Log in

No account? Create an account
Tinkering, FF Sparks (Madgirl)

[Geek] Mac OS X Security Thoughts

(Yes, I still need to do two weeks of horse posts. It's been chaos.)

Okay. Most of you know that I use both Mac and PC on a day-to-day basis, but that I vastly prefer my Mac to my PC for a variety of reasons. Most of you also know that I consider Mac OS X to be rather more secure than Windows. However, I vehemently disagree with the people who feel 'well, I'm on a Mac, I don't need to really take security into consideration.'

I am a firm believer that no operating system -- not Windows, not Mac OS X, not even Linux -- is inherently 'secure.' Windows exploits are of course the most common: partly because Windows has a really abysmal security model, but also quite a bit because it hits the largest slice of computer users unaware of security considerations. But there have been critical bugs in Apple before. Rarely actually exploited for malware, but there are nonetheless. And, of course, there are always Linux exploits out there.

Even a Linux user who just goes 'well, I'm on Linux, I'm secure!' and then just runs an out-of-box configuration is eventually going to be vulnerable. Computer security relies very heavily on both user awareness and user action.

So, back to Mac OS X. Most of us would never consider giving an only semi-computer-literate person a Windows box without installing something like ZoneAlarm Pro and McAfee Antivirus. Most of us who run Linux servers have things like LogWatch, Tripwire, Splunk, and so on installed to keep an eye on our servers, as well as subscribing to security lists. So why is it that so many Mac OS X folks scoff at running security programs?

"Why do I need anything more than Apple's firewall? Why do I need antivirus software?" Because you do. Every OS does.

Antivirus on Mac OS X is something to be examined another day. Today, we'll be talking about firewalls!

Apple's firewall is decent -- but it doesn't (by default) block UDP traffic, and it kind of obscures a lot of things. I rate it slightly higher than the default Windows firewall for letting me open specific ports (so I can serve a website or whatever), but it gets major negative marks for the UDP thing. ESPECIALLY leaving mDNS open to the world, which is my pet-peeve when it comes to Apple security. (I don't really want Joe Random Hacker being able to ask my machine's mDNS server what things I'm running, thanks. That's just like handing out a menu of exploits.) In addition -- like the Windows firewall -- it makes no checks on outgoing traffic.

Many people on Windows love ZoneAlarm Pro for its ability to control access even outgoing as well as incoming. On Mac OS X, I've found the closest equivalent to be NetBarrier X. This is unfortunate in some ways, since it's a $70 commercial product, and I haven't found a good free equivalent. Still, it's worth the $70. I recently upgraded my machines to NetBarrier X4, the most recent version.

First of all, NetBarrier X's core is a very small and efficient kernel module firewall. I don't notice any performance hit from it on my Mac mini or Powerbook. It stays behind the scenes, it logs whatever I tell it to, and it gives me all kinds of control. Like ZoneAlarm Pro, it allows content filtering -- you can add your e-mail addresses, your credit card information, and so on, and any time it spots that string in network traffic, it flags for your attention. Also like ZoneAlarm Pro, it protects against unexpected or unwanted connections going OUT from your machine.

However, while it lives down in the UNIX kernel layer, it has a really lovely GUI that hooks into it and gives you a great deal of freedom in configuring it. In fact, the reason I first stumbled onto it was the wonderful degree of control I get from the firewall portion. Here is a screenshot of my firewall rules in NetBarrier X4.

Those who know firewalls can probably piece most of it together, even though I've given things (like ppp0, the USB ppp connection my PocketPC makes when docked) friendly names. I can do more advanced blocking than just ports, as you can see; I block all ICMP traffic save the reply packets I need to run ping and traceroute on other machines. I can compose some pretty complex rules, every bit as powerful as I could with the ipfw command line tool. I just get to also give stuff friendly names and icons to make it easier to read. ;)

For those who don't know firewalls, though, it can come up with some very nice defaults ('client, local server' is a particularly sane one for desktop machines, and 'client only' for wireless-roaming laptops). If you want to customize, it has an assistant and a drag-and-drop template, so you can do things like drag, say, 'Skype' or 'Quake II' from the drag-and-drop template and voila, rules appear to let Skype or Quake II be used.

It also will keep track of outgoing connections from programs, and ask if they're allowed to connect to that port. Most programs, I have a list of ports for them (if you 'approve' or 'deny' a port for a program, it automatically adds to the list), but -- for instance -- my FTP program, Transmit, is set to 'Approve' so that it doesn't ask me every single time it tries to open an FTP data port. ;)

When a program hits a previously un-authorized port, it pops up an alert dialog asking for the user to approve or deny. I removed 'port 80' from the list of authorized ports for Xjournal before opening it to make this post, so that I could get a screenshot; as you can see, NetBarrier immediately asked me to authorize or deny it.

It also keeps quite detailed log files. As you can see from where I highlighted, if you're portscanned or ping-flooded or any number of other things, it will prompt you to add a host to the block list. If you do not reply before the dialogue times out, it can be set to automatically block. As in this case, where I was not at the computer at 5:45 in the morning, and so it auto-blocked someone portscanning me. Most Mac users wouldn't even be aware they HAD been portscanned. And while it's not a huge issue right now since there's not many Mac OS X exploits really out in the wild, as the Mac market share grows (because it /has/ grown in the past year), the idea of Mac malware will become more attractive to malware authors.

Overall, NetBarrier X has some very sane defaults; the medium security setting in the wizard is sufficient for most users. Once you've approved programs, you never even need to really see it again; the majority of the time it's just there, out of sight and out of mind, doing its job. It actually intrudes on me less than ZoneAlarm Pro does over on Windows. :)

However, despite the 'get it set up and get out of my way' factor, for those used to administering UNIX servers and writing their own firewall rules, it also gives a degree of control I quite appreciate. This is why I use it as a firewall.

There are a number of other good Mac OS X firewall programs, but I consider NetBarrier by far the 'best of breed,' hence why I used it to discuss this. :)
Tags: ,


Yep. Been there, seen it. We didn't have much trouble in the longrun with trojans and viruses on our macs in the lab back way when, but that was mostly because the machines were re-imaged every night by Assimilator. I <3 Assimilator. *_*
I use Little Snitch - nowhere near as much control, but it's enough for the average user. It pops up a dialog when a new outgoing connection is detected, with the choices to allow/deny connections to the given port, the given server, the given port & server, or any connection from that program, and lets you specify "Once", "Until program quits", or "Forever".
Good, informative post. Mind if I point people at it?
Feel free!