Re: Leopard Firewall Warning



So far your views are pretty logical on this subject. I wonder if you
would care to comment on my dopey ignorant questions interspersed below.
In article <87m*G2hZr@xxxxxxxxxxxxxxxxxxxxxxxxxxx>, Tim Cutts
<timc@xxxxxxxxxxxxxxxxxxxxxx> wrote:

In article <fgbdm1$40s$1@xxxxxxxx>, Rolly <none@xxxxxxxxxxx> wrote:
This doesn't look good at all:

http://www.heise-security.co.uk/articles/print/98120

I truly hope the article is inaccurate.

Sadly, it is not. Leopard has a completely new firewall paradigm, which
is application based, not port-based. The old port-based firewall,
ipfw, is still there, but is switched off by default.

I never understood why port-based was secure. At best it makes it
60mumble thousand times more tedious to find a hole. AFAICS it is
normally a long way from "at best". Any given target is listening on
some more or less constant port?

The new scheme is an XP-style application based firewall; in other words
when the request comes in the firewall looks at the application that's
listening, and decides based on whether that application is allowed to
access the Internet.
On the face of it, that is pretty neat. The signatures on the
application, if properly administered would make it several billion
times more difficult to subvert.

There are a number of problems with this new firewall:

1) You can't control *which* ports a particular app is allowed to use.
It can either use absolutely anything, or nothing.
.... and that matters because? Just the hassle for the attacker of
guessing which port?

2) Certain applications are allowed to access the network by default,
because they have been signed by apple. One such application is nc, a
command line TCP client. This, as an example, allows an attacker, once
they gain any access to your system at all, to open arbitrary ports on
your system and do more or less whatever they like, with the privileges
of the user running nc.

But, but, but: if they can only connect those ports to properly signed
applications, (that left home with no weakness) what's the problem
(after denial of service attacks)?

3) When you enable an application to access the network, Apple signs the
application. This is in theory a good security measure; if the
application is modified later, the signature will be invalidated, and
the access will be revoked. This is a nice protection against virii and
trojans. However, if the application already does integrity checking on
itself, it will break. This is why World of Warcraft stops working if
you enable it on the new firewall. I dare say many other applications
will similarly be affected.
Surely that only happens if the application writes its signature back
to itself? What if it puts it where it is supposed to, like WoW and
Skype don't?

4) Even when you switch the firewall on completely, there are certain
applications which are always listening and open (ntp is the example the
article gives). This would be bad enough, since it's a root service,
but it's made worse because Apple have shipped an old and known buggy
version.
Of ntp? Pray tell.

So what to do about this? Well, you can use one of the old Firewall
GUIs that are around to re-enable the port-based firewall, but that
obviously requires some expertise and knowledge of what ports you need
open. It's a bit fragile anyway, because (as I discovered) Leopard will
keep switching the ipfw firewall off if you do certain things, such as
using Internet Connection Sharing.

My recommendation, at the moment, is that if you have the skills to
configure ipfw, and you don't need to use internet connection sharing,
then do that.

If you're behind some other firewall, like a home router, then you're
also safe.

The people who I would worry about are people using laptops on the road
using open Wifi access points, such as at conferences and so on. Unless
they know how to configure the ipfw firewall by hand, I think they are
currently at risk.
What's the risk?
At my workplace, we consider the firewall problems in Leopard
sufficiently serious that we are not upgrading anyone to it.
I'd agree that is prudent. After all, there have been bugger all Mac
viruses with the old set-up.

Hmm. I came across as more argumentative than I would have wished. I
really would like to know, especially the part about why port
filtering is a good thing.

--
To de-mung my e-mail address:- fsnospam$elliott$$
PGP Fingerprint: 1A96 3CF7 637F 896B C810 E199 7E5C A9E4 8E59 E248
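The "expertise and knowledge of what ports you need open" that re-enabling ipfw demands is mostly a matter of first finding out what is actually listening. The script below is an added example, not code from either poster: it parses `sudo lsof -i -P -n` style output to list the sockets that accept unsolicited traffic (TCP listeners and unconnected UDP sockets such as ntpd on 123), drops the loopback-only ones, and emits a default-deny inbound ipfw ruleset in which only the (proto, port) pairs you explicitly allow are opened. The lsof lines are constructed sample input, not captured from a real machine; the rule numbers and the use of `keep-state` for outbound traffic (so ntp client replies still arrive even though inbound 123 is denied) are design choices made here, not anything the original post prescribes.

```python
"""
Added example (not from the original post): find what is listening on a
Leopard box and build an ipfw ruleset that exposes only chosen ports.
The sample lsof output below is constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample of `sudo lsof -i -P -n` output (not real captured data).
SAMPLE_LSOF = """\
COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ntpd       32  root   20u  IPv4 0x0001      0t0  UDP *:123
ntpd       32  root   21u  IPv6 0x0002      0t0  UDP *:123
launchd     1  root   12u  IPv4 0x0003      0t0  TCP *:22 (LISTEN)
cupsd      40  root    7u  IPv4 0x0004      0t0  TCP 127.0.0.1:631 (LISTEN)
Skype     812  alice  45u  IPv4 0x0005      0t0  TCP *:53421 (LISTEN)
Safari    900  alice  30u  IPv4 0x0006      0t0  TCP 10.0.1.5:49201->17.0.0.1:443 (ESTABLISHED)
nc        950  alice   3u  IPv4 0x0007      0t0  TCP *:4444 (LISTEN)
"""

Socket = Tuple[str, str, str, int]  # (command, proto, bind address, port)
LOOPBACK = {"127.0.0.1", "[::1]", "localhost"}


def listening_sockets(lsof_output: str) -> List[Socket]:
    """Sockets that accept unsolicited traffic: TCP in LISTEN, or UDP
    sockets bound without a peer (UDP has no LISTEN state in lsof)."""
    found: List[Socket] = []
    for line in lsof_output.splitlines()[1:]:        # skip the header row
        fields = line.split(None, 8)                  # NAME may contain a space
        if len(fields) < 9:
            continue
        cmd, proto, name = fields[0], fields[7], fields[8]
        if proto not in ("TCP", "UDP") or "->" in name:
            continue                                  # connected socket, not a listener
        endpoint, _, state = name.partition(" ")
        if proto == "TCP" and state != "(LISTEN)":
            continue
        addr, _, port = endpoint.rpartition(":")
        found.append((cmd, proto.lower(), addr, int(port)))
    return found


def exposed_sockets(sockets: List[Socket]) -> List[Socket]:
    """Listeners reachable from the network, i.e. not bound to loopback only."""
    return [s for s in sockets if s[2] not in LOOPBACK]


def ipfw_rules(sockets: List[Socket], allow: Set[Tuple[str, int]]) -> List[str]:
    """Default-deny inbound ipfw ruleset. `allow` holds the (proto, port)
    pairs the administrator has decided to expose; every other exposed
    listener gets its own deny rule so `ipfw show` reports hits per port.
    Rule numbers are an arbitrary choice made for this example."""
    rules = [
        "add 100 allow ip from any to any via lo0",          # loopback untouched
        "add 200 check-state",                               # admit replies to our own traffic
        "add 300 allow tcp from me to any out setup keep-state",
        "add 310 allow udp from me to any out keep-state",   # ntp client replies come back this way
        "add 320 allow icmp from any to any icmptypes 0,3,11",
    ]
    # One rule per (proto, port); IPv4 and IPv6 listeners on the same port collapse.
    seen: Dict[Tuple[str, int], str] = {}
    for cmd, proto, _addr, port in exposed_sockets(sockets):
        seen.setdefault((proto, port), cmd)
    n = 1000
    for (proto, port), _cmd in sorted(seen.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        if (proto, port) in allow:
            setup = " setup" if proto == "tcp" else ""
            rules.append(f"add {n} allow {proto} from any to me dst-port {port} in{setup}")
        else:
            rules.append(f"add {n} deny {proto} from any to me dst-port {port} in")
        n += 10
    rules.append("add 65000 deny log ip from any to any in")  # everything else, logged
    return rules


if __name__ == "__main__":
    sockets = listening_sockets(SAMPLE_LSOF)
    for cmd, proto, addr, port in exposed_sockets(sockets):
        print(f"exposed: {cmd:8s} {proto} {addr}:{port}")
    print("\n".join(ipfw_rules(sockets, allow={("tcp", 22)})))
```

To use it on a real machine, feed it the output of `sudo lsof -i -P -n`, review the exposed list (the Skype and nc entries in the sample are exactly the kind of thing you want to see before deciding what to allow), write the emitted rules to a file and load them with `sudo ipfw -q /path/to/rules` after `sudo ipfw -f flush`. Confirm the filter is actually on with `sysctl net.inet.ip.fw.enable`, and re-check it after anything that, as the post notes, makes Leopard switch ipfw off again.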