Just make sure to have the firewall turned off\patches\limited account.

Shucks, all that I can bring to the table for my Windows experience is MS-DOS 5.0 and Windows 3.1.

I may have gotten one virus but my memory isn't what it used to be.

 

[DavidCar]

What does "Allow Safari Listening" mean. I see that several times in my Leopard firewall log.

Also it appears someone was scanning some of my ports sequentially this morning.

Oct 30 00:19:05 Macintosh Firewall[39]: Allow Safari listening from ::ffff:0.0.0.0:0 uid = 501 proto=6

Oct 30 00:23:17 Macintosh Firewall[39]: Stealth Mode connection attempt to UDP 10.0.1.3:53795 from 10.0.1.1:53

 

[mdriftmeyer]

The entire claim from Heise is getting debated over at Slashdot and OSNews and others.

Let's make it clear. The Security Model Heise it expecting isn't the Security Model deployed by Leopard and until they get the Server Docs and Darwin 9 to see what they claim is skewed you can continue to believe the fear.

Security has vastly improved in the Userspace.

 

[deathshrub]

Software firewalls are basically useless anyway.

 

[mdriftmeyer]

What does "Allow Safari Listening" mean. I see that several times in my Leopard firewall log.

Also it appears someone was scanning some of my ports sequentially this morning.

Oct 30 00:19:05 Macintosh Firewall[39]: Allow Safari listening from ::ffff:0.0.0.0:0 uid = 501 proto=6

Oct 30 00:23:17 Macintosh Firewall[39]: Stealth Mode connection attempt to UDP 10.0.1.3:53795 from 10.0.1.1:53

Case in point on the Userspace Security in Leopard. Read up on sandboxing at the application level. Apple hasn't even released their Documentation for Leopard to further explain the changes in their Security Model.

On User-Level Sandboxing: Technical document on the approach:

http://www.cs.bu.edu/~richwest/sandboxing.html

 

[vitaflo]

I don't get it. They're basing most of their assessment on nmap's output:

# nmap -sU 192.168.69.21
PORT STATE SERVICE
123/udp open|filtered ntp
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
631/udp open|filtered unknown
5353/udp open|filtered zeroconf
MAC Address: 00:17:F2F:CD:B3 (Apple Computer)

And saying "open|filtered" means the ports are open. But if know about nmap, and read the documentation on it, it says:

"Filtered" means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed. [...] Nmap reports the state combinations "open|filtered" and "closed|filtered" when it cannot determine which of the two states describe a port.

http://insecure.org/nmap/man/

Basically, this means the ports are firewalled, and not only that, but OS X isn't giving *any* info about those ports at all. The fact that it says "open" is just a guess as far as nmap is concerned. It doesn't know.