Firewalls monitor and regulate the data moving on and off your computer or network. They can keep criminals out while allowing legitimate network traffic in. Mac OS X comes with not one but two firewalls of its own. However, those two aren’t always enough.
The Threat. Years ago, a bug (long-since fixed) let attackers send Macs a so-called “ping of death”—specially designed network traffic that could crash a system. There aren’t any such network vulnerabilities on Macs (that we know of) now, but many of Apple’s security updates specifically address network vulnerabilities. Clearly, Macs aren’t inherently immune.
With millions of computers in the world, it might seem that the odds of your Mac being targeted are awfully small. But there are computers out there that do nothing all day but probe Net-connected machines for vulnerabilities; it’s certainly possible that one will find yours. And don’t forget that any time you’re on a network—a coffee shop’s Wi-Fi system, for example—you’re exposed to anyone else on that network.
The risks—the loss of private data and the hijacking of your Mac’s computing power—are great enough, and the cost of prevention low enough, that implementing a good firewall on your Mac and your local network is a no-brainer.
OS X’s Firewalls. Every version of OS X up to and including 10.4 (Tiger) has shipped with ipfw, a packet-filtering firewall inherited from BSD Unix. In security parlance, a packet filter checks each packet entering or leaving the Mac’s network interfaces against an ordered list of rules and passes or blocks it according to the first rule that matches.
Packet-filtering firewalls like ipfw classify network traffic two ways: by service, using the protocol and port number, and by origin and destination, using IP addresses. For instance, a packet filter can accept file-sharing connections from the IP addresses of your work network while rejecting the same connections from every other address on the Internet.
To ipfw, Leopard adds a new socket-filter firewall (also known as an application firewall). Rather than using network ports and IP addresses to decide whether to allow a packet, it bases its decision on the application making the network request. When a program asks to accept network traffic, a socket filter checks a list of programs that have been authorised to do so. If the program is on the list, the firewall allows the connection. If the program isn’t on the list—as in the case of new or upgraded software—OS X asks you whether to allow the program to accept incoming traffic.
The Security preference pane lets you configure OS X’s built-in socket-filter firewall, which filters network traffic by application.
You enable Leopard’s socket firewall by selecting Set Access For Specific Services And Applications in the Firewall tab of the Security preference pane. When you select that option, you’ll see a list of allowed and blocked programs. If you’d like to block all nonessential traffic, you can select Allow Only Essential Services, but beware: doing so will break some applications. You’ll still be able to browse the Web and use e-mail, but other inbound connections will be blocked.
Socket filters are less flexible than a packet filter like ipfw. Applications that are allowed to accept network connections will accept them from anywhere on the Internet; they can’t be told to distinguish trusted from untrusted Net addresses. The Leopard firewall also blocks only inbound connections; it won’t prevent programs from making outbound connections. This has become a big problem in the Windows world: spyware programs lodge themselves on hard drives and then “phone home” with sensitive private information.
OS X 10.5 still includes ipfw, but by default it carries only a single allow-everything rule, so it filters nothing until you add rules of your own. You can enable and configure it from the command line or through a third-party application such as Hanynet’s free WaterRoof 2.0 or NoobProof 1.1. And ipfw coexists with Leopard’s socket filter, so you can combine the two: block untrusted applications from accepting connections at all, and at the same time restrict inbound and outbound traffic by port and IP address.
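The combination described above, as an added example that is not from the article, Apple or Hanynet: a small ipfw ruleset for Leopard that admits file sharing only from the work network, drops every other unsolicited inbound connection, and leaves the application firewall to decide which programs may listen in the first place. The trusted network 10.1.0.0/16 is a hypothetical assumption; TCP 548 is Apple’s standard AFP file-sharing port. Because ipfw evaluates rules in ascending number order and the first match wins, the allow for the trusted network must carry a lower number than the deny for the same port, and the script checks that invariant before printing the rules.

```shell
#!/bin/sh
# Added example (not the article's, Apple's or Hanynet's code): an ipfw
# ruleset for OS X 10.5 that pairs with the application firewall.
#
# Assumptions: TRUSTED_NET is the hypothetical work network 10.1.0.0/16;
# AFP file sharing listens on TCP 548. ipfw's default rule 65535 on OS X is
# "allow ip from any to any", so unsolicited inbound traffic must be denied
# explicitly (rule 65000) or it is let through.
TRUSTED_NET="${TRUSTED_NET:-10.1.0.0/16}"

# Emit the rules rather than applying them, so they can be reviewed first
# and then loaded with ipfw's file mode (see the usage note). Rule numbers
# are spaced out to leave room for later insertions.
#   100      loopback traffic is always fine
#   200      check-state: admit replies belonging to connections we opened
#   300/310  outbound TCP and UDP, recorded as dynamic state (keep-state)
#   320      inbound ICMP echo reply, destination unreachable, time exceeded
#   400      AFP (548) from the trusted network only, also stateful
#   410      AFP from anywhere else: deny and log the attempt
#   65000    everything else unsolicited and inbound: deny and log
ipfw_ruleset() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 check-state
add 300 allow tcp from me to any out setup keep-state
add 310 allow udp from me to any out keep-state
add 320 allow icmp from any to me in icmptypes 0,3,11
add 400 allow tcp from $TRUSTED_NET to me 548 in setup keep-state
add 410 deny log tcp from any to me 548 in
add 65000 deny log ip from any to me in
EOF
}

# Number of the first rule with the given action ("allow" or "deny") whose
# destination is the given port on this host. Used to assert the ordering
# invariant: first match wins, so the allow must precede the deny.
first_rule_number() {   # e.g. first_rule_number allow 548  -> 400
    ipfw_ruleset | awk -v act="$1" -v port="$2" \
        '$1 == "add" && $3 == act && $0 ~ ("to me " port " ") { print $2; exit }'
}

# Succeeds only if the trusted-network allow for AFP sorts before the deny.
check_order() {
    [ "$(first_rule_number allow 548)" -lt "$(first_rule_number deny 548)" ]
}

check_order || { echo "rule order broken: deny for 548 precedes allow" >&2; exit 1; }
ipfw_ruleset
```

To load the rules on a Leopard Mac, save the output to a file and feed it to ipfw’s file mode, which reads one command per line: `sh ipfw_rules.sh > /tmp/ipfw.rules && sudo ipfw -q flush && sudo ipfw -q /tmp/ipfw.rules`, then confirm with `sudo ipfw list`. The `log` keyword only produces entries once `sudo sysctl -w net.inet.ip.fw.verbose=1` is set. The rules live in kernel memory and vanish at reboot, so they must be reloaded at startup; arranging that, and wrapping the same rule syntax in a GUI, is what WaterRoof and NoobProof do for you.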
Third-Party Firewalls. So why would you want to buy and install a third-party firewall when OS X’s seem to cover the bases pretty well? The primary reasons are more flexibility and better protection.
For example, Intego’s $US50 NetBarrier X5 lets you set rules based on where connections are coming from. You can get similar firewall control from free tools such as WaterRoof, but they don’t offer the extra privacy features NetBarrier bundles with its firewall.
Another limitation of Leopard’s built-in socket filter is that it can’t change rules when you change locations. For example, you might want to leave your laptop’s iTunes sharing turned on at home but shut it off when you use your laptop on the road. Open Door Networks’ $US80 DoorStop X Security Suite lets you define locations and quickly set the firewall to preset rules for where you are. NetBarrier also allows you to create different rules for local network addresses and for addresses on the Internet, a remarkably simple and useful distinction.
If you want fine-grained application control, defining not only which applications can send and receive information to and from the Internet but also which Net addresses they can contact, you can use Objective Development’s $US30 Little Snitch; it’s particularly effective against spyware.
Third-Party Firewalls
| Product | Vendor | Price |
|---|---|---|
| DoorStop X Security Suite 2.2 | Open Door Networks | $79 |
| IPNetSentryX 2.2 | Sustainable Softworks | $60 |
| Little Snitch 2.0.3 | Objective Development | $25 (multiuser and upgrade licenses available) |
| NetBarrier X5 | Intego | $50 |
| NoobProof 1.1 | Hanynet | free (payment requested) |
| Norton Personal Firewall 3.0.3 | Symantec | $50 |
Our Advice. For most users, the firewalls built into OS X are enough. Enable OS X’s basic socket-filter firewall via the Security preference pane (we recommend that you choose Set Access For Specific Services And Applications); if you want the extra protection of OS X’s ipfw firewall, use the excellent and free NoobProof to configure it.
[Rich Mogull is the security editor at TidBits and runs Securosis LLC, a security consulting practice. Chris Pepper, a systems administrator, is a TidBits contributor.]