I’m not saying that there shouldn’t be security. I just think that security should be one of the main jobs of every service that uses a port. As long as programmers know that there is a firewall, there is little urgency to secure their own code. They may not consciously think about the firewall, but they don’t have to in order for it to affect their work.
First, this assumes that there is such an achievable thing called perfect security. If every user could know where every piece of information came from at all times and had the ability to terminate any inbound or outbound communication, then not even the OS would need to be involved.
Second, this treats a built-in firewall as distinct from the OS; however, the line between application and operating system is far less clear. Think back to cases against MS: Is the browser a piece of software or part of the operating system and necessary for navigating the file tree?
In other words, we need software (add-on or part of the OS itself) to manage the massive volume of data being moved to and from our computers. It is not the browser or some other software that is the problem; rather, it is the probability that Apple’s servers, Akamai’s servers, and a dozen other companies’ servers are feeding data together to let you shop at the Apple store or visit this site (you didn’t think “Ads by Yahoo!” meant that Yahoo sent its ads to Mac360 for them to host, right?).
Yes, one app may use one port, but a firewall manages what is done with the connection on that port, which goes beyond what any programming team can anticipate, especially when standards can change so rapidly. If you really want to waste time and money, put it on the programmers. They will bill more hours and drive up the cost of every piece of software, and your security will be no better.
Yes, one app may use one port, but a firewall manages what is done with the connection on that port, which goes beyond what any programming team can anticipate, especially when standards can change so rapidly.
That makes no sense at all! How is it possible that one piece of software can manage what is done with a port, yet another cannot? We’re supposed to believe that a firewall can better anticipate all the vulnerabilities of all the services provided by an OS than any of those services? Face the fact: firewalls don’t really manage traffic so much as they block it.
Even if a firewall could do a better job, it still would make it less likely that security holes would be fixed. Windows and AV software is a good example. Many old vulnerabilities still exist today because resources were poured into profit taking measures like One Care instead of fixing the source of the problem.
Is IE part of Windows? Microsoft has certainly done their best to make it appear that it is, but no it is not. No matter how entwined they make it, it is still a separate application that serves to demonstrate the danger of buying from a company that doesn’t put the needs of users first. Just like IE, firewalls are and always will be separate applications. The difference is that there is a legitimate need for a browser while a firewall’s only reason for being is to cover up flaws in the operating system.
That makes no sense at all! How is it possible that one piece of software can manage what is done with a port, yet another cannot? We’re supposed to believe that a firewall can better anticipate all the vulnerabilities of all the services provided by an OS than any of those services? Face the fact: firewalls don’t really manage traffic so much as they block it.
That makes no sense at all! How can one piece of software manipulate pixels in an image (Photoshop) and another cannot (Outlook)? It’s what the software is designed to do! Of course, software designed to manage port security is going to be able to manage that port, where other software will not be. Some software can render web pages too, but other software can’t. I’m not sure what you were getting at there.
I use a third party firewall (software) to BLOCK ACCESS to all ports that I’m not actively using myself for some service I want the outside world to access. I tell the firewall to open ports for serving a web site, and serving email, and serving ftp. I tell it to close all the other ports. Why? Because I’m not running services on them, but if they’re “open” there’s a chance someone could exploit one of them to gain access to my system. The firewall prevents that.
I don’t think anyone is asking a firewall to “anticipate” anything. We expect the firewall to open the ports we tell it to, and block all the others. There’s no anticipation involved at all. It’s a security guard. When someone from outside requests to connect to one of my ports, my security guard either lets him in (because I told the guard that the port was open) or tells him to bugger off, because all ports that are not open are closed by default. Beyond that, the firewall doesn’t interfere with the service: if the port is open, data passes through to the OS, and the corresponding service handles the data. The security guard just sits there and watches, until someone else knocks.
Face the fact: software that controls which ports allow traffic and which do not, is *managing traffic*, in the same way as the cop in the intersection is. He’s not driving the cars, but he surely has full control over whether or not they go. How is that not management?
Suggesting that each service should be responsible for its own security is nice, but I’ve got 65,000 ports and I don’t want to run 65k services that I don’t need, just to provide security on the ports. I’d rather just hire the single brawny security guard with the automatic weapon to turn away uninvited guests. Hence the firewall.
Would it be nice if the OS provided finely grained port controls, so that I didn’t need to run a firewall? It sure would. But that doesn’t remove the need for the firewall, it just places the onus of creating it on the OS developer instead of a 3rd party.
Allow me to follow up further on CamoGeek’s post. If the OS or individual applications were to manage ports as completely as our newest gadfly argues they must, they would be firewalls, but rather than having one firewall, we would have an array of them, almost certainly conflicting with one another. To use CamoGeek’s traffic cop analogy, just imagine one intersection with 15 cops directing traffic at the same time. Ouch.
If the OS or individual applications were to manage ports as completely as our newest gadfly argues they must, they would be firewalls, but rather than having one firewall, we would have an array of them, almost certainly conflicting with one another.
So you’re saying that by fixing/closing any security holes in each service, they would somehow be firewalls? If that’s true, they already are! Many services have had updates to close holes over the years.
Remember that a firewall’s only purpose is to defend the various services where they are vulnerable. If a firewall blocks traffic that would not take advantage of a vulnerability, then it has gone too far. It isn’t managing traffic at all. It is only blocking traffic based on a limited set of rules, and those rules cannot be as effective as a code fix to the service(s) with vulnerabilities.
So you’re saying that by fixing/closing any security holes in each service, they would somehow be firewalls? If that’s true, they already are! Many services have had updates to close holes over the years.
Remember that a firewall’s only purpose is to defend the various services where they are vulnerable. If a firewall blocks traffic that would not take advantage of a vulnerability, then it has gone too far. It isn’t managing traffic at all. It is only blocking traffic based on a limited set of rules, and those rules cannot be as effective as a code fix to the service(s) with vulnerabilities.
This makes at least one assumption that I will charitably characterize as irresponsibly dangerous, namely that all possible vulnerabilities that can ever be exploited in code can be known in advance of the discovery of said vulnerabilities by any malicious coder intent on exploiting them.
I will confess to having only limited coding experience, but I have to assume that it is greater than the experience of the one whom I am quoting above. There was a time when even a single programmer could know every line of a piece of software and how it worked, including its vulnerabilities, but that passed a couple of (coding) eons ago. In an age of install DVDs that deliver 5GB installs (I have done 2GB downloads of software that was then unzipped and installed), even after removing graphical content the code portion is dozens of times the size of the large hard drives that were on the market fifteen years ago. Where one person wrote Q-DOS and ended up selling the OS to Microsoft, the complexity of the code needed to manage all that computers do in the internet age is far greater, requiring teams of people just to design, much less implement. You are arguing that in that age, any company can be expected to know all possible risks?
Let’s look at that most famous of phone phreaks, Captain Crunch. Ma Bell created a system by which a tone could be passed into the mouthpiece of a telephone in order to allow such things as long-distance line tests. Meanwhile, the makers of Cap’n Crunch gave away a toy whistle in boxes of cereal, not knowing that the pitch of the whistle was identical to that of the AT&T device. Now, who is responsible? Must be AT&T for failing to recognize the threat posed by a child’s toy made years after the system was created and distributed with a breakfast food, right?
This makes at least one assumption that I will charitably characterize as irresponsibly dangerous, namely that all possible vulnerabilities that can ever be exploited in code can be known in advance of the discovery of said vulnerabilities by any malicious coder intent on exploiting them.
You’re making broad assumptions about the ability of one piece of software to outperform another simply because of its name, yet you claim more coding experience than I!
Where is it written that a software firewall can do a better job of anticipating unknown vulnerabilities? To do that, it must block everything, which is essentially the same as turning a service off. That’s not exactly what I’d call a better solution.
Ok, let’s look at Captain Crunch. Ma Bell created a system using unencrypted tones that could potentially have easily been reproduced any number of ways by someone looking to beat their system. It was most definitely their fault, not because they didn’t anticipate a toy being used, but because they didn’t anticipate any attempt to circumvent their nonexistent security. More significantly, a firewall such as those used by computers today would not have been possible, since it would merely block the tones required for the system to function!
CamoGeek - 07 November 2007 12:05 AM
I use a third party firewall (software) to BLOCK ACCESS to all ports that I’m not actively using myself for some service I want the outside world to access. I tell the firewall to open ports for serving a web site, and serving email, and serving ftp. I tell it to close all the other ports. Why? Because I’m not running services on them, but if they’re “open” there’s a chance someone could exploit one of them to gain access to my system. The firewall prevents that.
I don’t think anyone is asking a firewall to “anticipate” anything.
Ports should be closed unless they’re needed. That shouldn’t need to be done by a firewall, and in fact a new Mac comes with its ports turned off. It isn’t until you turn on a service that ports are opened, and that’s because they’re needed! By definition, this gives the firewall nothing useful to do. Now, I could be wrong, but I doubt it. As a test, maybe you’d like to port scan a Mac with all of its services turned off and report back here what open ports you find.
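The test proposed above, a port scan of a host with its services turned off, can be done with nmap, but the logic is simple enough to show in a few lines. The following is an added example, not code from the original thread or from any of its posters: a TCP connect scanner that opens a single local listener (constructed here to stand in for one enabled service) and then scans a small range around it, so it runs offline. The host, port list and timeout are assumed values for illustration.

```python
import socket
from contextlib import closing


def scan_ports(host, ports, timeout=0.2):
    """Return the subset of `ports` on `host` that accept a TCP connection.

    A closed port answers the SYN with a RST, so connect_ex() returns a
    non-zero errno immediately; a port with a listening service completes
    the handshake and connect_ex() returns 0. A port silently dropped by a
    firewall simply times out, which this scanner also reports as closed.
    """
    found = []
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                found.append(port)
    return found


def demo():
    """Start one listener (constructed stand-in for a service that has been
    turned on), scan a window around it, then close it and scan again."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # OS picks a free port
    listener.listen(5)
    port = listener.getsockname()[1]
    window = [port]
    try:
        with_service = scan_ports("127.0.0.1", window)
    finally:
        listener.close()                     # "turn the service off"
    without_service = scan_ports("127.0.0.1", window)
    return port, with_service, without_service


if __name__ == "__main__":
    port, before, after = demo()
    print(f"listener on {port}: open while running={before}, after close={after}")
```

With the service running, the scanner reports its port; once the listener is closed, the same port no longer answers, which is the state the post above describes for a fresh install with no services enabled.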
Ports should be closed unless they’re needed. That shouldn’t need to be done by a firewall, and in fact a new Mac comes with its ports turned off. It isn’t until you turn on a service that ports are opened, and that’s because they’re needed! By definition, this gives the firewall nothing useful to do. Now, I could be wrong, but I doubt it. As a test, maybe you’d like to port scan a Mac with all of its services turned off and report back here what open ports you find.
I do not dispute that the basic functionality of a software firewall is what you describe, but you are far from grasping (or perhaps simply from expressing your comprehension of) what a firewall truly does. It is not merely a matter of opening ports when needed. That, as you note, can be handled by the operating system in an integrated fashion. However, that assumes that malicious code cannot get onto the computer and trick a legitimate piece of software into opening a port for illegitimate purposes, unless you write software that cannot be deleted or updated by any means, including authorized updates.
However, firewalls do much more. Most important here (and most glaringly omitted from any comments written under the cwtnospam name thus far on this thread) is that firewalls monitor the traffic, not merely the ports. They verify that proper handshake procedures have taken place, that the open ports are talking to the proper ports at proper locations and at the proper times. Spreading that responsibility around is begging for a disaster. Worse, it forces consumers to rely on software designers to meet standards with uniformity, and one look at browser standards compliance, past and present, will show you just how promising that might be.
I do not disagree that software makers could, and perhaps even should, do more, but I strongly dispute any contention that this obviates the need for a real firewall at any time prior to the establishment and enforcement of rigorous minimum compliance. Worse, this has a generational break, even if such standards were to be accepted tomorrow. Older software would have to be updated or replaced by newly compliant software, and I don’t quite have the money to replace everything on my machine right away.
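Two posts above describe what a packet filter actually does: CamoGeek’s “security guard” that admits connections only to the ports the administrator listed and turns everything else away by default, and the point just made that a firewall also tracks whether a proper handshake took place before it lets follow-on traffic through. The following is an added example, not code from the original thread or from any product it mentions: a small stateful filter in Python with a default-deny inbound policy, an allow-list for inbound service ports, and a state table keyed on the local port and remote endpoint so that replies to connections the host opened itself pass while an inbound packet that merely claims to be part of an established connection does not. The packet format, port numbers and addresses are all constructed for illustration.

```python
from dataclasses import dataclass

# TCP flag bits used below (constructed constants; real values from RFC 793).
SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src: str      # remote or local IP
    sport: int
    dst: str
    dport: int
    flags: int    # bitwise OR of SYN / ACK
    inbound: bool # True if arriving from the network


class StatefulFilter:
    """Default-deny inbound filter with a connection state table.

    Inbound policy: a new connection (SYN without ACK) is admitted only if it
    targets a port on the allow-list. Any other inbound packet must match an
    entry in the state table, which is populated either by an admitted inbound
    SYN or by an outbound SYN the host itself sent. Outbound traffic is allowed.
    """

    def __init__(self, allowed_inbound_ports):
        self.allowed = set(allowed_inbound_ports)
        # (local_port, remote_ip, remote_port) for each known connection
        self.state = set()

    def filter(self, pkt):
        if not pkt.inbound:
            # Host-initiated connection: remember it so the reply can come back.
            if pkt.flags & SYN and not pkt.flags & ACK:
                self.state.add((pkt.sport, pkt.dst, pkt.dport))
            return "pass-outbound"

        key = (pkt.dport, pkt.src, pkt.sport)
        if key in self.state:
            return "pass-established"
        if pkt.flags & SYN and not pkt.flags & ACK:
            if pkt.dport in self.allowed:
                self.state.add(key)
                return "pass-new"
            return "drop-closed-port"
        # ACK/other without a prior handshake: claims a connection we never saw.
        return "drop-no-state"


def demo():
    """Run a constructed packet sequence through a filter that exposes 80/25/21."""
    fw = StatefulFilter(allowed_inbound_ports={80, 25, 21})
    me, them = "192.0.2.10", "198.51.100.7"      # documentation addresses
    packets = [
        Packet(them, 40001, me, 80, SYN, True),          # new web connection
        Packet(them, 40001, me, 80, ACK, True),          # handshake continues
        Packet(them, 40002, me, 22, SYN, True),          # SSH not on the list
        Packet(them, 40003, me, 3306, ACK, True),        # forged "established"
        Packet(me, 50001, them, 443, SYN, False),        # host opens HTTPS out
        Packet(them, 443, me, 50001, SYN | ACK, True),   # reply to our SYN
        Packet(them, 443, me, 50002, SYN | ACK, True),   # reply to nothing
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The two `drop-*` verdicts are the cases the posts above are arguing about: the SYN to 22 is turned away because no listed service lives there, and the bare ACK to 3306 and the stray SYN/ACK to 50002 are dropped because no handshake was ever seen for them, even though a host without a filter would hand them straight to whatever is bound to those ports.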
Monitoring traffic is a noble goal, but I seriously doubt that any firewall can do it in a meaningful way. If malicious code would not be caught by the service it was intended to corrupt, how could a firewall hope to spot the malware when it knows little to nothing about the service? The reality is that firewalls spend more time blocking legitimate access attempts than doing any good. (I have used my firewall, by the way, but usually only when I want to keep some software from checking the LAN for other copies of itself. Does that count as a firewall strength or weakness?)
Then there’s the cost/benefit, where the cost of a firewall blocking legitimate traffic creates a need for a VPN, which essentially bypasses the firewall! All that’s needed from that point is a compromised computer on the outside using the VPN and the firewall becomes nothing more than a costly nuisance.
Monitoring traffic is a noble goal, but I seriously doubt that any firewall can do it in a meaningful way [...] The reality is that firewalls spend more time blocking legitimate access attempts than doing any good.
I see. So what we are faced with here is one of two things: Either someone who configures firewalls with the subtlety of a vice president on a hunting trip or someone who does not understand what constitutes “legitimate access attempts.”
A firewall, properly configured, will allow access to those services that are needed by users on the system and restrict all others. An administrator should know which services fall into which category and configure the firewall accordingly. Anything less than that is a serious failure, and relying on software developers to get it right will only invite less security than even an incompetent administrator can provide.
A firewall, properly configured, will allow access to those services that are needed by users on the system and restrict all others.
If that were true, there would be no need for a VPN because the firewall would allow legitimate users access to the LAN.
If you’re able to configure a firewall to allow users to print to network printers and access network servers without using a VPN and without sacrificing the security allegedly provided by the firewall, then I think you should let us all know how to do it!
My premise assumes that the resources needed to create a firewall are time and money. I believe that time and money could be better spent securing the services that use ports to communicate with the network.
I think you’re making this more complicated than it needs to be. It doesn’t matter if there are a thousand twenty four, 65 thousand, or 16.7 million ports, the fact is that the OS is, and should be, responsible for each and every one of them. Tacking on an additional layer of software isn’t a good idea. It’s an easy shortcut that has significant long term consequences.
I’m not saying that there shouldn’t be security. I just think that security should be one of the main jobs of every service that uses a port. As long as programmers know that there is a firewall, there is little urgency to secure their own code. They may not consciously think about the firewall, but they don’t have to in order for it to affect their work.
I think that Apple has come to the same conclusion I have: secure the OS and you don’t need the firewall or AV software. So far it looks like they’ve done a fairly good job of it.
Mac OS X includes a GREAT firewall, “ipfw”, the standard, battle-proven UNIX firewall. What happened here is Apple took the time and resources to create an application-layer middle app that tries to autoconfigure the firewall based upon use and not by the user as in Tiger. This may have some benefit for the novice user and was no doubt in response to what may have been a large number of firewall-related support calls, but it flies against the conventional wisdom. It still has a ways to go and Apple should have included an advanced option for the rest of us.
Again, if you are behind a NAT router (AirPort, etc.) then you’re fine with the firewall off. A more valuable effort, for me, would have been to see Apple provide an outgoing firewall like Little Snitch. THAT WOULD HAVE EARNED APPLE MAJOR SECURITY KUDOS.
This entire episode is just silly and someone’s supposedly great idea gone wrong.