Re: Leopard Firewall Warning



In article <071120071959574231%nospam@xxxxxxxxx>,
Elliott Roper <nospam@xxxxxxxxx> wrote:
> So far your views are pretty logical on this subject. I wonder if you
> would care to comment on my dopey ignorant questions interspersed below
>
> I never understood why port-based was secure. At best it makes it
> 60mumble thousand times more tedious to find a hole. AFAICS it is
> normally a long way from "at best". Any given target is listening on
> some more or less constant port?

You can do some more useful things with it too - you can say that only
machines on a particular network can access a port. So, for example,
for several of my services at home, I allow access from my wired
network, but not my [less secure] wireless network.

>> The new scheme is an XP-style application based firewall; in other words
>> when the request comes in the firewall looks at the application that's
>> listening, and decides based on whether that application is allowed to
>> access the Internet.
>
> On the face of it, that is pretty neat. The signatures on the
> application, if properly administered, would make it several billion
> times more difficult to subvert.

Absolutely.

>> 1) You can't control *which* ports a particular app is allowed to use.
>> It can either use absolutely anything, or nothing.
>
> ... and that matters because? Just the hassle for the attacker of
> guessing which port?

It doesn't matter so much for *incoming* attacks. It matters hugely for
controlling *outgoing* connections (and therefore stopping trojans from
doing damage to other machines on your network, or out on the internet).

>> 2) Certain applications are allowed to access the network by default,
>> because they have been signed by Apple. One such application is nc, a
>> command line TCP client. This, as an example, allows an attacker, once
>> they gain any access to your system at all, to open arbitrary ports on
>> your system and do more or less whatever they like, with the privileges
>> of the user running nc.
>
> But but but. If they can only connect those ports to properly signed
> applications (that left home with no weakness), what's the problem
> (after denial of service attacks)?

This is *outgoing* again. You can use nc to attack pretty much any
network service on any machine you can see.

>> 3) When you enable an application to access the network, Apple signs the
>> application. This is in theory a good security measure; if the
>> application is modified later, the signature will be invalidated, and
>> the access will be revoked. This is a nice protection against virii and
>> trojans. However, if the application already does integrity checking on
>> itself, it will break. This is why World of Warcraft stops working if
>> you enable it on the new firewall. I dare say many other applications
>> will similarly be affected.
>
> Surely that only happens if the application writes its signature back
> to itself? What if it puts it where it is supposed to, like WoW and
> Skype don't?

I'm not saying it's a bad idea. I'm just saying it causes some problems
at the moment.

>> 4) Even when you switch the firewall on completely, there are certain
>> applications which are always listening and open (ntp is the example the
>> article gives). This would be bad enough, since it's a root service,
>> but it's made worse because Apple have shipped an old and known buggy
>> version.
>
> Of ntp? Pray tell.

That was what Heise was suggesting. But the point still stands; let's
say such a vulnerability is discovered - you have *no* way of taking
mitigating action and blocking the port until Apple release a patch.

>> The people who I would worry about are people using laptops on the road
>> using open Wifi access points, such as at conferences and so on. Unless
>> they know how to configure the ipfw firewall by hand, I think they are
>> currently at risk.
>
> What's the risk?

The risk is largely unknown, at present. Questions have been raised,
and until I see a rebuttal from Apple, I prefer to be somewhat paranoid.
Otherwise if we are compromised at work, I lose my job. First rule of
System Administration - cover your arse. :-)

> I'd agree that is prudent. After all, there have been bugger all Mac
> viruses with the old set-up.

There's a trojan in the wild at the moment, although I think Leopard
should be actually a bit more resistant to it than Tiger, since Tiger's
GUI didn't allow you to set outgoing firewall rules either.

> Hmm. I came across as more argumentative than I would have wished. I
> really would like to know, especially the part about why port
> filtering is a good thing.

It helps against back doors, once a non-privileged account has been
compromised. Hacker tries to set up a program listening to a particular
port, but it won't help because the firewall won't let any packets reach
the hacker's service. Admittedly, Apple's new firewall should help in
this regard too, since the new binary won't be signed. <thinks> Ah, but
what about scripting languages? I bet Apple's perl interpreter is one
of the signed binaries, so I will be able to write and run arbitrary
scripts to let myself into the machine...

Tim
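[Editor's added example, not part of Tim's or Elliott's posts.] The reply above says a laptop on open WiFi is only safe if its owner knows how to "configure the ipfw firewall by hand", and the thread names three things the port-based ipfw can do that the Leopard application firewall cannot: admit a service port from one network but not another, block the always-listening root service (ntp on udp/123), and restrict outgoing connections so a signed nc or perl cannot be used against other hosts. The script below is one such hand-written ipfw ruleset covering all three. Everything specific in it is an assumption for illustration: the trusted wired network 192.168.1.0/24, the protected service AFP on tcp/548, the outgoing port whitelist, and the rule numbers.

```shell
#!/bin/sh
# Added example (not from the original thread): a hand-written ipfw
# ruleset for a Leopard laptop. Assumed values, adjust to taste:
#   TRUSTED_NET  - the wired LAN allowed to reach the service (assumed)
#   SERVICE_PORT - the service to protect, AFP file sharing (assumed)
TRUSTED_NET="${TRUSTED_NET:-192.168.1.0/24}"
SERVICE_PORT="${SERVICE_PORT:-548}"

# Print the ruleset on stdout. Rule numbers leave gaps so rules can be
# inserted later without renumbering. Lines starting with # are comments
# and are stripped before the rules are handed to ipfw.
build_rules() {
    cat <<EOF
# loopback traffic is always allowed
add 100 allow ip from any to any via lo0
# let replies to connections/datagrams we started back in
add 200 check-state
add 300 allow tcp from any to any established
# the port-based rule from the thread: the service is reachable from the
# wired network only; everyone else (including the wireless LAN) is
# refused by the firewall, regardless of which app is listening
add 1000 allow tcp from ${TRUSTED_NET} to me dst-port ${SERVICE_PORT} in
add 1010 deny tcp from any to me dst-port ${SERVICE_PORT} in
# the always-open root service: ntpd listens on udp/123 even with the
# application firewall on. Let our own queries out and their answers
# back (keep-state); drop any unsolicited inbound packet to it
add 2000 allow udp from me to any dst-port 123 out keep-state
add 2010 deny udp from any to me dst-port 123 in
# outgoing control: only a short whitelist of destination ports, so a
# signed nc or perl cannot be pointed at arbitrary services elsewhere
add 3000 allow tcp from me to any dst-port 22,53,80,443,${SERVICE_PORT} out setup keep-state
add 3010 allow udp from me to any dst-port 53 out keep-state
add 3020 deny log ip from me to any out
# default deny, logged, for anything not matched above
add 65000 deny log ip from any to any
EOF
}

# Number of rules in the ruleset (comments and blank lines excluded).
count_rules() {
    build_rules | grep -c '^add '
}

# Load the ruleset into the running kernel. Needs root and a BSD ipfw;
# Leopard ships one at /sbin/ipfw. ipfw rules are not persistent: they
# are gone after a reboot unless something re-applies them at startup.
apply_rules() {
    if [ ! -x /sbin/ipfw ]; then
        echo "no /sbin/ipfw here; use --show to print the rules" >&2
        return 1
    fi
    tmp=$(mktemp /tmp/ipfw.XXXXXX) || return 1
    build_rules | grep -v '^#' > "$tmp"
    /sbin/ipfw -q flush          # drop whatever was loaded before
    /sbin/ipfw -q "$tmp"         # ipfw reads one rule per line from a file
    rm -f "$tmp"
    /sbin/ipfw list              # show what the kernel actually holds
}

case "${1:-}" in
    --apply) apply_rules ;;
    --show|"") build_rules ;;
esac
```

Run `sh leopard-ipfw.sh --show` to review the rules and `sudo sh leopard-ipfw.sh --apply` to load them; the trailing `ipfw list` is the check that the rules the kernel holds are the ones you meant. Rule 1010 is what makes the scheme port-based rather than application-based: a back door that a compromised unprivileged account starts on port 548 is unreachable from anything but the trusted network, whatever binary is listening, and rule 3020 is the outgoing control the thread says the Leopard GUI cannot express per port.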