11.12. Firewalls

Unlike many other operating systems, Mac OS X ships in a secure state with all network services disabled. This means you can be fairly certain that no matter what network you find yourself on, the likelihood of somebody cracking into your machine is very low. However, as you turn on various services, such as file or web sharing, the ports used to support those services on your computer are opened up, which means they can receive data from the network. For the most part, Apple does a good job of releasing security updates, making sure that these services are patched as soon as vulnerabilities are discovered.

If you are truly paranoid and want to take every step possible to control access to your Mac, you can enable Mac OS X's built-in firewall, which is based on ipfw and performs packet filtering at the kernel level. You can turn on the firewall in System Preferences → Sharing → Firewall, as shown in Figure 11-17. When you enable the firewall, only packets that correspond to the rules you set up in the Allow list are allowed into your machine; all other packets are dropped. The default rules are set up so that any services you share are allowed. However, other ports, such as those needed to use iChat over Bonjour, are closed by default. To allow these ports, enable the corresponding rule for the service you want to allow.

Figure 11-17. The Firewall configuration panel

To open ports for services not listed, you'll need to create rules. Clicking the New button in the firewall pane brings up the sheet shown in Figure 11-18. Several default services are listed in the Port Name pull-down menu for easy selection. However, only a limited number of the services that you might want to enable are listed. For example, the ports used by iChat during a voice or video chat aren't listed in the default rules or in the list of rules to add. You'll have to add the ports yourself using the Other option in the pull-down menu.

Note: Information about which ports to open for iChat AV can be found in Apple Knowledge Base article 93208 (http://docs.info.apple.com/article.html?artnum=93208). A list of the well-known ports used by Apple software is contained in Apple Knowledge Base article 106439 (http://docs.info.apple.com/article.html?artnum=106439). You can also find a list of the ports commonly used on Mac OS X in Table 11-1.
Since the firewall is based on ipfw, it is possible to manipulate the firewall and its rules from the command line. However, doing so is dangerous. It is easy to craft rules that look secure yet make things worse than they were to begin with, giving you a false sense of security. It is also easy to lock yourself out of your computer when editing rules remotely, or even to put your computer in an unusable state by tweaking the wrong rule. The bottom line is that even though you can go into the depths of firewall configuration using ipfw, you're strongly urged not to. It's an area where it is far too easy to do more harm than good.

If you need more flexibility in your firewall than the GUI gives you, you should be using an external firewall. In fact, if you are worried enough about the security of your system to turn on the built-in firewall, you really should be using an external firewall. It is much more effective to have network security performed in a dedicated external device than to configure a piece of software on the machine that, if compromised, can give access to the internals of the machine. This is as true of third-party, add-on firewall products as it is of ipfw.

When you want to secure your machine in a network environment that you don't control, such as in a café, turn off all the services your machine has enabled in the Sharing preference pane, make sure that iChat's Bonjour mode is turned off, and make sure that you aren't sharing your iTunes music library. By turning off these services, you've done more to secure your machine than any firewall can do.

Third-Party Firewall Software

Portable users are quick to point out that there are often times when you have no way to insert a hardware device between your Mac and the Internet. The convenience of wireless networking belies its security risks, especially on public access points. You might find yourself wanting a more configurable software firewall to protect your Mac for those situations when a hardware solution just isn't possible. Luckily, several third-party solutions are available. Two popular packages are FireWalk X (http://www.pliris-soft.com/products/firewalkx/index.html) and BrickHouse (http://personalpages.tds.net/~brian_hill/brickhouse.html). Both offer a variety of enhancements to Mac OS X's built-in firewall at a nominal cost. Trial versions are also available for both of these firewall enhancers, making it easy to decide which one works best for your particular needs.

While Mac OS X does a great job of blocking undesired inbound traffic, it does nothing to filter outbound traffic. Egress filtering, that is, filtering outbound connections, has become a necessary consideration with today's crop of software phoning home to its developers. Even though spyware is virtually nonexistent on Mac OS X, there are still legitimate software applications that may disclose more personal information than you'd like. Once again, a third-party solution is available to enhance this aspect of the Mac OS X firewall. Objective Development's Little Snitch (http://www.obdev.at/products/littlesnitch/index.html) is a System Preferences panel that adds egress filtering to Mac OS X. It works by monitoring which applications are attempting to access network resources and then presenting the user with a confirmation dialog. The user can then allow or deny the application's access to that resource, either for a specific connection or for all connections meeting those criteria. Little Snitch is a shareware application, and a demo version is available from the developer.

Finally, packet filter firewalls do a great job of keeping most nasties out, but for those who are a little more security conscious, look no further than HenWen (http://seiryu.home.comcast.net/henwen.html). HenWen is an open source application that aims to make the popular Network Intrusion Detection System (NIDS) Snort (http://www.snort.org/) simple to configure and use on Mac OS X. A NIDS examines traffic that does make it past the firewall, searching for patterns of malicious traffic. HenWen does an excellent job of putting Snort to work protecting your Mac.

For Tiger, Apple added a few small enhancements to the built-in firewall. You can find these new options by clicking the Advanced button on the Firewall pane, which reveals a sheet with the following options:

Block UDP Traffic
As was mentioned earlier, UDP is one of the two primary IP protocols used to access a network. When enabled, Mac OS X's built-in firewall blocks all inbound TCP connections except those specifically allowed. However, its default configuration does nothing to block UDP traffic. By enabling this option, the firewall blocks all inbound UDP traffic except that which has been specifically allowed.

Enable Firewall Logging
The beauty of Mac OS X's firewall is that, consistent with Apple's other creations, it just works. You enable it and it runs in the background, never to disturb you again. However, it isn't very forthcoming, either. By default, the firewall does not log the connections it denies. Upon enabling this advanced option, Mac OS X logs unauthorized network access attempts to /var/log/ipfw.log. You can view the log by clicking the Open Log button, which opens Mac OS X's Console (/Applications/Utilities) to the appropriate logfile.

Enable Stealth Mode
When Mac OS X blocks a connection, it specifically notifies the offending host that the connection has been denied. With Stealth Mode enabled, the firewall still blocks the connection, but it does not notify the offender. To an attacker, this makes it seem as if your computer does not exist on the network.

Figure 11-18. Adding a rule to the firewall

Note: While Stealth Mode deters many attackers, a savvier miscreant will see through the façade. When a host is truly not there, Internet standards require that the last router before the destination host respond with an ICMP message indicating that the host or network is unavailable. Stealth Mode simply doesn't respond, signaling to the attacker that something must still be there.
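The Enable Firewall Logging option described above only writes denials to /var/log/ipfw.log; reading them is left to you. As an added example (not from the book), the following Python script summarizes denied inbound connections from a few constructed log lines and flags sources that were refused on several distinct ports. It assumes the standard ipfw syslog line shape (`ipfw: <rule> Deny TCP <src>:<port> <dst>:<port> in via <iface>`), which is an assumption about the file's format rather than something the book states.

```python
import re
from collections import Counter

# Line shape assumed from ipfw's standard syslog output (an assumption, not stated by the book):
#   <timestamp> <host> ipfw: <rule> <Action> <PROTO> <src>:<sport> <dst>:<dport> <in|out> via <iface>
IPFW_RE = re.compile(
    r"ipfw:\s+(?P<rule>\d+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<dir>in|out)\s+via\s+(?P<iface>\S+)"
)

def parse_ipfw_line(line):
    """Return the fields of one ipfw log line as a dict, or None if it is not an ipfw line."""
    m = IPFW_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def summarize_denies(lines):
    """Count denied inbound packets per (source IP, protocol, destination port)."""
    counts = Counter()
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec and rec["action"] == "Deny" and rec["dir"] == "in":
            counts[(rec["src"], rec["proto"], rec["dport"])] += 1
    return counts

def flag_port_sweeps(lines, threshold=3):
    """Return source IPs denied on at least `threshold` distinct destination ports."""
    ports_by_src = {}
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec and rec["action"] == "Deny" and rec["dir"] == "in":
            ports_by_src.setdefault(rec["src"], set()).add(rec["dport"])
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= threshold)

# Constructed sample log lines, not a real capture.
SAMPLE_LOG = """\
Apr  3 10:12:01 powerbook ipfw: 12190 Deny TCP 192.168.1.77:51234 192.168.1.10:22 in via en1
Apr  3 10:12:02 powerbook ipfw: 12190 Deny TCP 192.168.1.77:51235 192.168.1.10:548 in via en1
Apr  3 10:12:02 powerbook ipfw: 12190 Deny TCP 192.168.1.77:51236 192.168.1.10:80 in via en1
Apr  3 10:12:05 powerbook ipfw: 35000 Deny UDP 192.168.1.20:5353 224.0.0.251:5353 in via en1
Apr  3 10:12:06 powerbook ipfw: 12190 Deny TCP 192.168.1.77:51237 192.168.1.10:22 in via en1
Apr  3 10:12:07 powerbook ipfw: 02000 Allow TCP 192.168.1.20:4100 192.168.1.10:548 in via en1
Apr  3 10:12:09 powerbook configd: network change detected
""".splitlines()
```

Call `summarize_denies(SAMPLE_LOG).most_common()` to list the noisiest (source, protocol, port) triples, and `flag_port_sweeps(SAMPLE_LOG)` to see which sources probed several ports; replace `SAMPLE_LOG` with the lines of /var/log/ipfw.log to run it against a real log.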