Slashdot Mirror

← Back to Stories (view on slashdot.org)

OS X Leopard Firewall Flawed

Posted by kdawson on from the block-what-i-say dept.

cycoj writes with a report in the German IT magazine Heise, taking a look at the new OS X Leopard firewall. They find it flawed. When setting access to specific services and programs to only allow SSH access, for example, they found that a manually started service was still accessible. From the article: "So the first step after starting Leopard should be to activate the firewall. The obvious choice to do so is the option to 'Set access to specific services and programs,' which promises more control over network traffic. Mac OS X automatically enters all shared resources set up by the user, such as 'Remote login' for SSH servers, into the list of accessible resources... However, initial functional testing quickly dispels any feeling of improved security. A service started for testing purposes was able to be addressed from outside without any difficulty. The firewall records this occurrence... Even with the firewall set to 'Block all incoming connections' ports to netbios, ntp and other services were still open... Specifically these results mean that users can't rely on the firewall."

6 of 300 comments (clear)

  1. Never put your eggs in one basket. by jellomizer · · Score: 5, Informative

    Leson 1.
    Never Trust Software firewalls. Software firewalls are only should be used in protection against "internet static" attacks. Where just random worms and viruses are trying to get in. Software Firewalls
    Are normally bad against direct attacks from real hackers. Because there are so many ways to trick the user to install software to get around it...

    Lesson 2.
    Never trust anyone to keep security up. Apple, Microsoft, Linux Distributions, even Open BSD they are all made by humans and humans make mistakes and forget to check out things...

    Lesson 3.
    Always keep a hardware firewall even if it is a cheap Linksys Firewall/Router they will double up protection and keep your system relatively safe.

    Lesson 4.
    Never assume that you are 100% safe. There are always ways around things...

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Never put your eggs in one basket. by Zenaku · · Score: 5, Informative

      If the the layers of security are really layers of security, then no you couldn't argue that. You have to breech the outtermost layer before you can even attack the second layer, and you have to breech that layer before you can attack the third, etc.

      --
      If fate makes you a motorcycle, you become a motorcycle.
  2. Little Snitch anyone? by solosaint · · Score: 5, Informative

    most powerusers I know use Little Snitch ... its better than the firewall apple includes

  3. Re:As any new OS by croddy · · Score: 5, Informative

    "Defective by design" is not typically used to refer to "any defective technology, har har", except by a few folks here on Slashdot. "Defective by Design" is a campaign of the FSF, referring specifically devices or software that are deliberately crippled with DRM. see defectivebydesign.org.

  4. I am not convinced by avatar4d · · Score: 5, Informative
    This article is a bit fishy in its interpretation. They don't list their expectations vs the results.. They just make assumptions. For instance:

    Users who want to raise their security level might choose the option "Block all incoming connections" - in the hope that this really will reject all incoming queries to network services.


    Which it appears to do if you look at the quote below. They show a deny in their logs. Seems to work so far.

    The initial tests looked promising. The SSH server activated for testing purposes and the primitive demo backdoor could no longer be accessed from outside. The firewall even blocked access to a test server on a UDP port:

    Oct 29 11:26:49 Qf98e Firewall[44]: Deny nc data in from 193.99.145.XXX:28524 uid = 0 proto=17

    However, a simple port scan was enough to destroy our misplaced optimism:

    # nmap -sU 192.168.69.21
    PORT STATE SERVICE
    123/udp open|filtered ntp
    137/udp open|filtered netbios-ns
    138/udp open|filtered netbios-dgm
    631/udp open|filtered unknown
    5353/udp open|filtered zeroconf
    MAC Address: 00:17:F2:DF:CD:B3 (Apple Computer)


    They are now basing an assumption (or marketing spin) because of output from an Nmap scan. This just indicates a flaw in the signature Nmap has (or the lack thereof) for this particular firewall implementation.

    Then straight from NMAP's documentation:

    "Nmap reports the state combinations open|filtered and closed|filtered when it cannot determine which of the two states describe a port." -(http://insecure.org/nmap/man/)

    And as for the NTP response being received, well that goes back to what we should expect to see. Apple is about usability. I would suspect that "Block all INCOMING connections" to not refuse information that I request. Basically this just does ingress filtering and not egress.

    I haven't read the entire article yet, but from my brief scan I don't see how this is not a "functioning" firewall.
    --
    Confucius say: "Man who associates with smarter men than himself is smarter than the men he associates with."
  5. Re:A hardware firewall explained by Anonymous Coward · · Score: 5, Informative

    Actually, no, the literal definition of a firewall is a wall built to block the spread of fire, like the wall between the engine and passenger sections of a car. Not a wall made of fire, lol.